
RBAC permissions still needed in Storage Account with anonymous access #60

@kimjamia

Description


My image template has a "Shell" type customization option that downloads a script from Azure Blob Storage. For rapid PoC purposes I allowed anonymous access to the container (but didn't allow anonymous enumeration). Then I ran the following command:

az resource create --resource-group rg-images --properties @image-builder-template.json --is-full-object --resource-type Microsoft.VirtualMachineImages/imageTemplates --name MyImage

But it gives me an error:

(Unauthorized) Not authorized to access the resource: https://***.blob.core.windows.net/***/install-software.sh. Please check the user assigned identity has the correct permissions. For more details, go to https://aka.ms/azvmimagebuilderts.

If I grant the user-assigned identity Storage Blob Data Reader permissions to the container, it starts working.

I think it doesn't make sense that it requires RBAC permissions if anonymous access is already allowed. I tested that I was able to anonymously access the script file using my browser in incognito mode.
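The workaround described in this issue, written out as an added example (this is not the reporter's code or part of Azure Image Builder): the identity that Image Builder uses to fetch the customizer script is the template's user-assigned identity, and it authenticates to Blob Storage with an Azure AD token, so the blob must be readable by that principal through RBAC regardless of whether anonymous callers can read it. The script grants Storage Blob Data Reader at container scope (least privilege, rather than the whole account) and also repeats the reporter's incognito check with an unauthenticated GET. The subscription, resource group `rg-images`, storage account `stimages`, container `scripts`, identity `aib-identity` and the `AIB_APPLY` guard variable are placeholders and assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from Azure Image Builder.
# Names below (rg-images, stimages, scripts, aib-identity) are placeholders.
set -eu

# ARM resource ID of a blob container, used as the scope of a role assignment.
# Scoping the role to the container keeps the identity to least privilege.
build_container_scope() {
    local sub="$1" rg="$2" account="$3" container="$4"
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
        "$sub" "$rg" "$account" "$container"
}

# Public blob URL, as the template's Shell customizer references it.
blob_url() {
    local account="$1" container="$2" blob="$3"
    printf 'https://%s.blob.core.windows.net/%s/%s' "$account" "$container" "$blob"
}

# Same check the reporter did in an incognito browser: an unauthenticated GET.
# Prints the HTTP status; 200 means the blob is anonymously readable, which,
# as the issue shows, still does not satisfy Image Builder's authenticated read.
check_anonymous_read() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Grant the user-assigned identity Storage Blob Data Reader on the container.
# The principalId of the identity is what the role assignment must target.
grant_blob_reader() {
    local identity="$1" rg="$2" scope="$3" principal_id
    principal_id=$(az identity show --name "$identity" --resource-group "$rg" \
        --query principalId -o tsv)
    az role assignment create \
        --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "Storage Blob Data Reader" \
        --scope "$scope"
}

main() {
    local rg=rg-images account=stimages container=scripts blob=install-software.sh
    local sub url scope
    sub=$(az account show --query id -o tsv)
    url=$(blob_url "$account" "$container" "$blob")
    echo "anonymous GET $url -> HTTP $(check_anonymous_read "$url")"
    scope=$(build_container_scope "$sub" "$rg" "$account" "$container")
    grant_blob_reader aib-identity "$rg" "$scope"
    # Role assignments take a few minutes to propagate; re-run the
    # `az resource create` from the issue after that.
}

# Only talk to Azure when explicitly asked (AIB_APPLY=1), so the helper
# functions can be sourced and checked offline.
if [ "${AIB_APPLY:-0}" = "1" ]; then main; fi
```

Run it as `AIB_APPLY=1 ./grant-aib-reader.sh` after `az login`; without the variable it only defines the helpers. Note that a role assignment at container scope covers only that container, so a template that later pulls scripts from a second container will fail with the same Unauthorized error until that container is in scope too.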
