I have a question about Azure Blob storage, whenever I make the Blob Public Access Disabled we’re unable to successfully access anything inside the container, is it anything I need to set? Like encoded call?
You will need to have some kind of authorization. Refer to THIS documentation. The safest is to use Azure active directory.
Another option is to use a container level shared access signature or SAS as shown in the screenshot. The signature is signed using the storage account key and can be set to be valid for a specific period. On clicking Generate SAS, you will get a url which you can use to direct access your container. You can also have blob level SAS if needed for a specific blob.
Related
Me and my team are using Azure Synapse Analytics to ingest data from a REST API to a Azure Data Lake Storage Gen2, in order to create views automatically.
The only way we could manage to do this in our Workspace was by previously changing the Public Access Level to the Container inside our Storage Account to "Container (anonymous read access for containers and blobs)".
Is there any way to avoid doing this, and just enable this level of access to specific containers for a limited amount of users / IPs, while keeping it "Private (no anonymous access)"?
Click to Azure Portal view of the Containers inside a certain Storage Account resource
Yes, you can use Shared Access Signatures for it. You can find more information in here:
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
I do agree with #Thiago Custodio and #Nandan, we can use SAS Token and URL for limited access to Container in the storage accounts.
To get SAS token:
Firstly, open the storage account, then click on container.
Then click on your container and then click on Shared Access tokens as below.
Then you can select what access you want to give access as below. Then Generate the token.
The token comes as below, now you can send this token to whom you want to give access your container.
Alternatively, you can also create a private endpoint as below:
Firstly, click on Networking, the click on Private endpoint connections and then (+) create a end point.
Now this Container can be accessed from the Virtual Machine integrated with this private endpoint.
I am using Azure Storage to save some files. I want these files to be publicly available on a temporary basis. Currently, I'm saving them via an azure storage file service. Each file is give a URL of the structure ./[file-share]/[directory]/[file-name].[ext].
My question is, is there a way to make this URL publicly available? I do not see a way. If there isn't, is there some recommended way to make a file public available? I do not see a way to do this via a file service.
My question is, is there a way to make this URL publicly available?
One possible solution would be to create a Shared Access Signature (SAS) on the file in question with at least Read permission and share SAS URL with your users. You mentioned that you want the file to be publicly available on a temporary basis and for that SAS would perfectly fit the bill. You can set the SAS expiry based on your needs and once the SAS token expires, the file will no longer be available.
Other option would be to use Blob Storage instead of File Service. Here not only you can use Shared Access Signature but also change the container's ACL. By making the container's ACL as Blob, the blob (file) will be publicly available.
I want to upload some static images that I will later access via some mobile apps. I have an Azure Account that I rarely use so I thought that was the best place and therefore I uploaded them to a "File Share" within Azure Storage.
I naievely thought I could them just access those files via a simple web request url
https://myplace.file.core.windows.net/app/images/bnb/shop/bugle_200_2.jpg
All this gets me is a BadRequest error. I realize that I could create a Shared Access Signature (SAS) for every file but that seems total overkill.
Is there a better Azure feature to use? I do not want to have to use the Azure APIs to get at these files
Adding a few more points to #CtrlDot's excellent answer.
I completely agree that you should use Blob Storage for storing static content.
On the container permissions, I would actually recommend setting the permission (ACL) to Blob so that user can only view the blob they have the URL for and not enumerate all blobs in a container (setting container ACL to Container will enable the users to list blobs in a container which may not be a desired behaviour for you).
Other than these, there are two distinct advantage of using Blob Storage:
Custom domain: You can map blob storage to a custom domain (e.g. static content.mywebsite.com) and use that to serve the content instead of using Azure Blob Storage standard endpoint (your account.blob.core.windows.net).
CDN: You can also CDN enable your blob storage endpoint. The content will then be replicated across many CDN nodes spread throughout the globe and will be served from a node near to your user thus improving the user experience.
I think the service you should be looking to use is blob storage, not file storage. File storage, as per the documentation, is meant more for SMB shares.
When you setup Azure blob storage, you have a couple of different options. If there is nothing sensitive/secure about these static images, you could consider making a public container and simply accessing the files like that.
If you require authentication, then you need to either use azure storage access keys, or azure storage access tokens. Of the two, the storage access tokens are by far the most secure.
You wouldn't need to create a SAS token for each file, rather, grant it read permission to the container. Once again, you will have to tailor this to the security/sensitivity needs of your application.
I have two Azure Blob Storage containers. Container A and B. I would like to grant Read only access to another Azure User for Container-A. The second container Container-B should not be visible to the Azure user. The Azure user will be accessing the blobs in Container-A from his Azure Virtual Machine. How do I achieve this? Reading on the web seems that I would need to generate Shared Access Signature, but how I am not sure.
Exactly, that is the scenario where you want to use SAS.
First, please read the Azure Storage security guidance to make sure that you are aware of all of the available options.
Here is the very helpful guidance on the SAS model.
Second, you need to generate the SAS with policies (please, refer to the guidances above). It can be done programmatically (sources are available in the guidance) and then you may give that SAS link to user you want anyway you want - it can be the online page where the user can grab the string, or you can write the simple tool to generate the SAS. Be aware, however, that they have the "life" and you need to renew them periodically.
I would like to configure Access Key(s) for a specific Blob or File Share inside a storage account.
Until now I had only found via UI and Docs ability to set Access Keys global to the entire storage account.
Is there a way to do that?
You need to use Shared Access Signatures for that which is the string that defines the access, policies of access, expiration time, etc. There is no way to do that using Access Key or something like else on the blob level.
SAS overview
How to do that
Highly recommend to review the Azure Storage security guidance.