I would like to check my understanding of azure sas token.
we can access a BLOB storage using SAS token instead of azureAD certification. Does this mean that a person who does not have azure account can access a BLOB storage???
Or a person who has azure account can use SAS token and access a BLOB storage.
Yes, a person or script that has a SAS token can access BLOB storage, according to the permissions set in the token. That person or script does not need to have an azure account. Of course, that person would not be able to use the Azure portal to see the blob container, but he can access the storage account using programatically using the Azure API. He can also fetch blobs using HTTP GET requests.
As an example, I have a build script that pushes to storage and a deploy script to read from storage. These scripts contain the access token so they can run from any machine.
If I wanted to revoke the privileges of that access token I would need to replace the key that I used to generate the token with.
Related
Per my understanding, there are two types of SAS tokens when it comes to Azure Storage Account.
Account-level SAS tokens
Blob container/Queue level SAS token
I observed that if we do not choose to use the primary/secondary keys to authenticate with the storage account and use the account level SAS tokens as an authentication mechanism then I can not create the Blob container level SAS tokens using Stored Access Signature. Why is that? Is there a way to make it work? I do not want to provide access to my service to the account level keys and want to create SAS tokens to implement the RBAC at the runtime, is there any way for same?
I observed that if we do not choose to use the primary/secondary keys
to authenticate with the storage account and use the account level SAS
tokens as an authentication mechanism then I can not create the Blob
container level SAS tokens using Stored Access Signature. Why is that?
This is by design. A container level SAS only lets you work at the container level where you can perform operations on the blobs inside that container. Creation of a blob container is an account level activity and thus you would need to use an Account SAS. At this time, Account SAS do not have a concept of Shared Access Policy.
I do not want to provide access to my service to the account level
keys and want to create SAS tokens to implement the RBAC at the
runtime, is there any way for same?
Yes, there is. Azure Blob Storage support Azure AD based authentication/authorization and has support for Role-based Access Control (RBAC) available in Azure Subscription. You can assign granular RBAC roles to your users in Azure AD and they will be able to perform only the operations allowed by their roles. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad.
You can find more details about various authorization options available in Azure Storage here: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage.
We are building an app that allows users to upload their own files (ex. images) in Azure Storage.
We are using Azure Storage and plan to use containers to separate the content of each user.
I am a bit lost in the part about security. What would be the best way to secure the container of each user? For example, would each container have a different key?
And if I want to display the image, do I point it directly to the azure storage URL or do I need to have a middle API service that gets it from Azure Storage then returns it?
You have a key per storage account, not per container. You basically have two options - each requires a middleware:
1: Upload the files through you middleware. The client will send the files to your middleware which knows the storage account credentials to store the file in the desired container.
2: Direct upload to Azure Storage. The second option is to directly upload the files to the storage account. Since you don't want to expose storage account credentials to your clients, you will need some kind of middleware that gives your app a temporary SAS Token that allows it to upload the requested file (known as Valet Key pattern). Further information: (File upload in Cloud Applications: The Options)
If you want to display the image, you can point it directly to the Azure Storage URL (if you want them to be public readable) or you can again return the URLs with temporary SAS Token for each authorized user....
In your case, the best way I think is to Authorize the storage with Azure AD, assign the RBAC role for the different users at the container level. Then they will just be able to access their own container, see this link.
To let the user upload files from an app via Azure AD Auth, you could refer to this doc - Authorize access to blobs and queues with Azure Active Directory from a client application.
To display the image, just click the ... of your image(blob) in the portal -> Generate SAS -> Generate blob SAS token and URL -> copy the Blob SAS URL, you could access it directly in the browser.
I have a frontend container, backend container and the azure blob storage. User using the front/backend are authenticated. Thus the backend validates the user credentials and users are allowed to access their media files stored in the azure blob storage.
I would like that users access their media files directly at the azure blob storage in order not to stress the backend to much by using it as a proxy. The media references for each user are stored in the backend.
How would you achieve this by using the azure blob storage and its access control (or is it a misuse of the azure blob storage)?
You can implement security by generating a SAS token for your blob container/individual blob
With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys
We have recruitment that need to store the file in Blob Storage. The blob storage account which i have created for a company. There are multiple site for a same company. We need to restrict the site member to see other site files. So I need the access key based on container level.
The container will be created dynamically from C#. The credential / access key that should be created while creating the container from C# and the container level access key / credential will be shared with site members not the storage account access key. Storage account key will be in application configure side. So storage account key will be hidden from the site members.
How do I get the container level access key / credential in Azure blob storage?
I think SAS could meet your requirements.With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. And you could set the interval over which the SAS is valid and the permissions granted by the SAS. For example, a SAS for a blob might grant read and write permissions to that blob, but not delete permissions.
You could create SAS pointing to one or more resources and including a token that contains a special set of query parameters.
Here are two examples about how to use SAS, first SAS examples and create SAS.
If you still have other questions, please me know.
I am using SSIS Azure Blob Upload task to upload the files from local directory to Azure Blob Storage container. In the AzureStorageConnection I had to provide the Account key explicitly which I feel not secure. Is there a way to establish the connection through KeyURI instead of Account key? I read some articles on Key-Vault implementation but to how to achieve it here.
If you want to protect the Azure account key, Please consider using Shared Access Signatures (SAS). Refer to this article for more information. Here is a snippet in the article:
Using a shared access signature (SAS) is a powerful way to grant limited access to objects in your storage account to other clients, without having to expose your account key.