We want to restrict file downloads from Azure CDN to instances of a given tool. These tools already have an ADFS client which is currently used to get a bearer token to authenticate the client with an API housed in DataPower. I want to create an Azure AD group, assign the clients client-ids/secrets within this group, and restrict READ access to CDN files to this group so that they can get a bearer token and access the resource.
Is there a pre-existing pattern to restrict Read access in this manner?
Your application can have authorization decision to provide read access to CDN resources.
Kindly go through the document to get detailed explanation.
Related
I have an Azure Storage Account with public access disabled. Inside the storage account are a few Blob Storage Containers. Each container has access managed with AzureAD with varying permissions for each user/group to different Blob Containers.
I want to be able to download items inside the Blob Storage using tools like wget or curl using HTTP Basic Auth or specifying user information in the request.
I'm aware that AzCopy can be used to download Blobs from the containers, but previously we have used http requests to download artifacts and would like to continue using that method.
This question from 2016 Makes it seem like that its possible to do this with Shared Access Signature, which makes me believe that its possible to use with User Delegation SAS, but I have not found a way to set this up, and it requires a lot of parameters, more than a username/password or token.
Does Azure Blob Storage have a way where a user can access blob storage without AzCopy or any other specialized tools and authenticate via a method that does not require additional resources?
No. You must make a separate request for a token to send to Blob.
When a security principal (a user, group, or application) attempts to
access a blob resource, the request must be authorized, unless it is a
blob available for anonymous access. With Azure AD, access to a
resource is a two-step process. First, the security principal's
identity is authenticated and an OAuth 2.0 token is returned. Next,
the token is passed as part of a request to the Blob service and used
by the service to authorize access to the specified resource.
The authentication step requires that an application request an OAuth
2.0 access token at runtime.
Overview of Azure AD for blobs
I have subscribed to Premium Verizon Plan of Azure CDN Service. With that I gained access to the Azure CDN Policy Rules Portal wherein I am able to manage all of the rules pertaining to the CDN Service I have subscribed to.
As part of the compliance program that I am working with as of the moment, I wanted to list all of the available Policies within my CDN Service using this endpoint:
https://cdn.windowsazure.com/api/v3/rules-engine/v1.0/policies?page_size=20&platform_id=http-large&policy_type=customer&sort=-created_at&state=locked
My currently problem is that I am unable to generate the access token needed to call the endpoint successfully. As of the moment here are the methods that I have currently used to generate access token for the endpoint:
Generate the Access Token using the Client Credentials from the Identity Dashboard:
I have successfully generated the Access Token from this step but I
am unable to see the necessary scope ("ec.rules") needed to call the
API Endpoint. Source
Document
Using the Token from the Azure CDN Policy Rules Portal:
I am unable to find the "Generate New Primary" button stated in the Source Document
To configure Token authentication & generate tokens on Azure CDN Premium from Verizon, you can follow the steps on this document:
https://learn.microsoft.com/en-us/azure/cdn/cdn-token-auth#setting-up-token-authentication
Is there a way to access azure storage via Rest Api, using only frontend javascript?
e.g:
User tries to load an image stored in azure storage .
Redirected to portal.azure.com for logging in.
Sent back to my webapp, with the cookies or whatever is needed to generate an authenticated url.
You can authenticate access to Azure blobs using Azure Active Directory.
Then you will be able to get an access token to access azure storage via Rest Api. Here is an example walks you through how to login a user and acquire a token to be used for Microsoft's Graph Api. You can change the Graph Api to storage api.
Updates:
The way to get access token. The scope can be https://storage.azure.com/.default
Access private blob with access token. You also need to add the x-ms-version header.
I'm developing a web application which users can upload their files and each user can set permissions for the uploaded file to access to other users.
I want to use Azure Blob Storage of Azure File Storage for the uploaded files to be saved.
I need to check and validate the uploaded files before saving them, though users should upload their files on web server and then the web server will validate the files and save them to Azure Storage using Access Key.
To get accessed the files using explained method in SAS - Shared Access Signatures, Part 1: Understanding the SAS model, I want to create account SAS and generate URL on the web server and then user can download their accessible files directly from the Azure Storage.
Here is the access model (just to read data):
And here is the sample SAS url:
https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2015-04-05&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
But, what if user share the URL with anonymous users directly: they can access the file before expiration date, or maybe they can use the URL to access other files (or not?).
Can account SAS limit access to specific files or folders?
Can I expire the SAS server side?
What would be the best solution on this scenario?
Account SAS is for account level, Azure File Storage supports file share level SAS or file level SAS as well, please use them instead.
To revoke SAS in server side, you'll need to set up Shared Access Policy for them. By removing the corresponding Shared Access Policy, the related SAS can be revoked. However, server can only store 5 Shared Access Policies at most, which may not satisfy your requirement. What's more, Shared Access Policy doesn't support Account SAS currently. Anyway, technically there is still one way to revoke ad hoc SAS, but I don't think it's a valid option: to regenerate the corresponding storage account key on SAS Provider Service which was used to generate the ad hoc SAS.
In my opinion, SAS is not the good solution for your scenario, since SAS is designed for sharing links in plain text among anonymous users. In order to achieve your requirement, you need to set up your own authentication and authorization on your website. All the users must upload/download the files via your website, and Azure Storage is just the storage back end of your website, which shouldn't be exposed to users directly.
We can use SAS to set the file permission, use SAS policy to set the start data and expire date. However if you have very complex logic about the file. I would suggest you use role permission to do this.
We are using MS Azure and developing SAAS based Multi-Tenant Application.
For each Tenant we have BLOB Container Private and assigned to each Tenant.
Also there is a requirement that Client can share files with other client users.
Eg.
Client C1 has Container "C1" and it has files "C1f1", "C1f2" and "C1f3".
User U1 and U2. U1 has access permission for C1f1 and U2 has C1f2 access only.
How can we do this in MS Azure Permission or Security? This needs to be done RUNTtime?
Please suggest How can this be done - What is BEST way to do
I believe you have two options.
Either generate and use SAS tokens per client/user with the right permissions. With a SAS token you can provide access to a specific resource up to a specific point in time. The disadvantage is that SAS tokens cannot be revoked on a per token basis. You can only revoke all tokens by rolling the storage access key that was used to generate the SAS token. Another disadvantage is that you have to provide a SAS token per item you want to grant access to. (For more info see also https://azure.microsoft.com/nl-nl/documentation/articles/storage-dotnet-shared-access-signature-part-1/)
Create a Web Service that encapsulates the Azure storage and serves files to your customers. In this service implement authorization management yourself.