I need to write to an azure blob store using my app that is running on a customer's network. I would like to use a network username and password to secure the blob location. I have been reading MANY articles but I cannot see how to use a username and password to connect to the azure blob store.
It is a WPF app, so I do not want to store my key (or any secrets) in a config file or hard code it as it will be too easy to get with a decompiler. I would prefer to issue the user with a network username and password. That way I can change the password or disable the username when needed.
Can anyone point me in the right direction here please, I just keep looping back to the same documentation over and over
There are three ways to get connected to Azure Storage:
Using account name/key
Using Azure Active Directory (Azure AD) authentication
Using Shared Access Signature
1st option is automatically ruled out as you don't want to store the secrets in the application (wise decision BTW).
You can use Azure AD authentication to connect to Blob Storage. Your users would need to be present in Azure AD for this though. Whenever a user launches your application, you will redirect them to Azure AD for authentication and once they are authenticated, they will be able to use the application. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad
3rd option is to use Shared Access Signature (SAS) which basically is a URL that has a time-bound/permission driven access to your storage. The way this would work is that your application will authenticate the users by asking them to provide their network username/password. Once they are authenticated, they will get access to the application. In the application, you can make a call to an API that will return a SAS URL using which a user will be able to upload data into blob storage. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
Related
In order to connect to Azure Shared Storage(in particularly File Share) to perform tasks like copying/removing/modifying files from remote to azure storage, we need either SAS(Shared Access Signature) or Active Directory Settings Enabled (and then assign roles based on requirement).
I wanted to implement the access using SAS approach, I tried generating SAS from UI, tried generating SAS by making use of Access Keys(Present Inside Storage Account - Confidential and most important key for storage account) both worked. But UI approach isn't conducive in my case, and Access token can't be given to anyone apart from the administrator.
So is there a way to generate SAS using Azure AD credentials or some service where we can create an account and password/key and that account can be used to create SAS token via curl(REST call) and not generating SAS via access keys(admin key).
The tricky part is to let your users create a sas token for the file share without granting them permissions on the whole storage account.
You can use a middle tier application that creates the SAS token and allow the users to use that app. An azure function with an HTTP trigger can be used for example. You grant the azure function access to the storage account using a Managed Service Identity and secure the access to the Azure function either with Active Directory or a function key, that you distribute to your users.
You can try with this approach:
A SAS token for access to a container, directory, or blob may be secured by using either Azure AD credentials or an account key.
Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.
Create a User delegation SAS
Generate a User Delegation Key:
POST https://myaccount.blob.core.windows.net/?restype=service&comp=userdelegationkey
We have an on-premises (self-hosted) app which supports sending email notifications to users by providing SMTP mail server settings. Our users are all in Azure AD and are the only users of this on-premises app. Our users want to be able to receive email notifications from this app.
What is the recommended/best practice method for achieving this? Ideally the solution wouldn't require any additional subscriptions or added cost. It would be nice if the sending email address could be branded to match the app service it is coming from.
Here are some options that I've come up with:
Create a new user in Azure AD solely for sending email
Seems wasteful, and we are billed monthly per user
Use an existing user (i.e. my own) to provide authorization to the SMTP server
Rather not tie my own user credentials to this, and will break if I ever change my password
Use an entirely different email account (e.g. gmail?) for sending email
No relation to Azure AD tenant at all, harder for others to manage
Some existing method/service in Azure that is meant for this purpose, if it exists
Here's my idea on your case.
I watched this document, and I found that we can use API Key to initialize 'new SendGridClient', and it mentioned that we can stored this key into azure key vault.
So if you just wanna use azure ad to achieve the goal of protect your local app from unauthorized user, you may try my idea. First, create azure key vault in azure portal, and you could create a new secret to store your SendGrid Api key. Next to create an azure ad application used to achieve authentication, such as 'ROPC' flow(use user account and password to get access token). Now we can set access policy in azure key vault, added the azure ad app and all your user accounts so that every one could access API key via that azure ad app. After that, your app could send email.
Is there a way to access azure storage via Rest Api, using only frontend javascript?
e.g:
User tries to load an image stored in azure storage .
Redirected to portal.azure.com for logging in.
Sent back to my webapp, with the cookies or whatever is needed to generate an authenticated url.
You can authenticate access to Azure blobs using Azure Active Directory.
Then you will be able to get an access token to access azure storage via Rest Api. Here is an example walks you through how to login a user and acquire a token to be used for Microsoft's Graph Api. You can change the Graph Api to storage api.
Updates:
The way to get access token. The scope can be https://storage.azure.com/.default
Access private blob with access token. You also need to add the x-ms-version header.
I would like to create an application where the users could access to all my data in Google Drive.
I have implemented a 2-legged OAuth to obtain all the data from Google Drive with my server app with no user authorization. The server can obtain all the data with the 2-legged OAuth.
The problem arrives when using, for example, the link of a drive document, the users connected to my app cannot access it due to they have no permissions.
I would like to know if it is mandatory give them permissions to access the files or maybe there is another service provided by google to have a comun storage for all the users without get the authorization or permissions for every single user.
I would like to know to if it is posible to use the Drive interface to show the users the documents.
There are actually three ways to access Google data.
Api key used to access public data.
Oauth2 used to access private data. Prompts for user to give permissions to access data and grants a refresh token.
Service accounts. Service accounts are preauthorized. there is no prompt to request a user permission to access the data.
I am not exactly sure what you mean by 2-legged Oauth. It sounds like you are talking about a service. You can grant the service account access to your personal drive account by sharing one or more folders with it. Note: I am not sure if you can share the root folder or not.
When you wish to allow one of your users to access a file you should have the service account add the user as reader of the file then they will have access. this can be done by inserting permissions.
Note. I am not a Node.js developer and I am not sure that service accounts are supported by Node.Js you may have to switch to a server sided language I don't know enough about it.
I do have a blog post that explains service accounts in more detail.
I'm developing a web application which users can upload their files and each user can set permissions for the uploaded file to access to other users.
I want to use Azure Blob Storage of Azure File Storage for the uploaded files to be saved.
I need to check and validate the uploaded files before saving them, though users should upload their files on web server and then the web server will validate the files and save them to Azure Storage using Access Key.
To get accessed the files using explained method in SAS - Shared Access Signatures, Part 1: Understanding the SAS model, I want to create account SAS and generate URL on the web server and then user can download their accessible files directly from the Azure Storage.
Here is the access model (just to read data):
And here is the sample SAS url:
https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2015-04-05&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
But, what if user share the URL with anonymous users directly: they can access the file before expiration date, or maybe they can use the URL to access other files (or not?).
Can account SAS limit access to specific files or folders?
Can I expire the SAS server side?
What would be the best solution on this scenario?
Account SAS is for account level, Azure File Storage supports file share level SAS or file level SAS as well, please use them instead.
To revoke SAS in server side, you'll need to set up Shared Access Policy for them. By removing the corresponding Shared Access Policy, the related SAS can be revoked. However, server can only store 5 Shared Access Policies at most, which may not satisfy your requirement. What's more, Shared Access Policy doesn't support Account SAS currently. Anyway, technically there is still one way to revoke ad hoc SAS, but I don't think it's a valid option: to regenerate the corresponding storage account key on SAS Provider Service which was used to generate the ad hoc SAS.
In my opinion, SAS is not the good solution for your scenario, since SAS is designed for sharing links in plain text among anonymous users. In order to achieve your requirement, you need to set up your own authentication and authorization on your website. All the users must upload/download the files via your website, and Azure Storage is just the storage back end of your website, which shouldn't be exposed to users directly.
We can use SAS to set the file permission, use SAS policy to set the start data and expire date. However if you have very complex logic about the file. I would suggest you use role permission to do this.