We are building an app that allows users to upload their own files (ex. images) in Azure Storage.
We are using Azure Storage and plan to use containers to separate the content of each user.
I am a bit lost in the part about security. What would be the best way to secure the container of each user? For example, would each container have a different key?
And if I want to display the image, do I point it directly to the azure storage URL or do I need to have a middle API service that gets it from Azure Storage then returns it?
You have a key per storage account, not per container. You basically have two options - each requires a middleware:
1: Upload the files through you middleware. The client will send the files to your middleware which knows the storage account credentials to store the file in the desired container.
2: Direct upload to Azure Storage. The second option is to directly upload the files to the storage account. Since you don't want to expose storage account credentials to your clients, you will need some kind of middleware that gives your app a temporary SAS Token that allows it to upload the requested file (known as Valet Key pattern). Further information: (File upload in Cloud Applications: The Options)
If you want to display the image, you can point it directly to the Azure Storage URL (if you want them to be public readable) or you can again return the URLs with temporary SAS Token for each authorized user....
In your case, the best way I think is to Authorize the storage with Azure AD, assign the RBAC role for the different users at the container level. Then they will just be able to access their own container, see this link.
To let the user upload files from an app via Azure AD Auth, you could refer to this doc - Authorize access to blobs and queues with Azure Active Directory from a client application.
To display the image, just click the ... of your image(blob) in the portal -> Generate SAS -> Generate blob SAS token and URL -> copy the Blob SAS URL, you could access it directly in the browser.
Related
I want to authorize backend (Web API in Azure Active Directory) to distribute SAS for uploading into Blob Storage.
It would be perfect if SAS can be issued only for one blob upload. I assume that client will send a request with a file name to upload, then backend will return SAS that could be used only to upload one blob with previously set file name.
I found the Storage Blob Delegator role, but as far as I know roles can only be set to user account (person).
How in this case the backend should be authorized?
Shared key
Fake account
Long SAS
Or is there another way to solve this problem? I have checked a lot of articles in docs but all of them solves slightly different problems.
Is there a way to tell which user uploaded the file in an azure blob container? do you have to manually add it to the metadata?
The comment is basically correct, but the log is not in the Activity log , if you are using the storage account key to upload blob, you will not be able to know who uploaded the file. So in this way you could add it manually to the metadata as you mentioned.
If you upload blob via Azure AD auth e.g. use AAD auth flow to get the token, use the token to call REST API to upload blob(some other ways essentially use this), then you can use the Azure Storage analytics logging, follow this to configure it, select the Logging version with 2.0.
After configure, if you upload blob via AAD auth, you can find the log in the container named $log, in the log, there is a UserPrincipalName, it is the user.
I have a frontend container, backend container and the azure blob storage. User using the front/backend are authenticated. Thus the backend validates the user credentials and users are allowed to access their media files stored in the azure blob storage.
I would like that users access their media files directly at the azure blob storage in order not to stress the backend to much by using it as a proxy. The media references for each user are stored in the backend.
How would you achieve this by using the azure blob storage and its access control (or is it a misuse of the azure blob storage)?
You can implement security by generating a SAS token for your blob container/individual blob
With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys
I have created a blob storage at Azure and I want to share this container with my colleagues who may or may not have azure account and can upload files in this blob storage without providing access to resource groups or storage account. Is it possible with blob storage or there is any other alternative to do that where they can drop there files time to time and I can access them from my azure pipeline. I have tried Secured Acess Signature but it is not working may be I have less knowledge to do that. I have creatred SAS URL by clicking right click on container and shared the link with colleagues.
I want to upload some static images that I will later access via some mobile apps. I have an Azure Account that I rarely use so I thought that was the best place and therefore I uploaded them to a "File Share" within Azure Storage.
I naievely thought I could them just access those files via a simple web request url
https://myplace.file.core.windows.net/app/images/bnb/shop/bugle_200_2.jpg
All this gets me is a BadRequest error. I realize that I could create a Shared Access Signature (SAS) for every file but that seems total overkill.
Is there a better Azure feature to use? I do not want to have to use the Azure APIs to get at these files
Adding a few more points to #CtrlDot's excellent answer.
I completely agree that you should use Blob Storage for storing static content.
On the container permissions, I would actually recommend setting the permission (ACL) to Blob so that user can only view the blob they have the URL for and not enumerate all blobs in a container (setting container ACL to Container will enable the users to list blobs in a container which may not be a desired behaviour for you).
Other than these, there are two distinct advantage of using Blob Storage:
Custom domain: You can map blob storage to a custom domain (e.g. static content.mywebsite.com) and use that to serve the content instead of using Azure Blob Storage standard endpoint (your account.blob.core.windows.net).
CDN: You can also CDN enable your blob storage endpoint. The content will then be replicated across many CDN nodes spread throughout the globe and will be served from a node near to your user thus improving the user experience.
I think the service you should be looking to use is blob storage, not file storage. File storage, as per the documentation, is meant more for SMB shares.
When you setup Azure blob storage, you have a couple of different options. If there is nothing sensitive/secure about these static images, you could consider making a public container and simply accessing the files like that.
If you require authentication, then you need to either use azure storage access keys, or azure storage access tokens. Of the two, the storage access tokens are by far the most secure.
You wouldn't need to create a SAS token for each file, rather, grant it read permission to the container. Once again, you will have to tailor this to the security/sensitivity needs of your application.