Location of the Blob Store using SAS - azure

I am looking for a REST API using which my application can determine the location of the Blob Storage account. The application has an access to a specific blob using the Shared Access Signature.

If you just have a blob's SAS URL, then you will not be able to find the location of the storage account.
In order to get the location of a storage account, you would need to use is Storage Resource Provider API especially Storage Accounts - Get Properties operation there. When you perform this operation, the location of the storage account is available in primaryLocation attribute in response. In order to perform this operation, you would need access to underlying Azure Subscription.
Using Storage REST API it is not possible to find this information currently. This API enables you to manage the data in a storage account.

Related

Azure Face API - How to see stored face images/templates?

I am consuming the Azure Face API (Detection and Find Similars), but I do not see any documentation that explains how to access the stored data in the Azure's platform (in the UI of the Azure's website).
According to this, only facial templates are stored. But, how can I see them? Are these resources accessible for devs? Any other data stored?
By default, we can access the data with blob storage as the default storage in azure portal. By default, blob storage cannot be accessed in the public manner. It will be private, and we need to have it accessed publicly. Using the shared access signature (SAS) we can provide secured access to the resources in storage account.
Use the below procedure to get the SAS token and access them in API calls.

Secure access to Microsoft Azure Blob Storage

I have a frontend container, backend container and the azure blob storage. User using the front/backend are authenticated. Thus the backend validates the user credentials and users are allowed to access their media files stored in the azure blob storage.
I would like that users access their media files directly at the azure blob storage in order not to stress the backend to much by using it as a proxy. The media references for each user are stored in the backend.
How would you achieve this by using the azure blob storage and its access control (or is it a misuse of the azure blob storage)?
You can implement security by generating a SAS token for your blob container/individual blob
With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys

Azure Container Level Access

We have recruitment that need to store the file in Blob Storage. The blob storage account which i have created for a company. There are multiple site for a same company. We need to restrict the site member to see other site files. So I need the access key based on container level.
The container will be created dynamically from C#. The credential / access key that should be created while creating the container from C# and the container level access key / credential will be shared with site members not the storage account access key. Storage account key will be in application configure side. So storage account key will be hidden from the site members.
How do I get the container level access key / credential in Azure blob storage?
I think SAS could meet your requirements.With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. And you could set the interval over which the SAS is valid and the permissions granted by the SAS. For example, a SAS for a blob might grant read and write permissions to that blob, but not delete permissions.
You could create SAS pointing to one or more resources and including a token that contains a special set of query parameters.
Here are two examples about how to use SAS, first SAS examples and create SAS.
If you still have other questions, please me know.

Getting Storage Account Properties using Storage Services REST API

Is there a way to get properties of a storage account, specifically the kind of account - GPv1, GPv2 or blob storage, through an API in Storage Services?
I came across https://msdn.microsoft.com/en-us/library/azure/ee460802.aspx but if possible, I would like to re-use the SharedKey authentication I use for the Blob Service APIs.
In this page, https://learn.microsoft.com/en-us/rest/api/storageservices/ I found this:
"All access to storage services takes place through the storage account. The storage account is the highest level of the namespace for accessing each of the fundamental services. It is also the basis for authentication.+
The REST APIs for storage services expose the storage account as a resource."
How would I get properties of that resource? I played around with setting the restype to storage account, similar to "container" and "table", but could not access it.
When it comes to managing storage accounts, there are two REST APIs:
Storage Service REST API: This API is used to manage the data in the storage accounts. This makes use of account name and access key (also known as storage account key). You can find more details about this API here: https://learn.microsoft.com/en-us/rest/api/storageservices/.
Storage Resource Provider (SRP) REST API: This API is used to manage storage accounts. You can use this API to create, update, delete storage accounts, regenerate account keys and get information about the storage account themselves. This makes use of Azure AD for authentication and authorization. You can find more details about this API here: https://learn.microsoft.com/en-us/rest/api/storagerp/.
Now coming to your question, you can't really use Storage Service REST API to find information about the type of storage account. You would need to use Storage Resource Provider API to find this information. In particular you will be consuming Get Properties SRP API to find this information.

Restrict from downloading file on Azure Blob [duplicate]

I have a resource group in Azure which contains cloud service and a storage account. I want to give access to the resource group to my developers so that they can access the resources and make changes. However, there is one particular table in the storage account which contains sensitive user details. The table is being updated through our client app using SAS tokens.
I want only few selected people from my team to be able to see the complete contents of the table. Is there any way in azure to do this?
Azure Storage access is gated by its account name+key. Anyone with access to that key has access to any object(s) within a storage account, whether, blob, queue, or (in your case) table.
If developers have access to the resource group, and the resource group contains the storage account, then those developers have full access to the storage account contents.
If you wanted to prevent your developers from accessing storage, this storage account would need to reside within another resource group (which the developer does not have access to). And then you would have the choice to provide the developer(s) with the storage account+key, or with a SAS to a particular table.
However: If a developer has been granted co-admin permissions to the Azure subscription itself, then they have access to 100% of resources within the subscription, regardless of resource group or SAS.

Resources