Forum Discussion
Shared Access Signatures for front end apps (not client)?
- Jan 23, 2018
Hello Michal,
I am not the expert on application development and don't think you can find examples because it sounds like you are creating a custom solution.
But to talk about Azure storage access, if you want an app to be able to generate a SAS token (account or service level), the app needs to be given IAM role access to the Azure Storage.
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#management-plane-security
Hope this helps in your research.
Hi Hannel,
Thank you for the help. Do you suggest I should use "Account SAS" instead of "Service SAS"?
I cannot find any documentation or examples. This is what I want to achieve:
- my application has many users/clients, that part is not important
- the application itself should authenticate (via AD or any other method) + authorize to the storage account
- once authenticated, the application should request a SAS from the storage account and receive the right token
- use that token to get limited permission to different blobs/queues
- the application itself will also authorize its users, providing different capabilities (but not direct access to the storage account)
How to achieve that?
What is the recommended design?
I have multiple developers/applications and need to be sure each app has limited permissions to storage.
Examples greatly appreciated.
Thanks,
Michal
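One way to sketch the flow listed in the post above, as an added example that is not part of either poster's message: a server-side issuer that holds the account key, checks a per-application policy, and returns a short-lived service SAS scoped to a single blob. The app names, containers, `MAX_TTL` and `issue_blob_sas` are hypothetical, and the string-to-sign layout is assumed for service version 2018-11-09; a real deployment would normally call the Azure Storage SDK for the signing step.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2018-11-09"         # assumed service version for the layout below
MAX_TTL = timedelta(minutes=15)    # constructed limit: keep tokens short-lived

# Constructed per-application policy (hypothetical app and container names).
APP_POLICY = {
    "reports-app": {"container": "reports", "permissions": "r"},
    "ingest-app": {"container": "uploads", "permissions": "cw"},
}

def issue_blob_sas(app_id, account, account_key_b64, blob, wanted, ttl, now=None):
    """Return a service SAS query string for one blob, or raise if out of policy."""
    policy = APP_POLICY.get(app_id)
    if policy is None:
        raise PermissionError(f"unknown application: {app_id}")
    if not wanted or not set(wanted) <= set(policy["permissions"]):
        raise PermissionError(f"{app_id} may not request '{wanted}'")
    if not timedelta(0) < ttl <= MAX_TTL:
        raise ValueError("ttl must be positive and at most MAX_TTL")
    if not blob or blob.startswith("/"):
        raise ValueError("blob name must be a relative path")

    now = now or datetime.now(timezone.utc)
    expiry = (now + ttl).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    perms = "".join(p for p in "racwd" if p in wanted)  # canonical letter order
    resource = f"/blob/{account}/{policy['container']}/{blob}"
    # Assumed string-to-sign field order for a blob service SAS (2018-11-09):
    # sp, st, se, canonicalized resource, si, sip, spr, sv, sr, snapshot,
    # then the five response-header overrides (rscc, rscd, rsce, rscl, rsct).
    string_to_sign = "\n".join(
        [perms, "", expiry, resource, "", "", "https", SAS_VERSION, "b", ""] + [""] * 5
    )
    digest = hmac.new(base64.b64decode(account_key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": perms, "se": expiry,
                      "spr": "https", "sig": base64.b64encode(digest).decode()})
```

The account key stays with the issuer; each calling application only ever receives a token limited to the container and permissions in its own policy entry.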