Forum Discussion
How to serve multiple customers with one Storage?
Hi, I am new to Azure Storage, so please forgive me if my question is silly.
I created a demo for a solution that involves blob storage and clients checking for app updates from that storage. It works well, but for the demo I am working with public read access enabled. Now I am thinking about how to make such a solution more secured/restricted.
My aim was to have one central storage where I place application installers, and clients across multiple customers would be checking the storage. If I disable public read access though, how can I make sure all clients that I want will still have access while nobody else would have it? We're talking clients in different domains/different Azure ADs.
Can someone point me in the right direction please? Or is it not possible to implement in this way?
3 Replies
- Anthony_Norwood (Brass Contributor)
Hi MichalKala1991, it would be good to understand more about how exactly you're expecting your clients to access the storage account before offering any suggestions on possible solutions.
Thanks,
Anthony
- MichalKala1991 (Copper Contributor)
I want to utilize the AppInstaller XML files. So place the AppInstaller file and the Appx/msix installation file in the blob and then distribute the AppInstaller file to clients. The distributed AppInstaller file will be redirecting the URL to the blob storage.
https://docs.microsoft.com/en-us/uwp/schemas/appinstallerschema/element-appinstaller
- Anthony_Norwood (Brass Contributor)
MichalKala1991 there are a couple of things you could do here:
1. Generate a SAS token from within the Storage Account or Container that will allow the application to retrieve the installation files; you can control the level of permissions, however there is a built-in expiry for the SAS token, so you'd need to deploy a new version to clients with a new SAS token before the expiry date.
[1] https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
2. You can store the account keys for your storage account in a Key Vault, and then programmatically generate SAS tokens. This obfuscates the credentials and you can set the SAS token expiry to be a lot shorter if you generate at runtime, but does require connectivity to the key vault to accomplish:
[1] https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys
[2] https://docs.microsoft.com/en-us/azure/key-vault/secrets/storage-keys-sas-tokens-code
[3] https://docs.microsoft.com/en-us/azure/storage/common/storage-account-sas-create-dotnet?tabs=dotnet#use-an-account-sas-from-a-client
You'd then just need to append the URL to the installer blob with ?[SAS Token]
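
A check that could be run on an installer URL before it is distributed, as an added example that is not part of the thread or of Microsoft's code: it reads the standard SAS query parameters (`sp`, `se`, `spr`, `sr`) and flags tokens that are broader than read-only or are approaching the expiry mentioned in the reply above. The function names, the 90-day and 14-day thresholds and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def parse_sas_time(value):
    """Parse a SAS ISO 8601 UTC timestamp (date-only or with time)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now, max_lifetime=timedelta(days=90),
                  renew_margin=timedelta(days=14)):
    """Return a list of findings for a blob URL that carries a SAS token."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no SAS token in URL"]
    findings = []
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("not restricted to https (URL scheme or spr)")
    if q.get("sp") != "r":             # sp = signed permissions
        findings.append(f"permissions {q.get('sp')!r} exceed read-only")
    if q.get("sr") not in ("b", "c"):  # sr = blob or container scope
        findings.append("not scoped to a single blob or container")
    if "se" not in q:                  # se = signed expiry
        return findings + ["no expiry in token"]
    remaining = parse_sas_time(q["se"]) - now
    if remaining <= timedelta(0):
        findings.append("token has expired")
    elif remaining <= renew_margin:
        findings.append(f"expires in {remaining.days} days: ship a new token")
    elif remaining > max_lifetime:
        findings.append(f"lifetime {remaining.days} days exceeds policy")
    return findings

# Constructed sample URLs; account, container and sig are placeholders.
BASE = "https://example.blob.core.windows.net/installers/app.msix"
GOOD = BASE + "?sv=2022-11-02&sr=b&sp=r&spr=https&se=2030-01-15T00:00:00Z&sig=PLACEHOLDER"
BROAD = BASE + "?sv=2022-11-02&ss=b&srt=sco&sp=rwdl&se=2035-01-01T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    now = datetime(2029, 12, 1, tzinfo=timezone.utc)
    for name, url in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_sas_url(url, now) or "ok")
```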