Forum Discussion
Verify if logged user has access to accessed Azure resource through link?
I have a web platform that is sharing images and videos, stored on Azure blob. Users can access these resources through the SAS links that I provide to them. I want to be able, once a user accesses a blob resource through a link in a browser, to check on a database server whether the accessed resource belongs to that user, and to deliver the blob only if it belongs to that user. Currently the check is being done using the information stored in the link, but the link can be copied and distributed. I would want to check whether the current user that is logged in to the application has access to the resource; this way, a user who is not logged in to the app, or is logged in but does not have access to the resource, cannot access the blob even if they have the link. How can this be done in Azure?
1 Reply
- sanketghorpade (Copper Contributor)
Hi Daniel2320,
If the users are accessing a file from the blob storage, then you can use the RBAC model or ACLs to grant them the right set of permissions by which they will be able to access these files.
But I see that you are talking about them accessing the blobs using the website, which means your website's HTML tags might contain these URLs and you want to secure these URLs according to the user who is accessing them.
There is no direct way of achieving this, as the blob URL can be secured by a SAS token, which you have tried already. What you can do in this case, as an alternate solution, is create these SAS tokens dynamically every time and keep the expiry very short. This way, every time a user accesses these blob files, the URL will be generated dynamically by your server-side code and appended to the HTML tags.
Now, even if the URL is shared with someone else, it would have already expired, as the expiry is set for a short time.
You can follow this URL to see how it can be implemented programmatically - https://docs.microsoft.com/en-us/azure/storage/blobs/storage-secure-access-application?tabs=azure-powershell
If you think this helped, let me know or if you have any other thought process feel free to share.
Thanks,
Sanket Ghorpade
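The approach described in the reply, sketched as an added example that is not part of the original thread: the server checks the logged-in user's ownership in the database on every request and only then mints a read-only SAS with a short expiry. The account and container names, the `media` table, the two-minute lifetime and the injectable `sign` callback are assumptions made for illustration; `generate_blob_sas` and `BlobSasPermissions` come from the `azure-storage-blob` SDK.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

SAS_TTL = timedelta(minutes=2)                   # assumed lifetime; keep it as short as the page load allows
ACCOUNT, CONTAINER = "examplestorage", "media"   # placeholder names


def azure_sas_signer(blob_name, expiry, account_key):
    """Mint a read-only SAS with the azure-storage-blob SDK (imported lazily)."""
    from azure.storage.blob import BlobSasPermissions, generate_blob_sas
    return generate_blob_sas(
        account_name=ACCOUNT, container_name=CONTAINER, blob_name=blob_name,
        account_key=account_key, permission=BlobSasPermissions(read=True),
        expiry=expiry,
    )


def user_owns_blob(db, user_id, blob_name):
    """Ownership lookup; the media(owner_id, blob_name) table is hypothetical."""
    row = db.execute(
        "SELECT 1 FROM media WHERE owner_id = ? AND blob_name = ?",
        (user_id, blob_name),
    ).fetchone()
    return row is not None


def blob_url_for(db, session_user_id, blob_name, sign, now=None):
    """Return a short-lived blob URL for the logged-in owner, else raise."""
    if session_user_id is None:
        raise PermissionError("not logged in")
    if not user_owns_blob(db, session_user_id, blob_name):
        raise PermissionError("blob does not belong to this user")
    expiry = (now or datetime.now(timezone.utc)) + SAS_TTL
    token = sign(blob_name, expiry)              # SAS query string, no leading "?"
    return f"https://{ACCOUNT}.blob.core.windows.net/{CONTAINER}/{quote(blob_name)}?{token}"


def demo_db():
    """Constructed sample data: user 1 owns cat.jpg, user 2 owns dog.mp4."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE media (owner_id INTEGER, blob_name TEXT)")
    db.executemany("INSERT INTO media VALUES (?, ?)", [(1, "cat.jpg"), (2, "dog.mp4")])
    return db
```

In a real handler, pass `lambda name, exp: azure_sas_signer(name, exp, account_key)` as `sign` and take `session_user_id` from the authenticated session, never from the request URL. The returned link still works for anyone who holds it until `SAS_TTL` elapses, so the short expiry bounds the exposure rather than removing it.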