Shared Access Signatures for front end apps (not client) ?

Michal Garcarz · ‎Jan 21 2018

Hello Team,

Typical use case for SAS is to provide client direct access to our storage service - as explained here:

(https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1). Scenario 2.

What if i need to protect access to my storage against applications running on as frontend (Scenario 1). I might have many different developers / teams using the same storage account, i do not want to give all of them access to storage keys and full permissions to my storage.

How to achieve that ? Where can i define granular storage permissions for my server apps ?

Thanks,

Michal

Hannel Hazeley · ‎Jan 21 2018

SAS is not only used for 'client' direct access, applications can also use SAS. Currently SAS is the only granular storage permissions.

https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS

Michal Garcarz · ‎Jan 22 2018

Hi Hannel,

Thank you for the help. Do you suggest i should use "Account SAS" instead of "Service SAS" ?

I can not find any documentation nor examples. This is what i want to achieve:

- my applications has many users/clients, that part is not important

- application itself should authenticate (via AD or any other method)+authorize to storage account

- once authenticated application should request SAS from storage account and receive the right token

- use that token to get limited permission to different blobs/queues

- application itself will also authorize it's users providing different capabilities (but not direct access to storage account)

How to achieve that ?

What is the recommended design ?

I have multiple developers/applications - needs to be sure each app is having limited permissions to storage.

Examples greatly appreciated.

Thanks,

Michal

Michal Garcarz · ‎Jan 23 2018

Hello Michal,

I am not the expert on application development and don't think you can find examples because it sounds like you are creating a custom solution.

But to talk about Azure storage access, if you want an app to be able to generate SAS token (account or service level), the app needs to be given IAM role access to the Azure Storage.

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#management-plane-securi...

Hope this helps in your research.