Forum Discussion
Shared Access Signatures for front end apps (not client) ?
Hello Team,
Typical use case for SAS is to provide client direct access to our storage service - as explained here:
(https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1). Scenario 2.
What if i need to protect access to my storage against applications running on as frontend (Scenario 1). I might have many different developers / teams using the same storage account, i do not want to give all of them access to storage keys and full permissions to my storage.
How to achieve that ? Where can i define granular storage permissions for my server apps ?
Thanks,
Michal
Hello Michal,
I am not the expert on application development and don't think you can find examples because it sounds like you are creating a custom solution.
But to talk about Azure storage access, if you want an app to be able to generate SAS token (account or service level), the app needs to be given IAM role access to the Azure Storage.
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
Hope this helps in your research.
SAS is not only used for 'client' direct access, applications can also use SAS. Currently SAS is the only granular storage permissions.
https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS
Hi Hannel,
Thank you for the help. Do you suggest i should use "Account SAS" instead of "Service SAS" ?
I can not find any documentation nor examples. This is what i want to achieve:
- my applications has many users/clients, that part is not important
- application itself should authenticate (via AD or any other method)+authorize to storage account
- once authenticated application should request SAS from storage account and receive the right token
- use that token to get limited permission to different blobs/queues
- application itself will also authorize it's users providing different capabilities (but not direct access to storage account)
How to achieve that ?
What is the recommended design ?
I have multiple developers/applications - needs to be sure each app is having limited permissions to storage.
Examples greatly appreciated.
Thanks,
Michal
Hello Michal,
I am not the expert on application development and don't think you can find examples because it sounds like you are creating a custom solution.
But to talk about Azure storage access, if you want an app to be able to generate SAS token (account or service level), the app needs to be given IAM role access to the Azure Storage.
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
Hope this helps in your research.
