Jan 21 2018 01:02 AM
Hello Team,
The typical use case for SAS is to give clients direct access to our storage service, as explained here:
(https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1), Scenario 2.
What if I need to protect access to my storage against applications running as a frontend (Scenario 1)? I might have many different developers/teams using the same storage account; I do not want to give all of them access to storage keys and full permissions to my storage.
How do I achieve that? Where can I define granular storage permissions for my server apps?
Thanks,
Michal
Jan 21 2018 08:10 PM
SAS is not only used for 'client' direct access; applications can also use SAS. Currently SAS is the only form of granular storage permissions.
https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS
Jan 22 2018 12:14 AM
Hi Hannel,
Thank you for the help. Do you suggest I should use "Account SAS" instead of "Service SAS"?
I cannot find any documentation or examples. This is what I want to achieve:
- my application has many users/clients; that part is not important
- the application itself should authenticate (via AD or any other method) and authorize to the storage account
- once authenticated, the application should request a SAS from the storage account and receive the right token
- use that token to get limited permissions to different blobs/queues
- the application itself will also authorize its users, providing different capabilities (but not direct access to the storage account)
How do I achieve that?
What is the recommended design?
I have multiple developers/applications; I need to be sure each app has limited permissions to storage.
Examples greatly appreciated.
Thanks,
Michal
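The token-issuing design described in the post above, as an added example that is not code from this thread or from Microsoft: a hypothetical issuer service is the only component that holds the account key, and it mints a short-lived, container-scoped service SAS for each authenticated application according to a per-app policy, so the apps themselves never see the key. The account name, key, application names and policies are constructed; the string-to-sign follows the blob service SAS layout for version 2018-03-28.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Constructed sample values: not a real account or key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(32))).decode()
SAS_VERSION = "2018-03-28"

# Least-privilege policy per application (hypothetical app names).
# Apps authenticate to the issuer and never receive ACCOUNT_KEY.
APP_POLICIES = {
    "billing-frontend": {"container": "invoices", "perms": "r", "ttl_min": 15},
    "ingest-worker": {"container": "uploads", "perms": "cw", "ttl_min": 5},
}

def _sign(string_to_sign: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(ACCOUNT_KEY)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def build_container_sas(container: str, perms: str, start: datetime, expiry: datetime) -> dict:
    """Container-scoped blob service SAS fields (string-to-sign layout of version 2018-03-28)."""
    st = start.strftime("%Y-%m-%dT%H:%M:%SZ")
    se = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    canonical = f"/blob/{ACCOUNT}/{container}"
    # 13 newline-separated fields: permissions, start, expiry, resource, stored
    # policy id, IP range, protocol, version, then five response-header overrides.
    fields = [perms, st, se, canonical, "", "", "https", SAS_VERSION, "", "", "", "", ""]
    return {"sv": SAS_VERSION, "sr": "c", "sp": perms, "st": st, "se": se,
            "spr": "https", "sig": _sign("\n".join(fields))}

def issue_sas_for_app(app_id: str, now: datetime = None) -> str:
    """Return a short-lived SAS query string for an authenticated app, or refuse."""
    policy = APP_POLICIES.get(app_id)
    if policy is None:
        raise PermissionError(f"no storage policy registered for {app_id!r}")
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(minutes=5)  # tolerate small clock skew
    expiry = now + timedelta(minutes=policy["ttl_min"])
    return urlencode(build_container_sas(policy["container"], policy["perms"], start, expiry))

def sas_fields(token: str) -> dict:
    """Parse a SAS query string back into its fields (for checks and audit logging)."""
    return dict(parse_qsl(token))
```

The issuer's own authentication of the calling app (AD or otherwise) sits in front of issue_sas_for_app; the returned query string is appended to the blob URL by the app.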
Jan 23 2018 11:13 AM
Hello Michal,
I am not an expert on application development and don't think you can find examples, because it sounds like you are creating a custom solution.
But to talk about Azure storage access: if you want an app to be able to generate SAS tokens (account or service level), the app needs to be given IAM role access to the Azure Storage.
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
Hope this helps in your research.