Controlling Access to Azure Storage Blobs
Securely managing access to your data is paramount when using Azure Blob Storage. Azure provides several robust mechanisms to control who can access your blobs and what operations they can perform.
Shared Access Signatures (SAS)
Shared Access Signatures (SAS) provide a secure way to grant limited access to blob containers or individual blobs. A SAS scopes access to a specific time window, to specific resources, and to specific operations (e.g., read, write, delete).
- Service SAS: Delegates access to a resource in a single storage service (blob, queue, table, or file).
- Account SAS: Granted at the storage account level and can delegate access across multiple storage service types.
SAS tokens are typically appended to the blob's URI. Clients then use this URI to access the resource without needing Azure credentials.
https://<storage-account>.blob.core.windows.net/<container>/<blob>?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx&se=2023-10-27T10:00:00Z&st=2023-10-27T09:00:00Z&spr=https&sig=<signature>
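The query parameters in that URI (sv, ss, srt, sp, st, se, spr, sig) are the whole policy a holder of the link receives, so it is worth checking them before a token is issued or accepted. The following is an added example, not code from the page or from the Azure SDKs: a standard-library Python auditor that parses a SAS URI and reports how broad it is (mutating permissions, account-wide scope, plain HTTP, validity window, missing expiry or signature). The sample URI, account name, blob path and signature are constructed placeholders, and the one-hour maximum window is an assumed local policy, not an Azure limit.

```python
"""Audit what a SAS URI grants before it is issued or accepted."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Letters of the sp (signed permissions) field as documented for account SAS.
PERMISSION_NAMES = {
    "r": "read", "w": "write", "d": "delete", "x": "delete version",
    "y": "permanent delete", "l": "list", "a": "add", "c": "create",
    "u": "update", "p": "process", "t": "tag", "f": "filter",
    "i": "set immutability policy",
}
SERVICE_NAMES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
# Everything except read, list and filter changes data, metadata or policy.
MUTATING = set("wdxyacupti")

# Constructed sample mirroring the account-SAS template on the page; the
# account, container, blob and signature are placeholders, not real values.
SAMPLE_URI = (
    "https://examplestore.blob.core.windows.net/logs/app.log"
    "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&se=2023-10-27T10:00:00Z&st=2023-10-27T09:00:00Z&spr=https"
    "&sig=c0nstructedSignatureNotReal%3D"
)


def parse_sas_uri(uri):
    """Split a SAS URI into host, resource path and query parameters."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {"host": parts.netloc, "path": parts.path,
            "params": {k: v[0] for k, v in query.items()}}


def parse_sas_time(value):
    """Parse the UTC timestamp forms SAS accepts (date only, seconds, fractional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ",
                "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas_uri(uri, now=None, max_window=timedelta(hours=1)):
    """Return findings describing how broad a SAS token is.

    An empty list means read-only, single-service, HTTPS-only, short-lived
    and currently valid. `now` may be a SAS-style timestamp string or an
    aware datetime; `max_window` is an assumed local policy, not an Azure limit.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_sas_time(now)
    p = parse_sas_uri(uri)["params"]
    findings = []

    perms = p.get("sp", "")
    mutating = [PERMISSION_NAMES[c] for c in perms if c in MUTATING]
    if mutating:
        findings.append("mutating permissions: " + ", ".join(mutating))
    unknown = [c for c in perms if c not in PERMISSION_NAMES]
    if unknown:
        findings.append("unrecognised permission letters: " + "".join(unknown))

    # ss/srt exist only on an account SAS, which can span every service and
    # can only be revoked by rotating the account key it was signed with.
    if "ss" in p:
        services = [SERVICE_NAMES.get(c, c) for c in p["ss"]]
        if len(services) > 1:
            findings.append("account SAS spanning services: " + ", ".join(services))
        if "s" in p.get("srt", ""):
            findings.append("resource types include the service level (srt contains 's')")

    # An absent spr means the token is accepted over both HTTP and HTTPS.
    if "http" in p.get("spr", "https,http").split(","):
        findings.append("plain HTTP permitted (spr missing or includes http)")

    if "se" not in p:
        findings.append("no expiry (se); validity must come from a stored access policy")
    else:
        expiry = parse_sas_time(p["se"])
        start = parse_sas_time(p["st"]) if "st" in p else None
        if expiry <= now:
            findings.append(f"expired at {expiry.isoformat()}")
        elif start is not None and start > now:
            findings.append(f"not valid before {start.isoformat()}")
        window = expiry - (start if start is not None else now)
        if window > max_window:
            findings.append(f"validity window {window} exceeds policy maximum {max_window}")

    if not p.get("sig"):
        findings.append("signature (sig) missing; this is a template, not a credential")
    return findings


if __name__ == "__main__":
    for finding in audit_sas_uri(SAMPLE_URI, now="2023-10-27T09:30:00Z"):
        print("-", finding)
```

Run against the sample, the auditor flags the write/delete permissions, the four-service scope and the service-level resource type; a read-only, single-blob, HTTPS-only token that expires within the hour produces no findings. Rejecting any token with findings at issuance is a simple way to enforce least privilege on links that, once handed out, can only be revoked by rotating the signing key.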
Access Control Lists (ACLs)
For container-level access, you can use Access Control Lists (ACLs) to manage permissions for individual users or service principals. This is particularly useful when you need fine-grained control over who can list, read, write, or delete blobs within a container.
ACLs are managed using Azure role-based access control (RBAC) roles assigned to identities. Common roles include:
- Storage Blob Data Reader: Allows read access to blob data.
- Storage Blob Data Contributor: Allows read, write, and delete access to blob data.
- Storage Blob Data Owner: Full access to blob data, including managing access control.
Public Access
In some cases, you might want to make blobs publicly accessible. Azure Storage supports anonymous public read access to containers and blobs. This is often used for serving static website content.
Caution: Enabling public access should be done with care, as it means anyone on the internet can access the data without authentication. Ensure sensitive data is not exposed.
You can configure public access at the container level:
- No public access: Default and most secure setting.
- Blob access: Allows anonymous read access to individual blobs within the container.
- Container access: Allows anonymous read access to the container and its blobs.
Key Management
Access to your storage account is typically authenticated using account access keys. These keys grant full administrative access to the entire storage account, so it is crucial to protect them.
- Shared Key Authorization: Uses the account name and one of the account keys.
- Azure AD Authorization: For enhanced security, consider using Azure Active Directory (Azure AD) for authentication, especially for applications and services.
Azure RBAC and Managed Identities
For applications running on Azure services (like Virtual Machines, App Services, or Azure Functions), using Managed Identities is the recommended approach for authenticating to Azure Storage. A Managed Identity provides an identity for the application in Azure AD, and you can grant this identity permissions to your storage resources via RBAC.