Storage Account Access
This document outlines the various methods for accessing your Azure Storage accounts, including authentication, authorization, and best practices for secure access.
Authentication Methods
Azure Storage offers several authentication methods to secure access to your data:
- Shared Key Authentication: Uses account access keys. While simple, it grants full access to the storage account and should be used with caution.
- Shared Key Lite: A more restricted version of Shared Key authentication.
- Shared Access Signature (SAS) Tokens: Provides delegated access to resources in your storage account. You can grant permissions for a limited time, to specific operations, and on specific resources. This is a highly recommended method for providing granular access.
- Service SAS: Signed with the storage account key.
- Account SAS: Signed with the storage account key, offering broader permissions.
- User Delegation SAS: Signed with Azure AD credentials, offering the highest level of security and granularity.
- Azure Active Directory (Azure AD) Integration: For Blob Storage and Azure Files, you can authenticate using Azure AD identities (users, groups, service principals, managed identities). This is the preferred method for enterprise scenarios as it leverages existing identity management infrastructure.
- Anonymous Access: For Blob Storage, containers can be configured for public read access. This is suitable for publicly available data like website assets but should be avoided for sensitive information.
Authorization
Once a client is authenticated, Azure Storage determines if they have the necessary permissions to perform the requested operation. Authorization is typically managed through:
- Role-Based Access Control (RBAC): When using Azure AD authentication, RBAC roles define granular permissions to storage resources. Common roles include Storage Blob Data Reader, Storage Blob Data Contributor, and Storage Blob Data Owner.
- Access Control Lists (ACLs): For Azure Data Lake Storage Gen2, POSIX-like ACLs provide fine-grained access control for individual files and directories.
- SAS Token Permissions: The permissions defined within a SAS token itself grant authorization for specific operations.
Access Tiers
Azure Storage offers different access tiers to optimize costs based on data access frequency:
- Hot tier: For frequently accessed data.
- Cool tier: For infrequently accessed data stored for at least 30 days.
- Archive tier: For rarely accessed data stored for at least 180 days, with latency for retrieval.
Understanding access tiers is crucial for cost management, especially when accessing large amounts of data.
Access Control Examples
Using Shared Key (for development/testing)
When using the Azure SDKs or the REST API, you will often need your storage account name and key. Never hardcode keys in production applications.
# Example using Azure CLI: prints a connection string that embeds the primary account key, so treat the output as a secret
az storage account show-connection-string --name <your-storage-account-name> --resource-group <your-resource-group> --key primary
Using Shared Access Signatures (SAS)
Generate a SAS token with specific permissions and expiry. This is ideal for sharing access to specific resources without giving away account keys.
You can generate SAS tokens using the Azure portal, Azure CLI, Azure PowerShell, or the Storage Explorer.
# Example of a SAS token query string, appended to a blob URL (account SAS form: ss = services, srt = resource types, sp = permissions, st/se = validity window, spr = allowed protocol, sig = signature)
?sv=2020-08-04&ss=bfqt&srt=sco&sp=r&se=2023-12-31T12:00:00Z&st=2023-01-01T11:00:00Z&spr=https&sig=ABCDEFG...
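As an added example (not part of this page or of Azure's own tooling), the following Python audit parses a SAS query string such as the one above and flags settings that contradict the least-privilege and HTTPS-only advice on this page; the 8-hour lifetime ceiling, the sample token and the fixed clock are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Assumed local policy ceiling on how long a delegated token may stay valid.
MAX_LIFETIME = timedelta(hours=8)
# Permission letters that only read or enumerate data; any other letter mutates.
READ_ONLY_PERMS = set("rl")

def parse_sas(sas: str) -> dict:
    """Split a SAS query string (with or without a leading '?') into its fields."""
    return {k: v[0] for k, v in parse_qs(sas.lstrip("?"), strict_parsing=True).items()}

def parse_ts(ts: str) -> datetime:
    """SAS timestamps (st, se) are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_sas(sas: str, now: datetime) -> list:
    """Return least-privilege findings for one SAS token; an empty list is clean."""
    p = parse_sas(sas)
    if not all(k in p for k in ("sig", "se")):
        return ["malformed: missing signature (sig) or expiry (se)"]
    findings = []
    expiry = parse_ts(p["se"])
    start = parse_ts(p["st"]) if "st" in p else now
    if expiry <= now:
        findings.append("expired")
    elif expiry - start > MAX_LIFETIME:
        findings.append(f"lifetime {expiry - start} exceeds policy {MAX_LIFETIME}")
    if p.get("spr", "https,http") != "https":      # omitted spr allows plain HTTP
        findings.append("token accepted over HTTP (set spr=https)")
    mutating = set(p.get("sp", "")) - READ_ONLY_PERMS
    if mutating:
        findings.append(f"grants write-type permissions: {''.join(sorted(mutating))}")
    if "ss" in p:  # account SAS: scoped by service (ss) and resource type (srt)
        if len(p["ss"]) > 1:
            findings.append(f"account SAS spans {len(p['ss'])} services (ss={p['ss']})")
        if "s" in p.get("srt", ""):
            findings.append("srt includes service-level operations")
    # A user delegation SAS carries the delegating identity's object id (skoid);
    # without it the token was signed with the account key, so revoking it means rotating that key.
    if "skoid" not in p:
        findings.append("signed with account key, not a user delegation key")
    return findings

# Constructed inputs: the SAS string from this page and a fixed clock.
SAMPLE_SAS = ("?sv=2020-08-04&ss=bfqt&srt=sco&sp=r&se=2023-12-31T12:00:00Z"
              "&st=2023-01-01T11:00:00Z&spr=https&sig=ABCDEFG...")
SAMPLE_NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
```

Run `audit_sas(SAMPLE_SAS, SAMPLE_NOW)` to see why the page's sample token, although read-only, still fails a least-privilege review: it spans all four services, includes service-level operations, is valid for a year, and is signed with the account key.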
Using Azure AD
Grant appropriate RBAC roles to your Azure AD identity (user, service principal, or managed identity) on the storage account or a specific container.
When using SDKs, the library will often automatically pick up credentials from the environment (e.g., managed identity on an Azure VM or App Service).
Best Practices
- Prefer Azure AD Authentication: For production environments, Azure AD integration with RBAC provides the most secure and manageable access control.
- Use SAS Tokens for Delegated Access: Grant temporary, specific permissions to clients or applications without exposing account keys.
- Enforce Least Privilege: Grant only the necessary permissions for any given access method.
- Use Private Endpoints: Restrict network access to your storage account by using Azure Private Endpoints.
- Secure Your Account Keys: If you must use Shared Key authentication, store keys securely using Azure Key Vault and rotate them regularly. Avoid embedding keys directly in code.
- Monitor Access: Regularly review access logs and audit trails to detect any suspicious activity.
- Configure Firewall and Virtual Networks: Restrict access to your storage account based on IP addresses or virtual networks.
Tip
For granular access control over individual files and directories within Blob Storage that supports hierarchical namespace (e.g., Azure Data Lake Storage Gen2), utilize Access Control Lists (ACLs) in conjunction with Azure AD identities.