Microsoft Azure Storage

Management: Access Control

Understanding Access Control in Azure Storage

Azure Storage offers robust mechanisms to secure your data, ensuring that only authorized users and applications can access your blobs, files, queues, and tables. This document details the primary access control models available for Azure Storage.

Shared Access Signatures (SAS)

Shared Access Signatures provide a secure way to delegate access to resources in your storage account. A SAS token grants specific permissions for a limited period to a designated resource. This is ideal for scenarios where you need to provide limited access to clients without them needing full account credentials.

For more details on SAS, refer to the official documentation.

Azure Role-Based Access Control (RBAC)

Azure RBAC is the foundational access control system for Azure resources. It allows you to grant granular access to Azure Storage management operations and data operations by assigning roles to users, groups, service principals, or managed identities.

Learn more about Azure RBAC for Storage in the documentation.

Access Keys

Storage account access keys provide full administrative access to your storage account. They grant unrestricted read and write access to all data in the account. Access keys should be treated as highly sensitive credentials and rotated regularly.

See managing storage account access keys.

Best Practice: For most application scenarios, using Azure RBAC with Azure Active Directory (Azure AD) and Shared Access Signatures (SAS) is the recommended approach for secure and granular access control. Reserve the use of storage account access keys for management tasks or scenarios where other authentication methods are not feasible, and ensure they are securely stored and rotated.

Example: Granting Read Access to Blobs using RBAC

To grant a user read-only access to blob data in a specific storage account:

  1. Navigate to the storage account in the Azure portal.
  2. Select "Access control (IAM)" from the left-hand menu.
  3. Click "+ Add" and then "Add role assignment."
  4. Select the "Storage Blob Data Reader" role.
  5. Choose the members (users, groups, service principals) you want to assign the role to.
  6. Review and assign the role.

Example: Creating a SAS Token for a Blob

You can generate a SAS token for a specific blob using the Azure portal, Azure CLI, Azure PowerShell, or SDKs. For example, using Azure CLI:

# Generates a read-only (r) SAS for one blob that expires at the given UTC time.
# --https-only restricts the token to HTTPS requests; --output tsv prints the
# bare token string without JSON quoting.
az storage blob generate-sas \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name myblob.txt \
  --permissions r \
  --expiry 2024-12-31T23:59:59Z \
  --https-only \
  --output tsv

The output is the SAS token string (a set of query parameters such as sv, sp, se, sr and sig), which you append to the blob's URL as its query string, after a "?".
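As an added example, not part of this page or of Azure's own tooling, the following Python script parses a SAS token (the query string appended to the blob URL) and reports the properties a reviewer would check before issuing or accepting one: expiry window, permissions beyond read, HTTPS restriction, scope, and whether it is a user delegation SAS. The URL, token values and 30-day threshold are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the blob URL with a SAS token appended, as the page
# describes. Values are illustrative and the signature is a placeholder.
SAMPLE_URL = (
    "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-12-31T23:59:59Z&spr=https"
    "&sig=PLACEHOLDER_SIGNATURE"
)


def parse_sas(url_or_query):
    """Return the SAS parameters from a full URL or a bare query string."""
    if "://" in url_or_query:
        query = urlsplit(url_or_query).query
    else:
        query = url_or_query.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query).items()}


def parse_utc(stamp):
    """Parse the UTC timestamp formats used for se/st (with or without seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {stamp}")


def audit_sas(url_or_query, now=None):
    """Return (params, findings); `now` is an optional UTC stamp for reproducible checks."""
    now = parse_utc(now) if now else datetime.now(timezone.utc)
    sas = parse_sas(url_or_query)
    findings = []
    if "se" not in sas:
        findings.append("no expiry (se)")
    else:
        expiry = parse_utc(sas["se"])
        if expiry <= now:
            findings.append("expired")
        elif (expiry - now).days > 30:  # constructed policy threshold
            findings.append("expiry more than 30 days out")
    perms = set(sas.get("sp", ""))
    if perms & set("acwd"):  # add / create / write / delete
        findings.append("grants write-class permissions: " + "".join(sorted(perms)))
    if sas.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if sas.get("sr") == "c":
        findings.append("scoped to the whole container, not a single blob")
    # A user delegation SAS (signed with an Azure AD delegation key, the RBAC-plus-SAS
    # path the page recommends) carries skoid; a SAS signed with the account key does not.
    if "skoid" not in sas:
        findings.append("signed with the account key, not a user delegation key")
    return sas, findings
```

Run it over tokens found in configuration files, logs or tickets to spot long-lived or over-privileged signatures before they are deployed.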

Key Concepts Summary