Hello Everyone, securing access to Azure Storage accounts could be complex and could have security implications as well. I was working on providing access to Azure Storage account in my environments and got excited with the options that Azure provides to grant access & ways to secure access as well.
Background first:
Azure Storage account has multiple offerings –
- Blobs – Scalable Object storage typically for text & binary data
- Tables – SQL like structured data storage database
- Files – Managed File shares providing SMB interfaces to data
- Queues – Reliable message store for messages transfer between applications
Most commonly used feature of Azure Storage account undoubtedly is Blob Storage. Let us now look at securing access to Azure Blob storage. Scenario is that you need to provide access to Blobs to an application, users in Finance & HR, which have different permissions & access expiry dates.
Azure Storage account access types are –
- Access Keys – Access entire Storage account with two independent keys. These keys don’t expire but they are easy to change manually.
- Shared Access Signature – Access entire Storage account with access expiry leveraging one of Access Keys.
- Shared Access Signature with Access Policy – At Blob containers level. More secure since each SAS gets generated with access policy (explained below), and access is granted or revoked without disturbing other access granted.
Access Storage Account with access keys:
When we create storage account with access keys, it also auto-creates 2 access keys which is used to access entire Storage account (Blob, File, Queues, Tables), and is considered insecure since these keys don’t have expiry date, and is compromise then it would be impacting all applications & users accessing it.
Now, to access this storage account, I have download Azure Storage Explorer from Microsoft site, and I will be accessing the Storage account with access keys. See below. I have not shown next screens but they are self-explanatory. You would enter the key that got from the Storage Account Access Keys screen (shown above) and access the storage account.
Access the Storage Account with Shared Access Signature :
Login to Azure Portal, go to Storage account & select Shared Access Signature. Make your choices in terms of what service you want to access like Blob / Tables, duration of access etc. and click on Generate SAS & Connection String as shown below –
Now, go back to Storage Explorer and connect to Storage account using option Use Shared Access Signature (SAS) URI. Problem with this approach is that this SAS is common for all users and application and any compromise to the SAS keys itself will be challenging to revoke.
Access Storage Account using Access Policy:
Finally, we have answer to the requirement where Access Policy will come into play. Access Policies will grant permissions at container level with desired access expiry date.
In Azure Portal, go to Storage Account, then to containers, select Access Policy under Settings and Add a policy.
I have created a policy for “Developer-Access” with Read, List & Add permissions valid for a month.
We now need to attach Access Policy with Container. To do that, Storage Account in Azure Portal and click on “Storage Explorer (Preview)“, right-click the container where you want to assign permission, and select Get Shared Access Signature, to create SAS token. See below.
Let us now access the containers with Access Policy provided SAS on the desktop version of Storage Explorer. We now connect with SAS URI.
You would notice that with Access Policy based SAS token, I could only access application-data blob container and not anything else. You could create multiple Access Policy for each user / application type and provide access. For any data security or compromise, you only need to revoke the Access policy and its associated SAS signature also gets revoked.
HTTP