2
votes

According to the docs, Azure containers can be set as follows:

  • Full public read access: Container and blob data can be read via anonymous request. Clients can enumerate blobs within the container via anonymous request, but cannot enumerate containers within the storage account.
  • Public read access for blobs only: Blob data within this container can be read via anonymous request, but container data is not available. Clients cannot enumerate blobs within the container via anonymous request.
  • No public read access: Container and blob data can be read by the account owner only.

Resource: anonymous read access

I'm mainly interested in the second one. If a filename/blob is named via a dynamically generated GUID (e.g. 07as51b9-a246-421x-f3sb-a7fdeasdf5cf.png), is there any conceivable way to programmatically figure this out?

I want to be able to share just a link with certain individuals without shared keys or any authentication other than anonymous, but I'm curious about cookies, tracking, or other factors that may somehow, some way, land the link to the blob in the open world. Obviously if the link is shared then that's a risk.

Perhaps this is better suited for security.stackoverflow.com but Azure points people directly here for questions (unless you have a paid plan).

2
I have the same question. A public blob is simpler for development, but is it secure enough with a GUID blob name? - Guillaume Morin

@GuillaumeMorin You can't programmatically iterate over the list of blobs, which is good. The only risk is if the link is shared, or if some widget or app/JavaScript or who knows what, is tracking links and it somehow gets loose. Whether it's secure or not depends on the level of security your application needs. Technically, it's not fully secure. I'm thinking it may be better to post a parallel question to security.stackexchange.com because it comes down to ways that link can be exposed to the public. - user1447679

@GuillaumeMorin You may want to look at the SAS model that Peter_Pan was referring to in the answer below. - user1447679

2 Answers

1
votes

You can easily list the blobs under your public container by entering the URL in your browser:

https://{your account name}.blob.core.windows.net/{your container name}?restype=container&comp=list

It's actually calling the Azure Blob Storage REST API with anonymous access. For the details of this API, please refer to: https://msdn.microsoft.com/en-us/library/azure/dd135734.aspx

0
votes

@user1447679, as @ZhaoxingLu-Microsoft said, you can get the blob list or the blob under the public container via the URL.

However, if you want to share a link to any container or blob anonymously, you need to add a SAS token as a query parameter to the URL. I know you doubt the security and risk of the link, but the expiry time of the SAS token ensures the link's security and reduces the risk. Please see parts 1 and 2 of the series "Shared Access Signatures" to dive into the SAS model with storage.
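
The point about SAS expiry above, as an added example that is not part of either answer: a Python check that reads the `se`, `sp`, `sr` and `spr` fields of a blob link before it is sent out and reports anything that widens its exposure. The account name, container, `sig` values and the 24-hour `max_lifetime` policy are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample links; account, container and sig values are placeholders.
BASE = "https://exampleaccount.blob.core.windows.net/shared/07as51b9-a246-421x-f3sb-a7fdeasdf5cf.png"
PUBLIC_LINK = BASE
GOOD_SAS = BASE + "?sv=2020-08-04&sr=b&sp=r&spr=https&se=2024-01-01T12%3A00%3A00Z&sig=PLACEHOLDER"
BROAD_SAS = BASE + "?sv=2020-08-04&sr=c&sp=rwl&se=2030-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples


def audit_share_link(url, now=None, max_lifetime=timedelta(hours=24)):
    """Return findings for a blob link before it is shared.

    max_lifetime is an assumed local policy, not an Azure default.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        # Without a signature the link works only through anonymous container access.
        return ["no SAS token: depends on public access and never expires"]
    findings = []
    # spr defaults to "https,http" when the field is absent.
    if parts.scheme != "https" or q.get("spr", "https,http") != "https":
        findings.append("not restricted to HTTPS (spr=https)")
    extra = "".join(sorted(set(q.get("sp", "")) - {"r"}))
    if extra:
        findings.append("grants more than read: " + extra)
    if q.get("sr") != "b":
        findings.append("scope is wider than one blob: sr=" + q.get("sr", "?"))
    if "se" not in q:
        findings.append("no expiry in URL (se); check the stored access policy")
        return findings
    end = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if end.tzinfo is None:  # date-only expiry values are UTC
        end = end.replace(tzinfo=timezone.utc)
    if end <= now:
        findings.append("already expired")
    elif end - now > max_lifetime:
        findings.append("lifetime exceeds policy: %s" % (end - now))
    return findings


if __name__ == "__main__":
    for link in (PUBLIC_LINK, GOOD_SAS, BROAD_SAS):
        print(audit_share_link(link, now=NOW) or "ok")
```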