Limiting account SAS permission to specific files in Azure Storage

0
votes

I'm developing a web application which users can upload their files and each user can set permissions for the uploaded file to access to other users.

I want to use Azure Blob Storage of Azure File Storage for the uploaded files to be saved.

I need to check and validate the uploaded files before saving them, though users should upload their files on web server and then the web server will validate the files and save them to Azure Storage using Access Key.

To get accessed the files using explained method in SAS - Shared Access Signatures, Part 1: Understanding the SAS model, I want to create account SAS and generate URL on the web server and then user can download their accessible files directly from the Azure Storage.

Here is the access model (just to read data): enter image description here

And here is the sample SAS url:

https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2015-04-05&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D

But, what if user share the URL with anonymous users directly: they can access the file before expiration date, or maybe they can use the URL to access other files (or not?).

  • Can account SAS limit access to specific files or folders?
  • Can I expire the SAS server side?
  • What would be the best solution on this scenario?
2
azureasp.net-web-apiazure-storage-blobsazure-sdk-.netazure-storage-files

2 Answers

4
votes
  1. Account SAS is for account level, Azure File Storage supports file share level SAS or file level SAS as well, please use them instead.
  2. To revoke SAS in server side, you'll need to set up Shared Access Policy for them. By removing the corresponding Shared Access Policy, the related SAS can be revoked. However, server can only store 5 Shared Access Policies at most, which may not satisfy your requirement. What's more, Shared Access Policy doesn't support Account SAS currently. Anyway, technically there is still one way to revoke ad hoc SAS, but I don't think it's a valid option: to regenerate the corresponding storage account key on SAS Provider Service which was used to generate the ad hoc SAS.
  3. In my opinion, SAS is not the good solution for your scenario, since SAS is designed for sharing links in plain text among anonymous users. In order to achieve your requirement, you need to set up your own authentication and authorization on your website. All the users must upload/download the files via your website, and Azure Storage is just the storage back end of your website, which shouldn't be exposed to users directly.
1
votes

We can use SAS to set the file permission, use SAS policy to set the start data and expire date. However if you have very complex logic about the file. I would suggest you use role permission to do this.