I'm uploading files from a Raspberry Pi to Azure Blob storage using an Azure IoT hub, using this Microsoft tutorial as the basis for my C# code, and it's working fine.

Looking at the Microsoft documentation for the method UploadToBlobAsync(), "If the blob already exists, it will be overwritten."

I'm wondering if there's any way to restrict the device's permissions to create-only in the Azure portal or via PowerShell. My concern is that should someone access the device's storage and get the device id and key, they would have the means to delete or overwrite files previously uploaded by that device in the storage container.

As a work-around I could have a server-side process pick up files once they've been received and move them elsewhere, but if the device id/key was restricted to create-only then I wouldn't need this overhead.


1 Answer


The method UploadToBlobAsync (assembly Microsoft.Azure.Devices.Client.UWP) is a wrapper around the sequence of REST API calls for uploading a blob to the Azure Storage container. The following sequence is processed:

  1. A REST API call to the Azure IoT Hub to obtain a reference for uploading the blob; see the following screen snippet:

[screen snippet: ReferenceUploadFile]

As you can see in the above picture, the sasToken for this operation has been generated for read/write.

  2. Once the device has received the above response, the REST API PUT of the blob can be called. Here is my suggestion: the device can first call the REST API to get the metadata of the blob; see the following screen snippet:

[screen snippet: UploadFile-GET]

Based on the above result, this sequence can either be skipped or continue to actually upload the blob using the REST API PUT.

  3. This is the last step of the sequence (very important). The device needs to send a notification to the Azure IoT Hub with the status of the upload sequence. The following screen snippet shows this REST API call:

[screen snippet: NotifyUploadFile]

Well, as you can see, the above step #2 can decide between skipping and overwriting in the blob upload process.
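The check-then-upload sequence described in the answer, as an added Python example that is neither the asker's C# code nor the answerer's. It drives the three calls through an injectable send() callable so it runs offline against the constructed FakeAzure class; the IoT Hub paths, the api-version and the JSON field names (correlationId, hostName, containerName, blobName, sasToken, isSuccess, statusCode, statusDescription) are assumed from the public IoT Hub file-upload REST API rather than read from the screen snippets, and the example goes one step beyond the answer by sending If-None-Match: * on the PUT so the storage service itself rejects an overwrite that races with the metadata check.

```python
import json

API_VERSION = "2020-03-13"  # assumed api-version; confirm against your hub's documentation

def upload_without_overwrite(send, hub_host, device_id, device_auth, blob_name, data):
    """Three-step sequence; returns {'result': 'uploaded'|'skipped', 'status_code': n}."""
    files_url = f"https://{hub_host}/devices/{device_id}/files"
    hub_headers = {"Authorization": device_auth, "Content-Type": "application/json"}
    # Step 1: ask IoT Hub for the blob reference (container, blob name, SAS token).
    status, body = send("POST", f"{files_url}?api-version={API_VERSION}", hub_headers,
                        json.dumps({"blobName": blob_name}).encode())
    if status != 200:
        raise RuntimeError(f"blob reference request failed with HTTP {status}")
    ref = json.loads(body)
    blob_url = f"https://{ref['hostName']}/{ref['containerName']}/{ref['blobName']}{ref['sasToken']}"
    # Step 2: read the blob's metadata first; HTTP 200 means it exists, so skip the PUT.
    status, _ = send("HEAD", f"{blob_url}&comp=metadata", {}, b"")
    if status == 200:
        outcome = {"result": "skipped", "status_code": 409}
    else:
        # If-None-Match: * makes the storage service itself refuse (HTTP 412) to
        # overwrite a blob that appeared between the metadata check and the PUT.
        status, _ = send("PUT", blob_url, {"x-ms-blob-type": "BlockBlob", "If-None-Match": "*"}, data)
        outcome = {"result": "uploaded" if status == 201 else "skipped", "status_code": status}
    # Step 3: always report back so the hub can close out this correlationId.
    send("POST", f"{files_url}/notifications?api-version={API_VERSION}", hub_headers,
         json.dumps({"correlationId": ref["correlationId"],
                     "isSuccess": outcome["result"] == "uploaded",
                     "statusCode": outcome["status_code"],
                     "statusDescription": outcome["result"]}).encode())
    return outcome

class FakeAzure:  # constructed in-memory stand-in for IoT Hub and Blob storage, for offline runs
    def __init__(self):
        self.blobs, self.notifications = {}, []
    def send(self, method, url, headers, body):
        if "/files?" in url:  # step 1: hand out a reference and a fake SAS token
            return 200, json.dumps({"correlationId": "corr-1", "hostName": "acct.blob.core.windows.net",
                                    "containerName": "uploads", "blobName": json.loads(body)["blobName"],
                                    "sasToken": "?sv=fake"}).encode()
        if "/files/notifications?" in url:  # step 3: record the device's status report
            self.notifications.append(json.loads(body))
            return 204, b""
        key = url.split("/uploads/", 1)[1].split("?", 1)[0]  # blob name from the storage URL
        if method == "HEAD":
            return (200 if key in self.blobs else 404), b""
        if headers.get("If-None-Match") == "*" and key in self.blobs:
            return 412, b""
        self.blobs[key] = body
        return 201, b""
```

Both the metadata check and the conditional header are chosen by the device code, so a caller holding the device key can simply omit them: this reduces accidental overwrites but is not a server-side permission restriction of the kind the question asks for.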