Azure Blob SAS with IP Range Restriction

1
votes

I'm trying to create SAS URIs / Tokens to allow download of my Azure Storage Blobs.

I'd like to do this on a blob-level, in order to not inadvertently give access to an unintended resource.

The current code I use to do this is:

public static string GetBlobSasUri(string containerName, string reference)
{
    // Create the CloudBlobContainer object
    CloudBlobContainer container = blobClient.GetContainerReference(containerName);
    container.CreateIfNotExists();

    // Get a reference to a blob within the container.
    CloudBlockBlob blob = container.GetBlockBlobReference(reference);

    // Set the expiry time and permissions for the blob.
    // In this case, the start time is specified as a few minutes in the past, to mitigate clock skew.
    // The shared access signature will be valid immediately.
    SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
    sasConstraints.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
    sasConstraints.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMonths(1);
    sasConstraints.Permissions = SharedAccessBlobPermissions.Read;

    // Generate the shared access signature on the blob, setting the constraints directly on the signature.
    string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);

    // Return the URI string for the container, including the SAS token.
    return blob.Uri + sasBlobToken;
}

This is largely based on the example in Documentation here:

Generate a shared access signature URI for a blob

This works. However, I see in other SAS documentation that it is possible to restrict to a certain IP range as well:

Service SAS Uri Example

My understanding of SAS tokens is that the signature signs all parameters, so I don't think this is as easy as just appending my IP range to the SAS URI returned from the code I pasted above, since the signature would then not match.

However, the SharedAccessBlobPolicy only has three fields, which are the start/end times of the access, as well as the permissions. I don't see anything about IP ranges.

Is it possible to set these permitted ranges when generating SAS URIs at the blob level, not for a full account?

1
azureazure-storageazure-storage-blobs

1 Answers

1
votes

Please use the code below:

        public static string GetBlobSasUri(string ipAddressFrom, string ipAddressTo)
        {
            CloudStorageAccount storageAccount = new CloudStorageAccount(new StorageCredentials("account_name", "account_key"), true);
            CloudBlobClient cloudBlobClient = storageAccount.CreateCloudBlobClient();
            var cloudBlobContainer = cloudBlobClient.GetContainerReference("test-1");

            cloudBlobContainer.CreateIfNotExists();

            CloudBlockBlob blob = cloudBlobContainer.GetBlockBlobReference("a.txt");

            var ipAddressRange = new IPAddressOrRange(ipAddressFrom, ipAddressTo);

            var sasBlobToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
            {
                Permissions = SharedAccessBlobPermissions.List,
                SharedAccessExpiryTime = new DateTimeOffset(DateTime.UtcNow.AddHours(1))
            }, null, null,null, ipAddressRange);


            return blob.Uri + sasBlobToken;
        }