8
votes

I am hosting a static website through the $web container in the BLOB storage of an azure storage account. The minified JS in that container contains sensitive data, for example an azure-tables key.

According to the documentation:

You can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files.

Is there any way to limit access to the website's content (especially the minified JS sitting in the $web container)?

If you want to limit access to blob content, please keep your blobs in the static website as Private access and generate a SAS token (docs.microsoft.com/en-us/azure/storage/common/…) for the blob you want to share. (user10182254)

Does this limit access to the primary static website endpoint, too? (RubbelDieKatz)

The endpoint like "contosoblobaccount.z22.web.core.windows.net/index.html" will be public, but the endpoint "contosoblobaccount.blob.core.windows.net/$web/index.html" will be private. (user10182254)

Very interesting. Will try this out in the next few days. (RubbelDieKatz)

"The minified JS in that container contains sensitive data, for example an azure-tables key." - It's really a VERY BAD IDEA to keep the keys (assuming you're talking about storage keys) in a JS file. (Gaurav Mantri)
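The practical question behind Gaurav Mantri's comment is how to notice, before the bundle is uploaded to $web, that a storage key ended up in it. Here is a small pre-deploy check for exactly that; it is an added example, not code from the question or from any of the commenters. Azure Storage account keys are 64 random bytes, so in base64 they are always 88 characters ending in "==", and the patterns below look for that shape both inside a connection string and on its own, plus the `sig=` parameter of a SAS URL. The regexes, the fake key and the sample bundle are constructed for this example.

```python
import base64
import re
import sys
from typing import List, Tuple

# Azure Storage account keys are 64 random bytes, so in base64 they are exactly
# 88 characters ending in "==". The patterns below are constructed for this example;
# a production scanner would cover more formats (other services' connection strings,
# bearer tokens, and so on).
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)(?![A-Za-z0-9+/=])")
SAS_SIG_RE = re.compile(r"[?&]sig=([A-Za-z0-9%+/=]{20,})")

CHECKS = (("account-key", ACCOUNT_KEY_RE), ("bare-key", BARE_KEY_RE), ("sas-signature", SAS_SIG_RE))


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it in the bundle without re-leaking it."""
    return secret[:6] + "..." + secret[-4:]


def scan_bundle(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, redacted_secret) for every suspected secret in a JS bundle.

    Minified bundles are often one very long line, so findings are reported per line
    with a redacted fragment rather than a column offset.
    """
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CHECKS:
            for match in pattern.finditer(line):
                secret = match.group(1)
                if (lineno, secret) in seen:  # a connection-string key also matches the bare-key pattern
                    continue
                seen.add((lineno, secret))
                findings.append((kind, lineno, redact(secret)))
    return findings


def bundle_is_clean(text: str) -> bool:
    """True when nothing that looks like a storage key or SAS signature was found."""
    return not scan_bundle(text)


# Constructed sample: a minified bundle that embeds a storage connection string, the
# exact mistake the question describes. The key is fake (base64 of 64 fixed bytes).
FAKE_KEY = base64.b64encode(bytes([0x11] * 64)).decode()
SAMPLE_BUNDLE = "\n".join([
    'var e=require("azure-storage");',
    'var c="DefaultEndpointsProtocol=https;AccountName=contosoblobaccount;AccountKey='
    + FAKE_KEY + ';EndpointSuffix=core.windows.net";',
    'var t=e.createTableService(c);',
    'var u="https://contosoblobaccount.blob.core.windows.net/$web/app.js?sv=2020-12-06&sp=r&sig=abcdefghijklmnopqrstuvwxyz123456";',
])


if __name__ == "__main__":
    # Usage: python scan_bundle.py dist/app.min.js   (no argument scans the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BUNDLE
    for kind, lineno, fragment in scan_bundle(text):
        print(f"{kind} on line {lineno}: {fragment}")
    sys.exit(0 if bundle_is_clean(text) else 1)
```

Run it as the last step before whatever copies the build output into $web and fail the deployment on a non-zero exit; the redacted fragment is enough to find the offending line in the source map without printing the key into CI logs.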

1 Answer

1
votes

First of all, it is very bad practice to store data access tokens in the website's code, no matter how minified the JS is. The access tokens could be leaked by anyone who has read access to the website, intentionally or unintentionally. That includes being able to open and view the site in their browser.

If you're already thinking about authentication, an Azure Blob Storage service isn't going to cut it. You're probably going to need a free Azure Web App or two (one for the frontend, one for the backend). Server-side code is much safer than browser code and enables features like proper user input validation. Additionally, enabling Azure AD Authentication is just a click away if you're using Azure Web Apps.

It is possible to generate SAS tokens that require the user to authenticate via Azure AD before accessing the Blob, but I personally haven't tried that yet.
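What the answer's backend would actually do with the storage key, combined with the private-container approach from the comment thread, looks roughly like this: the server keeps the account key, and an authenticated API route hands the browser a read-only SAS for a single blob that expires in minutes, so the key itself never ships in any JS. This is an added example, not code from the answer or from Azure's SDKs. The account name and key are constructed placeholders, and the string-to-sign layout is reproduced from the blob service-SAS reference for version 2020-12-06 from memory, so treat that field order as an assumption and compare a token from this code against one produced by the official SDK before relying on it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode

# Constructed placeholders. In a real deployment the key is read from app settings or
# Key Vault on the server; it never reaches the browser.
ACCOUNT = "contosoblobaccount"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def string_to_sign(container: str, blob: str, permissions: str, start: str, expiry: str) -> str:
    """Build the service-SAS string-to-sign for one blob.

    Assumption: field order as documented for a blob service SAS at version 2020-12-06
    (permissions, start, expiry, canonical resource, identifier, IP, protocol, version,
    resource, snapshot, encryption scope, five response-header overrides).
    """
    fields = [
        permissions,
        start,
        expiry,
        f"/blob/{ACCOUNT}/{container}/{blob}",
        "",                  # signed identifier: no stored access policy
        "",                  # signed IP range: any
        "https",             # signed protocol: HTTPS only
        SAS_VERSION,
        "b",                 # signed resource: a single blob, not the whole container
        "",                  # snapshot time
        "",                  # encryption scope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    return "\n".join(fields)


def sign(payload: str) -> str:
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the base64-decoded account key."""
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), payload.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def mint_read_sas(container: str, blob: str, minutes: int = 5, now=None) -> str:
    """Server-side: issue a read-only SAS for one blob that expires in a few minutes.

    The authenticated API route that calls this decides who may have a token; the token
    itself carries no identity, so keep the lifetime short and the scope to one blob.
    """
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(minutes=1)).strftime(TIME_FMT)  # tolerate small clock skew
    expiry = (now + timedelta(minutes=minutes)).strftime(TIME_FMT)
    sig = sign(string_to_sign(container, blob, "r", start, expiry))
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": "r", "st": start,
                      "se": expiry, "spr": "https", "sig": sig})


def verify_sas(container: str, blob: str, query: str) -> bool:
    """Recompute the signature from the query parameters, as the storage service would.

    Any change to permissions, times or target blob changes the string-to-sign, so a
    tampered token fails here; handy for unit-testing the minting code.
    """
    q = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        expected = sign(string_to_sign(container, blob, q["sp"], q["st"], q["se"]))
    except KeyError:
        return False
    return hmac.compare_digest(expected.encode(), q.get("sig", "").encode("utf-8", "replace"))


def private_blob_url(container: str, blob: str, sas: str) -> str:
    """The blob endpoint (not the anonymous static-website endpoint) plus the token."""
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{quote(blob)}?{sas}"


if __name__ == "__main__":
    token = mint_read_sas("$web", "app.min.js")
    print(private_blob_url("$web", "app.min.js", token))
    print("self-check:", verify_sas("$web", "app.min.js", token))
```

Note that this only helps for the blob endpoint the comment thread mentions; the primary static-website endpoint keeps serving $web anonymously, so content that needs protection has to be fetched through the blob endpoint with the token, or served from the backend directly.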