
My PHP application, hosted in an Azure VM, needs to access images stored in a private Azure Storage Container.

Has anyone implemented a successful approach? I have 3 ideas (below).

Option 1 - using Azure Managed Identity

  1. give the app a managed identity
  2. give RBAC read permissions on the container
  3. make a curl request in PHP to the VM instance metadata endpoint to get an access token
  4. use this token in all requests for images (how would I persist the token in my app?)

Option 2 - using Azure BLOB Storage SDK for PHP

  1. use Azure Blob Storage SDK to retrieve an image
  2. this requires returning the storage key from my vault to the app

Option 3 - using Azure Shared Access Signature

  1. generate a new SAS in PHP for each image
  2. requires storage account key

Thanks!

1 Answer


According to your need and description, I think using Azure Managed Identity to access Azure Storage is better than the other ways, because, according to your description, if we use the second or third way, we need to get the storage key from Azure Key Vault, and that also needs us to use the MSI to access it. Besides, regarding the third way, we need to consider the life cycle of the SAS token. So I suggest you use the MSI to access Azure Storage.

Regarding how to use MSI to access Azure storage, please refer to the document.

  1. Configure managed identities for the VM via the Azure Portal

  2. Grant the VM access to an Azure Storage container

  3. Get Token

Method: GET
URL: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/
Headers: Metadata : true


  4. Test. For example, I call the REST API to get a blob

Method: GET
URL: https://myaccount.blob.core.windows.net/mycontainer/myblob
Headers: x-ms-version: 2019-02-02
         Authorization: Bearer <access_token>

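The Option 1 flow from the question (including the "how would I persist the token?" point) and steps 3 and 4 of the answer, written out as an added PHP example; this is not code from either poster. It assumes the VM already has a managed identity with a blob data read role on the container, and the cache file path, account, container and blob names are placeholders. The token is requested from the instance metadata endpoint with the `Metadata: true` header, cached on disk until shortly before its `expires_on` time, and then sent as a Bearer token on the blob request, so the storage account key never reaches the application.

```php
<?php
// Added example: acquire a storage token from the VM instance metadata
// service (IMDS) via the managed identity, cache it, and download a blob.
declare(strict_types=1);

const IMDS_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token'
    . '?api-version=2018-02-01&resource=https://storage.azure.com/';

// Assumed cache location; a shared cache (APCu, Redis) works equally well.
const TOKEN_CACHE_FILE = '/tmp/azure-storage-token.json';

/**
 * Return a cached token that is still valid for at least $skewSeconds,
 * otherwise fetch a fresh one from IMDS and persist it.
 */
function getStorageAccessToken(int $skewSeconds = 300): string
{
    if (is_readable(TOKEN_CACHE_FILE)) {
        $cached = json_decode((string) file_get_contents(TOKEN_CACHE_FILE), true);
        if (is_array($cached)
            && isset($cached['access_token'], $cached['expires_on'])
            && (int) $cached['expires_on'] - $skewSeconds > time()) {
            return $cached['access_token'];
        }
    }

    $ch = curl_init(IMDS_TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Metadata: true'], // required by IMDS
        CURLOPT_PROXY          => '',                 // IMDS must be reached directly, never via a proxy
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("IMDS token request failed (HTTP $status)");
    }
    $token = json_decode($body, true);
    if (!isset($token['access_token'], $token['expires_on'])) {
        throw new RuntimeException('Unexpected IMDS token response');
    }

    // Keep only what is needed and restrict the file so other local users cannot read it.
    file_put_contents(TOKEN_CACHE_FILE, json_encode([
        'access_token' => $token['access_token'],
        'expires_on'   => (int) $token['expires_on'],
    ]), LOCK_EX);
    chmod(TOKEN_CACHE_FILE, 0600);

    return $token['access_token'];
}

/**
 * Download one blob with the Bearer token. All three arguments are placeholders
 * for your own storage account, container and blob path.
 */
function getBlob(string $account, string $container, string $blob): string
{
    // Encode each path segment separately so "images/photo.png" keeps its slash.
    $blobPath = implode('/', array_map('rawurlencode', explode('/', $blob)));
    $url = sprintf('https://%s.blob.core.windows.net/%s/%s',
        rawurlencode($account), rawurlencode($container), $blobPath);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'x-ms-version: 2019-02-02',
            'Authorization: Bearer ' . getStorageAccessToken(),
        ],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $data   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($data === false || $status !== 200) {
        throw new RuntimeException("Blob download failed (HTTP $status)");
    }
    return $data;
}

// Usage with placeholder names:
// $png = getBlob('myaccount', 'mycontainer', 'images/photo.png');
```

The cache is keyed on `expires_on` rather than on a fixed interval, so the app refreshes only when the token is about to expire and a 401 from storage can be handled by deleting the cache file and retrying once. The empty `CURLOPT_PROXY` matters in environments that set `http_proxy`: the metadata endpoint is link-local and a proxied request would fail or, worse, hand the token request to the proxy.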