0
votes

I have data stored in Azure Table Storage and want to secure it such that only my API (a function app) can read and write data.

What is best practice and how can I do this? I thought setting --default-action on the network rules to Deny for the Storage, plus adding a --bypass Logging Metrics AzureServices would shut down access but enable my Azure services, but this did not work.

I then looked at creating a Managed Service Identity (MSI) for the function app and adding RBAC to the Storage Account, but this did not work either. It doesn't look like MSIs are supported for Table Storage: Access Azure Table Storage with Azure MSI

Am I missing or misunderstanding something? How do I secure the data in the tables in the Storage account, and is this even possible?

2

2 Answers

0
votes

As the link you provided shows, Azure Table Storage does not support Azure MSI; it only supports Shared Key (storage account key) and Shared Access Signature (SAS).


You must use Shared Key authorization to authorize a request made against the Table service if your service is using the REST API to make the request.

To encode the signature string for a request against the Table service made using the REST API, use the following format:

StringToSign = VERB + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               CanonicalizedResource;

You can use Shared Key Lite authorization to authorize a request made against any version of the Table service.

StringToSign = Date + "\n" +
               CanonicalizedResource;

For more details, you could refer to this article.
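A worked example of the two signing formats above, added here as an illustration (it is not code from the answer or from Microsoft's SDK): it builds the Table service CanonicalizedResource, the Shared Key and Shared Key Lite StringToSign, and the resulting Authorization header. The account name, key and URL are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample values for this example; not a real account or key.
SAMPLE_ACCOUNT = "demoacct"
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key-not-a-real-secret-00").decode()


def canonicalized_resource(account: str, url: str) -> str:
    """Table service CanonicalizedResource: '/' + account + URI path,
    plus '?comp=<value>' only when the query string carries a comp parameter."""
    parsed = urlparse(url)
    resource = f"/{account}{parsed.path}"
    comp = parse_qs(parsed.query).get("comp")
    if comp:
        resource += f"?comp={comp[0]}"
    return resource


def string_to_sign(verb, content_md5, content_type, date, resource, lite=False):
    """Build StringToSign in the Shared Key or the Shared Key Lite format."""
    if lite:
        return f"{date}\n{resource}"
    return f"{verb}\n{content_md5}\n{content_type}\n{date}\n{resource}"


def sign(key_b64: str, to_sign: str) -> str:
    """Base64(HMAC-SHA256(UTF8(StringToSign), Base64Decode(account key)))."""
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(account, key_b64, verb, url, date,
                         content_type="", content_md5="", lite=False):
    """Authorization header value for a Table service REST request.
    `date` is the value sent in the x-ms-date (or Date) request header."""
    resource = canonicalized_resource(account, url)
    to_sign = string_to_sign(verb, content_md5, content_type, date, resource, lite)
    scheme = "SharedKeyLite" if lite else "SharedKey"
    return f"{scheme} {account}:{sign(key_b64, to_sign)}"


if __name__ == "__main__":
    url = f"https://{SAMPLE_ACCOUNT}.table.core.windows.net/Customers(PartitionKey='p1',RowKey='r1')"
    date = "Mon, 01 Jan 2024 00:00:00 GMT"
    print(authorization_header(SAMPLE_ACCOUNT, SAMPLE_KEY_B64, "GET", url, date,
                               content_type="application/json;odata=nometadata"))
```

The key must stay on the server side (the function app) only; any client that holds it has full read and write access to every table in the account, which is why the question's goal cannot be met by handing the key to anything other than the API.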

0
votes

For securing Azure Table Storage data you can do the network configurations below:

  1. Use selected networks instead of public network access. This configuration is available under "Firewalls and virtual networks" of the storage account.
  2. The second step you can take is either to move the data to Azure Key Vault or to use an encryption key stored in Azure Key Vault to encrypt the required fields of Azure Table Storage. This way you won't face Azure Key Vault's throttling limits - https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits#secrets-managed-storage-account-keys-and-vault-transactions