Azure Blob File is accesible without authentication

1
votes

I am using Azure Blob Storage in order to store files (mostly images) for my . NET application. In one part of the application, the user can attach an image to a report and save it. That will save the file and it will be under a url of the following form :

"https://{storageAccountName}.blob.core.windows.net/.../{exportPath}";

Afterwards, if the resulting url would be shared by the user, it could be used by anyone (without any authorization taking place) in order to download that image.

I would want to ensure that the files are accessible only within authorized users.

What should I do for such direct access links to externally stored resources where I can't calculate access authorization, so that my files won't be available to anyone with the azure blob link ?

I was reading up on documentation provided by Microsoft regarding Azure Blobs, mostly SAS ( so that I can make my files accessible only to authorized users) https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create?tabs=dotnet https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet, but I haven't figured out yet if that's the way . ( also quick expiration token)

1
c#.netasp.net-mvcazureazure-blob-storage
Not sure I understand what your question is. Can you please edit your question and elaborate more?Gaurav Mantri
@GauravMantri I've edited. Short explanation : I'm uploading files to azure blob storage. If you have the link to the file, you can access it without authorization. I don't want that to happen( I want it to be accessible for authorized users) and I'm looking for a solution ( SAS/ quick expiry token)Daniel
As an addition: blob containers are private by default, which means any files in it are private, too. If your files are accessible, this means you explicitly set the container to be publicly available. You might be looking for creating a private container and storing files there using either a Managed Identity, the correct connection string or a SAS. (be advised, there are some interesting search terms in there 😉)rickvdbosch

1 Answers

1
votes

Thank You rickvdbosch for providing your suggestion in comment and I am converting as an answer to help other community member.

Make container as private and storing files there using either a Managed Identity or Access Token and SAS.

There are many ways you can protect your blob storage accessible from public.

  1. You can use role-based access control to limit which users are allowed to use the account, and what actions they can perform.
  2. Unlike a shared access signature (SAS), AAD authentication doesn’t have a hard expiry date. As long as an AAD identity (user, service principal, etc) has the correct permissions, it can always connect to the storage account. Similarly, you can easily revoke access by removing the necessary permissions from the identity.

Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

Another way is SAS’s are basically a URI with query parameters that specify options such as the expiration time, permissions, and a signed signature. Using SAS Can control access to containers and blobs.

Reference : https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview