2
votes

Is there a configuration in Azure Blob storage that lets you link to a single file (or one that lets you link to a specific 'folder' in the Azure portal interface), but redirects the viewer into a login screen if they're not already signed in?

I am not terribly familiar with Azure Blob storage yet, but I see an option for 'anonymous' access, which isn't what I want (I want them to need to be logged in and have the proper permissions for that container), and I see an option for SAS (which isn't what I want, because it grants anyone who has the link access, and is time-boxed).

https://docs.microsoft.com/en-us/answers/questions/435869/require-login-when-accessing-blob-storage-url.html

This link appears to be asking the same question, and the response says something about 'role-based authentication' - I get the concept of adding roles to users, and using those as the authorization, but even as the owner of the blob container I can't seem to just link to myservice.blob.core.windows.net/container/myfile.jpg and download it without appending a SAS key.

Nor a way to link to myservice.blob.core.windows.net/container/myfolder and have it authenticate them then take them into that 'directory' in the UI.

1
Is your storage account a regular storage account or a Data Lake Gen 2 account? You can find that by looking at "Hierarchical Namespace Enabled" property for that storage account. - Gaurav Mantri
Disabled (so I assume, 'regular'), but I just made the storage account, so if that's going to keep it from working I could just recreate it and enable that feature, unless it's a big cost difference. - ChristopherBass
Interesting question! I was about to say that it is not possible but then I read briefly about Azure role assignment conditions and it seems you should be able to accomplish this using role assignment conditions. Please give that a try. - Gaurav Mantri
Alas, I got pulled off of this onto another task, but I'll keep that in my pocket for now and update here if I get to revisit this! - ChristopherBass

1 Answer

0
votes

If the access level of the container is set to public anonymous, we can directly access the Blob Uri in the browser to access the blobs.

If the access level of the container is set to private, opening the Blob Uri in the browser doesn’t redirect the user to the login screen. Instead, it will give a ResourceNotFound error.

Even if the proper role is assigned in the Role Assignments for the blob storage, we still would not be able to access the Blob Uri from the browser without appending the SAS token, because opening the direct Blob Uri in the browser doesn't trigger the OAuth flow.

Even though it is not possible to access the blob Uri from the browser and download the files, there are other ways to accomplish this.

We can use the Azure CLI, PowerShell and the REST API to access the blob data with authenticated users.

If you want to access the blob data from the browser, we can use a function app. We can enable the function app for authentication. Then the authenticated users can access the blob data via the function app.

Reference : azure - Access a blob file via URI over a web browser using new AAD based access control - Stack Overflow
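The authenticated REST access mentioned in the answer, as an added example that is not part of the original post: the same blob URL is requested, but with the bearer token that a plain browser navigation never attaches. It assumes the Azure CLI is already signed in (`az login`) and that the identity holds a blob data role such as Storage Blob Data Reader; the function names are hypothetical, and the account, container and blob names are the ones from the question's URL.

```python
import re
import subprocess
import urllib.error
import urllib.parse
import urllib.request

STORAGE_RESOURCE = "https://storage.azure.com/"  # token audience for Azure Storage
API_VERSION = "2020-10-02"  # bearer tokens need x-ms-version 2017-11-09 or later
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")  # storage account naming rule
# Container naming rule, simplified: special containers ($root, $web) not handled.
CONTAINER_RE = re.compile(r"[a-z0-9](?!.*--)[a-z0-9-]{1,61}[a-z0-9]")


def build_blob_request(account, container, blob_path, token):
    """Build the GET a browser navigation cannot send: same URL plus a bearer token."""
    # Validate names so the token can only ever go to <account>.blob.core.windows.net.
    if not ACCOUNT_RE.fullmatch(account) or not CONTAINER_RE.fullmatch(container):
        raise ValueError("invalid storage account or container name")
    url = (f"https://{account}.blob.core.windows.net/{container}/"
           + urllib.parse.quote(blob_path, safe="/"))
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Bearer {token}",
        "x-ms-version": API_VERSION,
    })


def get_token_from_cli():
    """Ask an already signed-in Azure CLI for a token scoped to Azure Storage."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--resource", STORAGE_RESOURCE,
         "--query", "accessToken", "--output", "tsv"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def download_blob(account, container, blob_path, dest):
    """Download one blob; return the HTTP status so callers can tell failures apart."""
    req = build_blob_request(account, container, blob_path, get_token_from_cli())
    try:
        with urllib.request.urlopen(req) as resp, open(dest, "wb") as fh:
            fh.write(resp.read())
        return 200
    except urllib.error.HTTPError as err:
        # 403 here usually means the token was accepted but the identity has no
        # data-plane role on the container (for example Storage Blob Data Reader).
        return err.code


if __name__ == "__main__":
    print(download_blob("myservice", "container", "myfile.jpg", "myfile.jpg"))
```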