Reputation: 9076
I have data stored in Azure Table Storage and want to secure it such that only my API (a function app) can read and write data.
What is best practice and how can I do this? I thought setting --default-action on the network rules to Deny for the Storage, plus adding a --bypass Logging Metrics AzureServices would shut down access but enable my Azure services, but this did not work.
I then looked at creating a Managed Service Identity (MSI) for the function app and adding RBAC to the Storage Account, but this did not work either. It doesn't look like MSIs are supported for Table Storage: Access Azure Table Storage with Azure MSI
Am I missing or misunderstanding something? How do I secure the data in the tables in the Storage account, and is this even possible?
Upvotes: 0
Views: 606
Reputation: 13
For securing Azure Table Storage data, you can do the network configurations below -
Upvotes: 0
Reputation: 20127
As the link you provided says, Azure Table Storage does not support Azure MSI, and it only supports Shared Key (storage account key) and shared access signature (SAS).
You must use Shared Key authorization to authorize a request made against the Table service if your service is using the REST API to make the request.
To encode the signature string for a request against the Table service made using the REST API, use the following format:
StringToSign = VERB + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Date + "\n" +
CanonicalizedResource;
You can use Shared Key Lite authorization to authorize a request made against any version of the Table service.
StringToSign = Date + "\n" +
CanonicalizedResource;
For more details, you could refer to this article.
Upvotes: 0
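The two string-to-sign formats in the answer above, worked through as an added example (not code from the answer or from an Azure SDK): it builds the Table service CanonicalizedResource and the Authorization header value using HMAC-SHA256 keyed with the base64-decoded account key. The function names are hypothetical, and the account name, key, URL and date are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse


def canonicalized_resource(account: str, url: str) -> str:
    """Table service form: /<account><encoded path>, plus ?comp=... if present.
    No other query parameters are included."""
    parsed = urlparse(url)
    resource = f"/{account}{parsed.path}"
    comp = parse_qs(parsed.query).get("comp")
    if comp:
        resource += f"?comp={comp[0]}"
    return resource


def sign_hmac_sha256(key_b64: str, string_to_sign: str) -> str:
    """Base64(HMAC-SHA256(base64-decoded key, UTF-8 string-to-sign))."""
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def shared_key_header(account, key_b64, verb, url, date,
                      content_md5="", content_type=""):
    """Shared Key: VERB, Content-MD5, Content-Type, Date, CanonicalizedResource."""
    string_to_sign = "\n".join([verb.upper(), content_md5, content_type, date,
                                canonicalized_resource(account, url)])
    return f"SharedKey {account}:{sign_hmac_sha256(key_b64, string_to_sign)}"


def shared_key_lite_header(account, key_b64, url, date):
    """Shared Key Lite: Date and CanonicalizedResource only."""
    string_to_sign = f"{date}\n{canonicalized_resource(account, url)}"
    return f"SharedKeyLite {account}:{sign_hmac_sha256(key_b64, string_to_sign)}"


if __name__ == "__main__":
    # Constructed sample values; a real key comes from the storage account.
    ACCOUNT = "myaccount"
    KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()
    URL = "https://myaccount.table.core.windows.net/Customers?$top=5"
    DATE = "Mon, 01 Jan 2024 00:00:00 GMT"  # must equal the Date/x-ms-date header sent
    print(shared_key_header(ACCOUNT, KEY, "GET", URL, DATE,
                            content_type="application/json"))
    print(shared_key_lite_header(ACCOUNT, KEY, URL, DATE))
```

The date that is signed has to be the same string that goes out in the request's date header, otherwise the service computes a different signature and rejects the request.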