Magnus Gladh

Reputation: 1877

Restrict permissions when a client creates a SAS token for a blob storage

I have a blobstorage where I drop files for an external partner to list the files and read them. I thought that a SAS token would be a perfect way for the external partner to access the container and read the file(s).

So I created a SAS token and realized that if I don't want to create new SAS tokens every 10 minutes and send them to the partner, I need to set the expiry date of the token far into the future, and that is not good if the SAS token is leaked, or because the day the token expires the solution will stop working.

So to fix that I could let the client create a SAS token by giving them an access key and account name, using the StorageSharedKeyCredential class. That works great, maybe too great, since it's now the client that decides what permissions the SAS token should have. So the client might now upload files, create containers, etc.

So my question is: Is there any way to restrict what kind of permissions the SAS token has when the client creates the SAS token, so our external partner can only read/list files in a specific container that I have decided?

Best regards, Magnus

Upvotes: 0

Views: 1009

Answers (2)

ShrutiJoshi-MT

Reputation: 1823

To give a specific container permission, you can do the following:

Find your container, select Access Policy under the Settings blade, and click Add Policy. Select the permissions which you want to give this specific container. Also, the public access level is container level. You could refer to the thread which discussed a similar issue.


And also look at how RBAC works on Azure Storage. Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

You can grant the right to create a user delegation key separately from the right to the data.

Get User Delegation Key (https://learn.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key) is performed at the account level, so you must give this permission with something like the Storage Blob Delegator built-in role at the scope of the storage account.

You can then grant just the data permissions the user should have, using one of these 3 built-in roles at the scope of the blob container:

Storage Blob Data Contributor

Storage Blob Data Owner

Storage Blob Data Reader

The user delegation SAS can then be generated to grant a subset of the user's permissions for a limited time, and can be granted for an entire blob container OR for individual blobs. For more details you may check this thread.

And you have to use VNet rules in the storage firewall or trusted access to storage to restrict access for clients in the same region.

You may check these links:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-blob

Upvotes: 0

Jim Xu

Reputation: 23111

Regarding the issue, I think you want to know how to create a service SAS token. If so, please refer to the following code.

using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

// StorageSharedKeyCredential requires the account name and account key.
StorageSharedKeyCredential credential = new StorageSharedKeyCredential("{account_name}", "{account_key}");
BlobContainerClient containerClient = new BlobContainerClient(
    new Uri("https://{account_name}.blob.core.windows.net/{container_name}"), credential);

BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
    BlobContainerName = containerClient.Name,
    Resource = "c"   // "c": the SAS covers the whole container
};

sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
// Combine the flags in one call: SetPermissions replaces the current value rather than adding to it.
sasBuilder.SetPermissions(BlobContainerSasPermissions.Read | BlobContainerSasPermissions.List);
Uri sasUri = containerClient.GenerateSasUri(sasBuilder);

Upvotes: 1
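An added example, not code from this thread, that puts the two answers together: a short-lived service SAS limited to read and list on one container (HTTPS only), and a variant bound to a stored access policy so the issuer can revoke it server-side. Account name, key and the container name "partner-drop" are placeholders; it assumes Azure.Storage.Blobs 12.x.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;
// Added example, not code from this thread. Account name, key and container are placeholders.
public static class PartnerSas
{
    // Our side holds the account key; the partner only ever receives SAS URIs.
    static readonly StorageSharedKeyCredential Cred =
        new StorageSharedKeyCredential("<account-name>", "<account-key>");
    static readonly BlobContainerClient Container = new BlobContainerClient(
        new Uri("https://<account-name>.blob.core.windows.net/partner-drop"), Cred);

    // Short-lived SAS: read + list on this one container, HTTPS only.
    public static Uri ShortLivedReadListSas(TimeSpan lifetime)
    {
        var sas = new BlobSasBuilder
        {
            BlobContainerName = Container.Name,
            Resource = "c",                                   // whole container, not a single blob
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),  // tolerate clock skew
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),
            Protocol = SasProtocol.Https,
        };
        // One call with combined flags: SetPermissions replaces the current value.
        sas.SetPermissions(BlobContainerSasPermissions.Read | BlobContainerSasPermissions.List);
        return Container.GenerateSasUri(sas);
    }

    // Revocable SAS: permissions and expiry live in a stored access policy on the
    // container, so changing or deleting the policy invalidates every token issued against it.
    public static Uri PolicyBoundSas(string policyId, DateTimeOffset policyExpiry)
    {
        Container.SetAccessPolicy(PublicAccessType.None, new[]
        {
            new BlobSignedIdentifier
            {
                Id = policyId,
                AccessPolicy = new BlobAccessPolicy { PolicyExpiresOn = policyExpiry, Permissions = "rl" }
            }
        });
        var sas = new BlobSasBuilder { BlobContainerName = Container.Name, Resource = "c", Identifier = policyId };
        return Container.GenerateSasUri(sas);
    }

    // Check a token before handing it out. Policy-bound tokens carry no "sp" field themselves.
    public static string PermissionsOf(Uri sasUri) => new BlobUriBuilder(sasUri).Sas?.Permissions ?? "";
}
```

For the short-lived variant, PermissionsOf returns "rl"; for the policy-bound one the permissions are looked up from the container's policy at request time, which is what makes revocation possible.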
