I am building a Node JS application that runs on different clients' on-premises hardware. I want that application to log data to my Azure storage tables. (In the future, the application may need to use other Azure services.) How should I authorise the various instances of my application to access my tables?
I'd like to have each different client restricted to different tables, and with only add and read access - no update or delete.
I'd like to be able to revoke a single client's access instantly, if required, without affecting other clients.
I considered 3 options:
I considered making a separate storage account for each client, and giving the client an access key for that account. But this would give full access (including update and delete).
I considered creating a Stored Access Policy (SAP) for each client, and then creating a Shared Access Signature (SAS) on the policy. The client could connect with the Shared Access Signature (as described here). The main disadvantage I see with this is that if I want the client's application to have access to several tables, I would need a separate SAP and SAS for each table. I think this adds management overhead.
Since an app is another form of identity, I considered registering an app to create an identity for each instance of my software. But I wasn't sure how to (a) get the application to pass credentials to azure storage or (b) grant authority to the app to read/add to the table.
In AWS, I have solved this problem by creating IAM Users. The keys are made accessible to the Node JS code through environment variables.
But in Azure, my organisation has an Active Directory, and I am not an administrator for that directory. I don't see how to create Azure Users for the purpose of accessing my tables without being an administrator.
Does anyone have any thoughts or advice?
As you mentioned, there is no SAS token for each table. In your case, I recommend that you give a separate storage account to each client with a SAS token, not full access.
Authenticating access to Azure Table is not supported currently. Azure AD integration is available for the Blob and Queue services only in the preview.
For more information about Authenticating access to Azure blobs and queues using Azure Active Directory (Preview), please refer to the Azure official document.