I am working in an Azure Storage Static Website. This website is publicly available and is intended to perform operations against Azure Storage (manage multimedia - crud actions). I am afraid that since it is a client-side app, anybody can use the code to perform unintended operations against the storage account. Any thoughts how can i protect the app against this? Also i am looking for a solution to avoid hardcoded keys/SAS tokens to have permission for the operations against the storage account. I was thinking about using the managed service identity. Anyone had experience with it, since it is in preview mode?
You should definitely not put keys or SAS tokens client-side. As you say, anybody can obtain this and get access to the storage account. One solution is to use an HTTP-triggered serverless function to generate a SAS token as needed. Then you can issue a time-limited SAS to only the resources you want to be publicly accessible. The below tutorial shows how to do this.