Tags: azure, azure-blob-storage, rbac, abac, azure-security

Provide access to azure blob by checking the logged user rights?


I have an ASP.NET Core app that is hosting videos and images as blobs in Azure. Right now I'm providing blob access to users by using SAS tokens with an expiry time embedded in a link. The issue is that the link can be distributed to other users that should not have access to that blob until the SAS token expires and the link is refreshed. I would like to somehow be able to check if the user that is accessing the link is logged in to the application and then to check if they have access to that particular blob. Only if the user is logged in and has access to the blob should the blob be delivered. My question is similar to this one: link. I have also read something about Azure ABAC, but it seems that it is a feature in preview and I don't know if it could help me.


Solution

  • According to Microsoft docs

    A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key, but a key advantage of using Azure Active Directory (Azure AD) with Azure Blob storage or Queue storage is that your credentials no longer need to be stored in your code.

    Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. Azure AD authenticates the security principal (a user, group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Blob storage or Queue storage.

    STEPS:

    1. Register an Azure AD application.

    2. Configure Azure application permissions: on the API permissions page, select Add a permission. Under the Microsoft APIs tab, select Azure Storage and you can see user_impersonation under delegated permissions.

    Next, grant admin consent for these permissions.

    3. Configure an RBAC role for the user: Assign an Azure role for access to blob data - Azure Storage | Microsoft Docs. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
    • A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
    • The Azure Resource Manager Reader role, at a minimum. To learn how to assign these roles to a user, please follow the instructions provided in Assign Azure roles using the Azure portal.
    4. Then get a token when the user logs in, with which you can call the API to access the Azure Storage blob. https://<account>.blob.core.windows.net is the service endpoint for a given storage account. Use this value to acquire a token for authorizing requests to Azure Blob Storage. Replace the value in brackets with the name of your storage account.

    This way access to Azure blobs can be made secure by allowing access only to logged-in users who have a specific role to access them.

    You may also check this blog on how to Secure Azure Blob Storage with Azure API Management & Managed Identities | by Marcus Tee if needed.

    References:

    1. Only allow authorized users to access blob urls in an azure storage container - Stack Overflow
    2. Authorize access to blob or queue data from a native or web application - Azure Storage | Microsoft Docs
    3. Choose how to authorize access to blob data in the Azure portal - Azure Storage | Microsoft Docs
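Added example (my own code, not part of the question or the answer above): an ASP.NET Core endpoint that ties the answer's four steps together. The app signs the user in with Azure AD, acquires a token for the Azure Storage delegated permission (user_impersonation) on that user's behalf, and streams the blob through the app, so no SAS link ever reaches the browser and a copied URL is worthless to anyone who is not signed in and assigned a data role. It assumes .NET 6+ with implicit usings, the Microsoft.Identity.Web and Azure.Storage.Blobs packages, an `AzureAd` section in appsettings.json filled in from the app registration, and the scope `https://storage.azure.com/user_impersonation` (the generic Storage scope; the per-account endpoint form from the answer's step 4 would also work). `StorageAccountUrl`, `MediaController` and the `/media/{container}/{blob}` route are illustrative names.

```csharp
// Added example: serve a blob only to a signed-in user, letting the Storage Blob Data Reader
// RBAC assignment on the storage account make the final access decision.
using Azure;
using Azure.Core;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Sign users in with Azure AD (reads the "AzureAd" config section) and allow the app to
// acquire tokens for the Storage API on the signed-in user's behalf.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(StorageApi.Scopes)
    .AddInMemoryTokenCaches();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

static class StorageApi
{
    // Delegated permission from the answer's step 2 (Azure Storage / user_impersonation).
    public static readonly string[] Scopes = { "https://storage.azure.com/user_impersonation" };
}

// Presents an already-acquired user token to the Storage SDK as a bearer credential.
sealed class UserAccessTokenCredential : TokenCredential
{
    private readonly AccessToken _token;

    public UserAccessTokenCredential(string token, DateTimeOffset expiresOn)
        => _token = new AccessToken(token, expiresOn);

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) => _token;

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => new(_token);
}

[ApiController]
[Authorize] // anonymous requests are rejected before any storage call is made
[Route("media")]
public class MediaController : ControllerBase
{
    // Placeholder: replace <account> with the storage account name (the answer's step 4 endpoint).
    private const string StorageAccountUrl = "https://<account>.blob.core.windows.net";
    private readonly ITokenAcquisition _tokens;

    public MediaController(ITokenAcquisition tokens) => _tokens = tokens;

    // GET /media/{container}/{blob path}. The blob is streamed through the app, so the
    // client never receives a URL that would work without this user's session.
    [HttpGet("{container}/{*blobName}")]
    public async Task<IActionResult> Get(string container, string blobName, CancellationToken ct)
    {
        // Token for the signed-in user; the token cache was populated at sign-in.
        var result = await _tokens.GetAuthenticationResultForUserAsync(StorageApi.Scopes);
        var credential = new UserAccessTokenCredential(result.AccessToken, result.ExpiresOn);

        // GetBlobClient escapes the blob name, so an arbitrary path segment cannot alter the URL.
        var blob = new BlobServiceClient(new Uri(StorageAccountUrl), credential)
            .GetBlobContainerClient(container)
            .GetBlobClient(blobName);

        try
        {
            var download = await blob.DownloadStreamingAsync(cancellationToken: ct);
            return File(download.Value.Content,
                        download.Value.Details.ContentType ?? "application/octet-stream");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Signed in, but no data-plane role on this account/container: RBAC denied it.
            return Forbid();
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return NotFound();
        }
    }
}
```

Two points worth noting from a defender's side. First, the `[Authorize]` attribute only answers the question's "is the user logged in?" check; the "does the user have access to this particular blob?" check is made by Azure Storage against the role assignments of the user whose token is presented, so scoping the Storage Blob Data Reader assignment to a container rather than the whole account gives per-container rather than per-account granularity. Second, because the app now holds the data path, the storage account's public access and SAS settings can be locked down (disallow anonymous blob access, stop issuing SAS links), which removes the link-sharing problem the question describes rather than merely shortening its window.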