Tags: azure, electron, azure-blob-storage, azure-storage

Using Azure Storage Safely in an Electron Application


I'm building a video sharing application for recording and sharing gaming clips. I've recently added cloud storage as a feature where I am using the Azure SDK for Node to interact with a storage account where videos and metadata are uploaded. It all works nicely so far. My goal is to sell the cloud hosting feature for a small monthly subscription.

The electron client takes a storage account name and access key. It has free rein over the storage account and can upload as much as it likes with no limit. That scares me as I don't want to get hit with a big Azure bill.

I assumed there would be controls in Azure to create less privileged storage accounts and/or containers with size limits imposed. However, none of that seems to exist.

So my question; how can I safely distribute credentials to my users that allow for limiting reading and writing to an Azure storage account?

It seems like I could setup an authentication server that acts as a proxy for every request to my Azure storage account using the signing mechanisms in Azure, but it feels like that's overcomplicating what seems to be a basic use case? If there is no neat solution, do other cloud providers offer something suitable?


Solution

  • The electron client takes a storage account name and access key. It has free rein over the storage account and can upload as much as it likes with no limit. That scares me as I don't want to get hit with a big Azure bill.

    You are correct in your understanding. Not only does the account key give complete control over a storage account, it also creates a big challenge if you were to replace the account key for some reason (all of your users would need to download a new version of the application).

    I assumed there would be controls in Azure to create less privileged storage accounts and/or containers with size limits imposed. However, none of that seems to exist.

    That's correct. It is not possible to create less privileged accounts or impose size restrictions on containers out of the box. This is something you would need to handle on your own.

    So my question; how can I safely distribute credentials to my users that allow for limiting reading and writing to an Azure storage account?

    Please look into Shared Access Signature feature of Azure Storage. It allows you to create SAS URLs that give the users time-bound, permission-restricted access to your Storage Account.

    You would still need to implement a proxy. The responsibility of this proxy would be to generate SAS tokens. Depending on the control and security you want, you can implement this proxy in two ways:

    1. Control upload through this proxy: Basically your users would always have to go through this proxy. When they try to upload something, they would be sending the content to your proxy first. The content will get validated and from there it will be written to Azure Storage.

    The downside of this approach is that everything gets routed through this proxy and you may need a much more robust infrastructure to handle users' requests, but it is much more secure and gives you a lot of control.

    2. Use proxy for generating SAS tokens: You can use this proxy to generate just the SAS tokens. The way it would work is that when the user tries to upload something in your application, you would send that data's metadata (e.g. file name, file type, size etc.) and you would do some validation (e.g. the size does not exceed prescribed limits, or the file type is one of the supported types etc.). Once the validation is successful, you would generate a SAS URL and send that back to your application. If the validation fails, you return an error instead. Your application code would then use this SAS URL to directly upload the content to Azure Storage.

    However, please keep in mind that SAS URLs can be misused. For example, a user can send you the information about a small file, get the SAS URL and somehow use that URL to upload some other file. You would need to protect your application against such use cases.

    You may find this link helpful regarding best practices when using SAS: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#best-practices-when-using-sas.