What is best practice when sharing a storage account container with a third party?

Steven Catlett 0 Reputation points
2024-08-08T04:25:24.5533333+00:00

We have a requirement to exchange files, securely, with a third-party.

One way to achieve this is to create a storage account with a container and generate a SAS token with permissions to read and write, providing this token to the third party. The downside is we would need to regenerate tokens when the existing token expires.

Is there a best practice for achieving this? Perhaps with a managed identity?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,090 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Deepanshukatara-6769 8,715 Reputation points
    2024-08-08T05:36:11+00:00

    Hi Steven , Welcome to MS Q&A

    To securely exchange files with a third-party using Azure Storage Account, you can follow these best practices:

    1. Shared Access Signatures (SAS): Generate SAS tokens with specific permissions (read, write) and provide them to the third party. However, you will need to regenerate tokens when they expire.
    2. Azure Role-Based Access Control (RBAC): Use Azure RBAC to grant the third party access to the storage account. This method provides more control and can be managed through Azure Active Directory (AAD).
    3. Managed Identities: Use managed identities for Azure resources to securely access Azure Storage without needing to manage credentials. This can be combined with Azure RBAC to provide secure access to the storage account.

    For more detailed information, you can refer to the following resources:

    By following these best practices, you can securely exchange files with a third-party while minimizing the need to regenerate tokens frequently.

    Please let me know if you have further questions

    Kindly accept answer if it helps

    Thanks

    Deepanshu

    1 person found this answer helpful.

  2. Sumarigo-MSFT 45,776 Reputation points Microsoft Employee
    2024-08-08T09:17:11.15+00:00

    @Steven Catlett Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    You can use Azure Key Vault to securely store the storage account key and generate SAS tokens programmatically using a managed identity.

    Here are the high-level steps to achieve this:

    1. Create an Azure Key Vault instance and store the storage account key as a secret in the Key Vault.
    2. Create an Azure Function with a managed identity and grant the identity access to the Key Vault secret.
    3. In the Azure Function, use the Key Vault SDK to retrieve the storage account key from the Key Vault secret.
    4. Generate a SAS token programmatically using the storage account key and the desired permissions.
    5. Return the SAS token to the third party.

    Other way to achieve this is to use Azure Active Directory (Azure AD) to authenticate the third party and grant them access to the container.

    Here are the high-level steps to achieve this:

    1. Create an Azure AD tenant and register your application.
    2. Grant your application permissions to access the Azure Storage API.
    3. Create a security group in Azure AD and add the third party to the group.
    4. Grant the security group access to the container in the storage account.
    5. Configure your application to authenticate the third party using Azure AD.
    6. Generate a SAS token programmatically using the storage account key and the desired permissions.
    7. Return the SAS token to the third party.

    By using this approach, you can avoid the need to regenerate tokens manually when they expire. The SAS token can be generated programmatically using the storage account key and the desired permissions.

    By using this approach, you can avoid the need to regenerate tokens manually when they expire. The Azure Function can be scheduled to run periodically to generate new tokens before the existing ones expire.

    This approach also provides an additional layer of security by keeping the storage account key in a secure location (Azure Key Vault) and using a managed identity to access it.Please let us know if you have any further queries. I’m happy to assist you further.    


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.