Does Azure support Aws STS kind of feature ?

Question

Hi,

I have a use case where i need to isolate user to access a specific storage blob in a single storage account.
Does Azure support STS kind of feature like AWS has to isolate user who are not has Azure account ?

Any leads would be appreciated.!!

Answer 1

@Akhilesh Verma As I understand: You need to restrict a user to access a specific container in an Azure Storage BLOB? If I am wrong please correct.

This option is not available yet! If you wish you may leave your feedback here All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

I would recommend, please refer to this link which provides you how RBAC and built-in roles works

However, If your customer doesn't have the azure account still he can view the document/File & more from the storage account by providing the roles and by adding their account

To allow blob public access on the storage account, you can see the guideline: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent

For other built-in Azure policies on storage including a private link, you can refer: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#storage

Additional information: Authorizing access to data in Azure Storage

However Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see Using shared access signatures (SAS).

Generate and distribute SAS tokens with read/write privileges. This will give a Url which expires at a given point in time. You can do all this through the portal, through code, or by using context menus within Azure Storage Explorer. Here is a sample of how to do it with code.

Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob with Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against Blob or Queue storage. Authorize access to blobs and queues using Azure Active Directory

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

------------------------------------------------------------------------------------------------------------------------------------

Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Yes. You understand it right. I need to restrict user for specific container in same storage account.
I have alternate idea, not sure if this work:

I can register Azure AD app for each user, which will give me different client ID and Secret, then will create Service Account and assign "Storage Blob Data Contributor", which may restrict user to their specific container.

This is again just theory based on research i did, not sure if this work. I am thinking to do little POC for the same.

Please let me know if this idea looks good to you ?

Answer 3

@Akhilesh Verma If you provide "Storage Blob Data Contributor" still the customer will have access to the complete container, not to specify a folder.
Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

As of today, No. As you mentioned, SAS token can be used to restrict access to either an entire blob container or an individual blob. This is because a folder in blob storage is virtual and not a real folder.

If you are looking for this specific feature I would recommend to post your feedback here All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.