Does Azure support Aws STS kind of feature ?

Akhilesh Verma 1 Reputation point
2020-12-10T07:32:13.127+00:00

Hi,

I have a use case where i need to isolate user to access a specific storage blob in a single storage account.
Does Azure support STS kind of feature like AWS has to isolate user who are not has Azure account ?

Any leads would be appreciated.!!

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,470 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 43,911 Reputation points Microsoft Employee
    2020-12-11T06:57:05.033+00:00

    @Akhilesh Verma As I understand: You need to restrict a user to access a specific container in an Azure Storage BLOB? If I am wrong please correct.

    This option is not available yet! If you wish you may leave your feedback here All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    I would recommend, please refer to this link which provides you how RBAC and built-in roles works

    However, If your customer doesn't have the azure account still he can view the document/File & more from the storage account by providing the roles and by adding their account

    47324-storage.gif

    To allow blob public access on the storage account, you can see the guideline: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent

    For other built-in Azure policies on storage including a private link, you can refer: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#storage

    Additional information: Authorizing access to data in Azure Storage

    However Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see Using shared access signatures (SAS).

    Generate and distribute SAS tokens with read/write privileges. This will give a Url which expires at a given point in time. You can do all this through the portal, through code, or by using context menus within Azure Storage Explorer. Here is a sample of how to do it with code.

    Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob with Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against Blob or Queue storage. Authorize access to blobs and queues using Azure Active Directory

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. Akhilesh Verma 1 Reputation point
    2020-12-11T07:21:08.837+00:00

    Yes. You understand it right. I need to restrict user for specific container in same storage account.
    I have alternate idea, not sure if this work:

    I can register Azure AD app for each user, which will give me different client ID and Secret, then will create Service Account and assign "Storage Blob Data Contributor", which may restrict user to their specific container.

    This is again just theory based on research i did, not sure if this work. I am thinking to do little POC for the same.

    Please let me know if this idea looks good to you ?


  3. Sumarigo-MSFT 43,911 Reputation points Microsoft Employee
    2020-12-11T08:24:41.163+00:00

    @Akhilesh Verma If you provide "Storage Blob Data Contributor" still the customer will have access to the complete container, not to specify a folder.
    Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

    As of today, No. As you mentioned, SAS token can be used to restrict access to either an entire blob container or an individual blob. This is because a folder in blob storage is virtual and not a real folder.

    If you are looking for this specific feature I would recommend to post your feedback here All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    0 comments No comments