How to securely use Azure services from an untrusted client?

Paul Marsh 1 Reputation point
2020-08-23T11:02:31.973+00:00

Let's say I have a simple client Console App that I want to sell to the public. It's going to access an Azure service, let's say Table Storage. How do I secure the keys to Table Storage? It seems like it's impossible to do with just the client app? I hoping there would be a login service that would provide a rolling tamper/anti-forgery key or something like that? Seems like we have a secure Azure service a missing middle part and a client SDKs. Have I missed something?
NB - No I don't want to use Azure AD, at least not for the users, for the App maybe. No I don't want to just use a Shared Key, that really isn't secure.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,310 questions
Azure Table Storage
Azure Table Storage
An Azure service that stores structured NoSQL data in the cloud.
170 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,919 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Showndarya Madhavan 346 Reputation points
    2020-08-23T12:30:55.533+00:00

    Hi @Paul Marsh ,

    One option to secure the keys and connection strings to your azure services would be to use Azure Key Vault to store it as secrets. You can also store it as keys in the Key Vault if you want encryption.

    Then you can maintain the mappings between the service key names and the Key Vault secrets/keys names in Table Storage. You can then have a service in your application that will access the table to get the Key Vault secret names and access the Key Vault to get the secrets during runtime if you have set the required access policies.

    Link: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates.

    Hope this helps!

    1 person found this answer helpful.

  2. sadomovalex 3,631 Reputation points
    2020-08-28T15:53:54.077+00:00

    hello,
    as an alternative approach you may develop own middleware using Azure functions which will communicate with storage - in this case you won't need to secure connection string. Instead you may configure authentication for Azure functions which support many authentication providers except Azure AD which you don't want to use (MS ID, Facebook, Google, Twitter).
    21291-2020-08-28-18-53-20.png

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.