Verify if logged-in user has access to accessed Azure resource through link?

Daniel Avadanei 41 Reputation points
2022-03-31T10:44:16.827+00:00

I have a web platform that shares images and videos stored on Azure Blob. Users can access these resources through the SAS links that I provide to them. I want to be able, once a user accesses a blob resource through a link in a browser, to check on a database server whether the accessed resource belongs to that user, and only if it belongs to that user to deliver the blob. Currently the checking is being done using the information stored in the link, but the link can be copied and distributed. I would want to check if the current user that is logged in to the application has access to the resource; this way, if a user is not logged in to the app, or is logged in but does not have access to the resource, they cannot access the blob even if they have the link. How can this be done in Azure?


1 answer

    Sumarigo-MSFT 46,286 Reputation points Microsoft Employee
    2022-04-11T05:55:47.873+00:00

    @Daniel Avadanei If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.

    It is not possible to get the list of SAS URLs because they are not stored anywhere in Azure Storage.

    Is there a way to pull what SAS keys are being used to access a Storage Account?

    You enabled the Azure activity log, which logs management plane operations, for example, creating a storage account or updating a property of a storage account. It doesn't help you as you try to analyze the data requests to the storage account. You should use Storage analytics logs: https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=/azure/storage/blobs/toc.json

    However, I don’t see the direct solution to figure out the actual SAS token and the mapping with SAS policy.

    There are two upcoming features that might address general concerns on SAS. One is that we are adding a hash of the SAS in the new logging integration with Azure Monitor. Another is that we are going to add a SAS expiry policy to warn when the expiry is longer than the configured time.

    This SO thread gives information on which user has performed any action on your Azure storage account: Monitoring Azure Blob storage

    Note: When creating a SAS, specify only those permissions that are required by the client to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.
    If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.

    Please let us know if you have any further queries. I’m happy to assist you further.

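The pattern the question is asking for, as an added example that is not part of the original question, the answer, or any Microsoft code: the application authenticates the user itself, checks ownership in its own database, and only then hands out a short-lived, user-bound grant for the blob. A copied grant is useless to anyone else because redemption re-checks the logged-in session, and it dies on expiry or on key rotation (the same revocation idea the answer describes for the user delegation key). The HMAC-signed grant below is a stand-in written for this example so it runs offline; in a real deployment the `issue_grant` step would instead call `generate_blob_sas` from `azure-storage-blob` with an expiry of a few minutes (or stream the blob through the backend), and the ownership table, user ids, blob names and signing key are all constructed sample data.

```python
import base64
import hashlib
import hmac
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample ownership data standing in for the platform's real database.
SAMPLE_OWNERSHIP = [
    ("media/alice/photo1.jpg", "alice"),
    ("media/bob/clip.mp4", "bob"),
]


def build_ownership_db():
    """In-memory SQLite table mapping each blob to the user that owns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blob_owner (blob_name TEXT PRIMARY KEY, user_id TEXT NOT NULL)")
    conn.executemany("INSERT INTO blob_owner VALUES (?, ?)", SAMPLE_OWNERSHIP)
    return conn


def user_owns_blob(conn, user_id, blob_name):
    """Ownership check against the database, not against anything in the link."""
    row = conn.execute(
        "SELECT 1 FROM blob_owner WHERE blob_name = ? AND user_id = ?", (blob_name, user_id)
    ).fetchone()
    return row is not None


def _signature(blob_name, user_id, expiry, signing_key):
    msg = f"{blob_name}\n{user_id}\n{expiry}".encode()
    return base64.urlsafe_b64encode(hmac.new(signing_key, msg, hashlib.sha256).digest()).decode()


def issue_grant(conn, session_user, blob_name, signing_key, now, ttl_seconds=300):
    """Called by an authenticated endpoint. Returns a grant only for the blob's owner.

    The grant binds blob, user and expiry under an HMAC so none of them can be edited.
    (Stand-in for minting a short-expiry SAS with generate_blob_sas after this check.)
    """
    if session_user is None or not user_owns_blob(conn, session_user, blob_name):
        return None
    expiry = int((now + timedelta(seconds=ttl_seconds)).timestamp())
    return {
        "blob": blob_name,
        "user": session_user,
        "exp": expiry,
        "sig": _signature(blob_name, session_user, expiry, signing_key),
    }


def verify_grant(grant, session_user, signing_key, now):
    """Redemption check: the grant must be intact, unexpired, and presented by its own user."""
    if grant is None or session_user is None or grant.get("user") != session_user:
        return False
    if now.timestamp() >= grant.get("exp", 0):
        return False
    expected = _signature(grant["blob"], grant["user"], grant["exp"], signing_key)
    return hmac.compare_digest(expected, grant.get("sig", ""))


def run_scenarios(now=None):
    """Exercises the cases from the question: owner, non-owner, anonymous, copied link."""
    now = now or datetime(2022, 3, 31, 10, 44, tzinfo=timezone.utc)
    conn = build_ownership_db()
    key = b"constructed-demo-signing-key"  # assumption: kept server-side, rotated to revoke
    grant = issue_grant(conn, "alice", "media/alice/photo1.jpg", key, now)
    later = now + timedelta(seconds=60)
    return {
        "owner_gets_grant": grant is not None,
        "non_owner_denied": issue_grant(conn, "bob", "media/alice/photo1.jpg", key, now) is None,
        "anonymous_denied": issue_grant(conn, None, "media/alice/photo1.jpg", key, now) is None,
        "owner_can_redeem": verify_grant(grant, "alice", key, later),
        "copied_link_rejected": not verify_grant(grant, "bob", key, later),
        "logged_out_rejected": not verify_grant(grant, None, key, later),
        "expired_rejected": not verify_grant(grant, "alice", key, now + timedelta(seconds=600)),
        "tampered_rejected": not verify_grant({**grant, "blob": "media/bob/clip.mp4"}, "alice", key, later),
        "revoked_by_key_rotation": not verify_grant(grant, "alice", b"rotated-key", later),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that the browser link never carries the authorization decision: the database lookup happens on every issue, the session identity is re-checked on every redemption, and a long-lived or account-wide SAS never leaves the server.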
