Azure Storage Authorization

Each time a HTTP/HTTPs request is made to Azure Storage, access must be authorized to ensure that the client has the right permission required to access that data. Azure Storage offers these options for authorizing access to secure resources:

  • Azure Active Directory (Azure AD) integration for blobs and queues.
  • Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key.
  • Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide time limited access to resources in a storage account.
  • Anonymous public read access for containers and blobs. Authorization is not required.

Although you can use any of the authorization strategies outlined above to grant clients access to resources in your storage account, Microsoft recommends using Azure AD when possible for maximum security and ease of use.

 

Azure Active Directory (Azure AD) integration

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC) on the IAM blade of the Storage account. Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

Shared Key authorization

When a storage account is created, two 512bit storage account access keys are also generated by Azure. These keys can be used to authorize access to your storage account via Shared Key.

To view these keys as well as rotate them in the portal, within the storage account select Access Keys under Settings. Rotating the keys can be done by clicking the rotate button

Use Get-AzStorageAccountKey view the keys in PowerShell

Shared access signatures

A shared access signature (SAS) provides you with a way to grant time limited access to objects in your storage account to other clients, without sharing the account key.

To create a Shared access signature in the portal, within the storage account click on the Shared access signature. Select the required options, permissions and time limit and click on Generate SAS and connection string. This then outputs a SAS token and different connection strings for blobs, files, queues, and tables.

Leave a Reply