How to name Windows Azure SharedAccessBlobPolicy keys

Question

I'm trying to give some 3rd parties access to my azure Blob container. I want them to be able to read any files within the container.

I'm using the below code after following guidance from http://www.windowsazure.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-2/

However I want to create different keys for the different 3rd parties.

e.g. One Key which I will share with say companyA Another key which I will share with say companyB

Is there anyway I can name these keys e.g. keyCompanyA, keyCompanyB

The reason I want to give them sensible names is if our agreement with CompanyA expires I can just move in and delete that key.

public Void CreateAccessKeyBlob()
{

    const string accountName = "myAccountName";
    const string primaryAccessKey = "myAccessKey";

    var conn = string.Format("DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}", accountName, primaryAccessKey);

    var storageAccount = CloudStorageAccount.Parse(conn);

    //Create the blob client object.
    var blobClient = storageAccount.CreateCloudBlobClient();

    //Get a reference to a container to use for the sample code, and create it if it does not exist.
    var container = blobClient.GetContainerReference("myContainer");

    var sasConstraints = new SharedAccessBlobPolicy
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddYears(50),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List
    };

    //Generate the shared access signature on the container, setting the constraints directly on the signature.
    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    Console.ReadLine();
}

Answer 1

Unfortunately, I think you have a few misunderstandings about how Shared Access Signatures.

A shared access signature is (simply put) a digitally signed permissions slip to access a set of resources. The signature if based on the parameters (area, type of access, start/end time, etc...) that are included as query string parameters in the URL. We then generate and append a 'signature' which is a hash of these parameters and the "secret key" for the storage account.

As such, the only real differentiation between two signatures is the parameters used in its creation.

Once a signature it generated, it can't be revoked. However, if the signature was based on a storage account access policy (basically a short-cut for assigning share access signature parameters), the signature will be invalid if that policy is removed. This is because the policy was a parameter associated with the signature and once that policy has been removed, the signature of course can't be validated.

Now you might think you could then set up different policies for each customer. But... there's a limit on the number of policies that can be associated with a storage account (5 last I checked). So this really doesn't scale to support multi-tenant solutions.

Now another key point is that the "key" mentioned in the code you shared is the WA Storage Account key. There's only 2 of these and they're generated for you by the system. These should NEVER be shared with anyone that doesn't need full administrative rights to the entire storage account. What you're really sharing with your customers is the signature we discussed previously.

All this said, and without knowing more details about your scenario requirements, I'd recommend you explore using a façade or gatekeeper style pattern. With the façade, you stand up a service that authenticates/authorizing requests and then retrieves the requested content from storage. This approach allows you to introduce concepts like caching into the calls as well as the aggregation of results for more complex request types. A gatekeeper pattern in this case would also be fairly simple, generating shorter time shared access signatures (hours/days instead of weeks/months). The user would present some type of credential which you could then compare against your DB to determine if they get a shared access signature or not.

I hope this helps. :)