Azure Shared Access Signatures To Restrict Access

StackOverflow https://stackoverflow.com/questions/16902618

Question

We are just starting to use Azure and I'm trying to get a handle on some security issues.

We are developing a web app that is mostly javascript. We want to store the javascript in in blob storage / CDN. But until we release it we only want our office to have access. I understand that I can't create a firewall rule for Azure blob, so restricting access to our office IP is out.

From what I have read Shared Access Signatures might be the way to go. Can someone confirm that this is a valid direction to go? Also, can someone point out what mechanism I should be looking at to restrict access to these containers. i.e. a way to restrict the tokens to only our devs.

I know this may come across as weak, but I really have no clue how MS does things coming from a purely *nix world. All the tutorials have are a few lines of code saying how to access stuff using SAS but not much on setting up the policies in the first place. Also, will this approach work with CDN?

Was it helpful?

Solution

Shared Access Signatures are implemented as querystrings containing valid from/to times on the link, along with a hash.

You can create a SAS on any blob via any language. Here's a Java tutorial, for example. At this point, you can embed the resultant link into your web page. Should work just like a regular url.

SAS isn't going to work against CDN, as CDN is only for public blobs.

OTHER TIPS

My understanding from the “Overview of the Windows CDN” page on MSDN is that only blobs that are publically available can be cached with the Windows Azure CDN. To make a blob publically available for anonymous access, you must denote its container as public. Once you do so, all blobs within that container will be available for anonymous read access.

If the public access to the container is set to enable read access then any anonymous using having the url to the blob container can read all blobs in that container. READ access does not automatically give WRITE, DELETE, or LIST access to the container.

If the blob container is public, then also creating a shared access signature or stored access policy won’t prevent that public access. If you want to control access to the container using shared access signature or stored access policy then you must set public access to OFF. This is discussed in “Controlling Access to Windows Azure Blob Containers with Java” and elsewhere on MSDN.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top