In the last post, we discussed the concepts behind the valet key pattern. In this post, I will walk through how to perform this operation on Azure.
In Azure, we can accomplish the creation of temporary access by use of shared access signature (SAS) tokens. You can read more about these tokens here (https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1)
Please NOTE: In a previous post, I mentioned that SAS tokens were container level elements. In fact, I was wrong about this. At time of writing, SAS Tokens can be implemented at the container level, the account level, or the blob level.
Therefore, if you grant read access to a token, that token allows for reading of all objects inside the target container. SAS tokens have the following useful parameters:
Start Time - The time at which the token will become effective
End Time - The time at which the token will expire
Permissions - The grants to be allocated with the token
IP - The IP (or range) from which the token will be accepted
Protocol - The types of protocols allowed for use by the token (in this case, HTTP or HTTPS)
SAS tokens are effectively a set of key-value pairs that are passed on the query string (general) and are accompanied by a signature. This means that SAS tokens can be guaranteed to provide integrity of the message (IE: properties cannot be changed by the users) but do not provide confidentiality (the user can read and interpret the access granted).
It is important to note that SAS tokens do not need to specify all the parameters above. In some cases, you can link a SAS Token with a SAS policy. The SAS policy is simply the representation of the parameters, and the SAS Token simply has a reference to the policy it was created with. In general, the recommendation is to use policies (which help to act as a revocation list in the case of long running SAS tokens).
So let’s generate a SAS token for access to a private blob. Here is my current storage account setup.
I want to access the blah blah.docx file in a private container. Here are the steps (using powershell):
Obtain the context for a storage account
$account = Get-AzStorageAccount -Name shamblah2 -ResourceGroupName shamblah2 $context = $account.Context
Obtain a SAS token for a given blob
$token = New-AzureStorageBlobSASToken -Container blah -Blob "blah blah.docx" -StartTime (Get-Date).AddHours(-1) -ExpiryTime (Get-Date).AddHours(4) -Permission r -Protocol HttpsOnly -context $context
Provide token to downstream user/process
The token that was provided looks like this:
You can then just add it to your url that you would like to access. Like so:
Hitting that will allow you to access the file for 4 hours after the token was created.
If you try and access the blob afterwards, or use the key for some other blob/account, you get the following:
In the next post, we will cover how to do this with AWS.
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation