I am trying to limit access to Azure blobs. I presently can provide a link that is time restricted to 5 minutes using a Shared Access Signature. However, I am just wondering if there is any mechanism to require more security, such as an IP address?
If not, I assume I just have to make the client go via a web role and then check there?
Update: This is supported now! Details above on Best Answer. The rest is still of interest so left it in.
N̶o̶ ̶I̶P̶ ̶f̶i̶l̶t̶e̶r̶s̶ ̶s̶u̶p̶p̶o̶r̶t̶e̶d̶ ̶d̶i̶r̶e̶c̶t̶l̶y̶ ̶-̶ ̶o̶f̶ ̶c̶o̶u̶r̶s̶e̶ ̶y̶o̶u̶ ̶c̶a̶n̶ ̶d̶o̶ ̶t̶h̶i̶s̶ ̶i̶n̶ ̶y̶o̶u̶r̶ ̶o̶w̶n̶ ̶W̶e̶b̶ ̶R̶o̶l̶e̶ ̶a̶s̶ ̶y̶o̶u̶ ̶s̶u̶g̶g̶e̶s̶t̶.̶ But this is why you should be confident with Shared Access Tokens*:
The only way that SAS blob URL could get mass published and attacked in 5 mins is if there was malicious intent from the recipient. So whatever the method of securing it (e.g. IP restriction) you would be vulnerable because you have given an attacker access. They could just download the data and publish that instead if it was IP restricted.
The shared access token combined with the timeout really prevents brute force attacks guessing the URL or any carelessness in leaving it lying about in an unsecured location over time.
So as long as you trust the person you are sharing with and you transport it to them in a secure manner you are fine.
*in most scenarios
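To illustrate the IP restriction the update above refers to, here is an added example (not code from the original post or from Microsoft) that builds a read-only, HTTPS-only blob SAS with the 5-minute expiry from the question plus a `sip` field. It assumes the service SAS string-to-sign layout of storage service version 2015-04-05; the function name, account, key, container, blob and IP address are constructed placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

SAS_VERSION = "2015-04-05"  # assumed: service version whose SAS accepts sip and spr
# Constructed demo key, not a real storage account key.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()


def make_blob_sas(account, key_b64, container, blob, client_ip, minutes=5, now=None):
    """Return a read-only blob SAS URL bound to client_ip, HTTPS and a short expiry."""
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Every field is signed, including the empty ones, so a recipient cannot
    # widen the IP range, extend the expiry or drop the HTTPS requirement.
    string_to_sign = "\n".join([
        "r",                                    # signedpermissions: read only
        "",                                     # signedstart: valid immediately
        expiry,                                 # signedexpiry
        f"/blob/{account}/{container}/{blob}",  # canonicalizedresource
        "",                                     # signedidentifier: no stored policy
        client_ip,                              # signedIP: address or start-end range
        "https",                                # signedProtocol
        SAS_VERSION,                            # signedversion
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct
    ])
    digest = hmac.new(base64.b64decode(key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    query = urlencode({
        "sv": SAS_VERSION, "sr": "b", "sp": "r", "se": expiry,
        "sip": client_ip, "spr": "https",
        "sig": base64.b64encode(digest).decode(),
    })
    return f"https://{account}.blob.core.windows.net/{container}/{quote(blob)}?{query}"


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the client's IP.
    print(make_blob_sas("exampleacct", DEMO_KEY, "docs", "report.pdf", "203.0.113.10"))
```

The storage service compares `sip` with the source address it sees, so a client behind NAT or a proxy has to be listed by its public egress address.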