Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

URL to access private blob in Azure Storage

We're just getting started with Azure Storage. In our scenario we upload to private blobs that we later need to access directly from our client app, e.g. images.

Is there a way to address private blobs in Azure Storage with a URL containing the access key?

Sifting through the MS docs all I could find so far is simple URL access via the blob URI, e.g. as given by the URI property of the CloudBlockBlob instance when listing blobs via the .net API.

Naturally accessing this from a web browser fails due to the blob not being public.
However, can we qualify the URL to also include the access key in order to allow authorized clients to access the blob..?

like image 940
ATV Avatar asked Nov 03 '17 08:11

ATV


People also ask

Which Azure Blob Storage generate temporary public URL for private file?

Node js - Azure blob storage generate temporary public url for private file. - Arjunphp Node js – Azure blob storage generate temporary public url for private file.

How do I access Azure Blob data from the Azure portal?

To access blob data from the Azure portal using your Azure AD account, both of the following statements must be true for you: You have been assigned either a built-in or custom role that provides access to blob data. You have been assigned the Azure Resource Manager Reader role, at a minimum, scoped to the level of the storage account or higher.

How do I restrict access to my storage account in azure?

Storage account owners can manage consent requests and the private endpoints, through the ' Private endpoints ' tab for the storage account in the Azure portal. If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny or control access through the public endpoint.

Can I use a private link for only one Azure storage account?

So if you choose to use a private link for only one account (either the source or the destination), make sure that your client has network access to the other account. To learn about other ways to configure network access, see Configure Azure Storage firewalls and virtual networks.


Video Answer


2 Answers

You can generate an SAS URL and token for the private blob. Here's the process for generating this manually in the Azure portal, to test the concept. It will work even if your storage container is private, as it allows temporary, time limited access to the file using a URL that contains a token in it's query string.

Click on your file within the storage container, select the 'Generate SAS' tab, and in the right pane select enter image description here

This will generate a token, and a URL that includes the token, like below:

enter image description here

You can test downloading the URL as a file by using curl. Use the 2nd URL shown in the image above (the one that includes the full token and other parameters in the querystring), then do this (IMPORTANT - the URL must be in double quotes):

curl "<YOUR_URL>" --output myFileName.txt

Tip - this is also a good method for making files available to an Azure VM, if you need to install a file directly on the VM for any reason (I needed to do this to install an SSL certificate), you can generate the URL then curl to download the file, on the VM itself. E.g. connect to the VM first with Bastion or SSH, then use curl to download the file somewhere.

like image 85
Chris Halcrow Avatar answered Oct 11 '22 03:10

Chris Halcrow


This is the API for how you read blobs from storage:

https://learn.microsoft.com/en-us/rest/api/storageservices/get-blob

There is no URL-Parameter to pass the access key, only the header value Authorization. So you could do the request manually and e.g. add the resulting data as a base64 encoded image. I would advise against it if at all possible.

You must also be aware that by passing your access key to the client, you are effectively making your blob public anyways. You would be putting your data at more risk than anonymous access, since the access key allows more operations than anonymous access. This would also hold true for your objective-c app, even though its much more obfuscated there. SAS is the way to go there - create a backend service that creates a defined set of SAS tokens for given resources. It is however much more effort than simply obfuscating the full access key somewhere.

See "Features available to anonymous users":

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources

like image 25
Alex AIT Avatar answered Oct 11 '22 04:10

Alex AIT