
I'm storing blobs in a private container, which will generate a new shared access signature each time an authorized user requests to view one. If a shared access signature is generated by an authorized user, a valid link with the token appended to the blob's tail, then everyone can view it with no trouble (including unauthorized users). This is unexpected. I just want that valid link to be viewable only by the user who generated that token.

How can I secure my blobs against unauthorized access with a generated token?

P/S: My requests come from another domain, different from the Azure storage domain.

Ming Hieu

1 Answer


If a shared access signature is generated by an authorized user, a valid link with the token is appended to the blob's tail, then everyone can view it with no trouble (including unauthorized users). This is unexpected.

You can restrict access to the blob container by generating a SAS token bound to an IP address.

To ensure that only the authorized user can access the blob with the generated SAS token, you need to set the appropriate permissions on the SAS token. Specifically, you should set the Read permission on the token and also set the IPRange property to the IP address of the authorized user.

Initially, I set up an IP address for the storage account. (screenshot not reproduced)

You can use the code below to generate a SAS token with an authorized IP address.

Code:

using Azure.Storage.Blobs;
using Azure.Storage.Sas;
using System;
using System.Net;

namespace BlobSasDemo
{
    class Program
    {
        static void Main(string[] args)
        {
            // Replace these values with your own connection string, container name, blob name, and authorized user's IP address
            string connectionString = "Your connection string";
            string containerName = "test2";
            string blobName = "test.png";
            string authorizedIpAddress = "103.xx.xxx.xx";

            // Create a BlobClient instance
            BlobClient blobClient = new BlobClient(connectionString, containerName, blobName);

            // Create a BlobSasBuilder instance
            BlobSasBuilder sasBuilder = new BlobSasBuilder()
            {
                BlobContainerName = containerName,
                BlobName = blobName,
                Resource = "b",
                StartsOn = DateTime.UtcNow.AddMinutes(-5),
                ExpiresOn = DateTime.UtcNow.AddMinutes(10),
                IPRange = new SasIPRange(IPAddress.Parse(authorizedIpAddress)),
            };

            // Set the permissions to only allow read access
            sasBuilder.SetPermissions(BlobSasPermissions.Read);

            // Generate the SAS token
            Uri sasTokenUri = blobClient.GenerateSasUri(sasBuilder);

            // Print the SAS token URI
            Console.WriteLine("SAS token URI: {0}", sasTokenUri);
            Console.ReadLine();
        }
    }
}

Output: (screenshot not reproduced)

If we try with a different IP address, you will get an error like the one below: (screenshot not reproduced)

Reference:

AccountSasBuilder Class (Azure.Storage.Sas) - Azure for .NET Developers | Microsoft Learn

Sourav
  • I don't think using an IP filter is a good solution. Authorized users can use a dynamic IP from multiple devices to access the resources (blob). We can't determine users' IP addresses because they come from all around the world. Additionally, authorized users are users who logged in to the application successfully, so if they (authorized users) log out of the system, then they can't view the resources which they generated before – Ming Hieu Apr 18 '23 at 03:45
  • Thanks for pointing it out. However, what you are trying to implement will need AAD authentication, and we also need to involve Azure Key Vault secrets/keys. – Sourav Apr 19 '23 at 14:32
  • Are you clear about my requirement? All I need to do is AAD authentication and Azure Key Vault secrets/keys, is that right? @Sourav – Ming Hieu Apr 20 '23 at 14:19
  • Yes, I think so. Try once and let me know in the comments. – Sourav Apr 20 '23 at 20:24
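As an added example (not code from the question or the answer above), here is a Python check that can be run over a generated SAS URL before it is handed to a client, verifying the restrictions the answer relies on: a single-blob resource, read-only permission, a short remaining lifetime, and a sip range that actually contains the intended client address. The account name, blob path and signature in the sample URL are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse
import ipaddress

# Constructed sample shaped like the output of GenerateSasUri above; account, blob
# and signature are placeholders, not real values.
SAMPLE_URL = ("https://exampleacct.blob.core.windows.net/test2/test.png"
              "?sv=2022-11-02&sr=b&st=2023-04-18T03:35:00Z&se=2023-04-18T03:50:00Z"
              "&sp=r&sip=203.0.113.10&spr=https&sig=PLACEHOLDER")


def parse_sas_time(value):
    """Parse a SAS timestamp such as 2023-04-18T03:45:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_blob_sas_url(url, client_ip=None, max_lifetime=timedelta(minutes=15), now=None):
    """Return a list of findings for a blob SAS URL; an empty list means it passes.

    client_ip is the address the link is meant for (checked against sip);
    now is an injectable UTC clock so the check is deterministic in tests."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params:
        return ["no 'sig' parameter: this is not a SAS URL"]
    findings = []
    if params.get("sr") != "b":
        findings.append(f"resource is {params.get('sr')!r}, expected a single blob ('b')")
    extra = set(params.get("sp", "")) - {"r"}  # any permission beyond Read
    if extra:
        findings.append("permissions beyond read-only: " + "".join(sorted(extra)))
    expiry = params.get("se")
    if not expiry:
        findings.append("no expiry ('se')")
    elif parse_sas_time(expiry) <= now:
        findings.append("token already expired")
    elif parse_sas_time(expiry) - now > max_lifetime:
        findings.append(f"token valid for more than {max_lifetime}")
    sip = params.get("sip")  # "a.b.c.d" or "a.b.c.d-e.f.g.h"
    if not sip:
        findings.append("no IP range ('sip'): anyone holding the URL can use it")
    elif client_ip:
        low, _, high = sip.partition("-")
        low, high = ipaddress.ip_address(low), ipaddress.ip_address(high or low)
        if not low <= ipaddress.ip_address(client_ip) <= high:
            findings.append(f"client {client_ip} is outside the sip range {sip}")
    return findings
```

A passing result only confirms the token's own restrictions; as the comments note, an IP range does not bind the link to a logged-in user, so the application still has to decide when to issue one.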