
Securing the Windows Azure Storage Blob files with Shared Access Signature

In a previous blog post, I demonstrated how easy it is to save and delete files in Azure Blob Storage. If they are just public images it is all right to leave them public, but if they are private images and documents we need to secure them.

For example, a user downloads a document from the corporate portal and bookmarks the link, then leaves the organisation. If he is still able to download the document, or the document becomes visible to a search engine and gets indexed, that is a security hole. The approach would be to issue a temporary token to download the file: even if he bookmarks the link, it will not work the next time because the token has expired. If he is a genuine user he should be able to log back into the portal and download it again. I prefer inconvenience over exposing information. But do let me know if there is a better approach out there for Azure Blob Storage.

You first need to make the container private, then enable SAS for that blob storage, so that the file can only be accessed with a SAS.

When the user logs in to your app, or the app refreshes the token in the background, send the new SAS back to the client. I use the login token's claims to carry it. But you can also do this whenever a user requests a file: create a SAS token, append it to the blob storage URL and send that down. I will leave it up to you how you want to do it.

Below is how you acquire the token:

using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public string CreateSharedAccessSignatureToken(string accountName, string accountKey, string containerName, int validHours)
{
   // The SAS is signed with the account key, so this method must only ever run server-side.
   var storageAccount = CloudStorageAccount.Parse($"DefaultEndpointsProtocol=https;AccountName={accountName};AccountKey={accountKey}");
   var cloudBlobClient = storageAccount.CreateCloudBlobClient();
   var container = cloudBlobClient.GetContainerReference(containerName);

   // Read-only, valid until the expiry time; with no start time the token is usable immediately.
   var sasConstraints = new SharedAccessBlobPolicy
   {
      SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddHours(validHours),
      Permissions = SharedAccessBlobPermissions.Read
   };

   // Signed at container level (sr=c in the resulting URL), so the token grants read on every blob in the container.
   // Returns the query string ("?sv=...&sig=...") that is appended to a blob URL.
   return container.GetSharedAccessSignature(sasConstraints);
}

Once you have the SAS, you can access the file with a URL of the form below:

https://[Your storage name].blob.core.windows.net/[your container name]/[file name]?[your SAS]

Which builds a URL like this:

https://XXXXXX.blob.core.windows.net/XXXXX/71446024-9dc7-43fc-aa07-5a989dbc981e.jpg?sv=2018-03-28&sr=c&sig=gcWFJqhNLg2qW7%2FN%2BsdR0eq6EhdpwjOS70rP8814UR8%3D&se=2019-01-16T01%3A51%3A29Z&sp=r

Azure Blob Storage will handle the expiry and everything else.
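As an added example that is not part of the original post: a small Python checker that parses a SAS URL of the shape shown above and reports what the token actually grants (resource scope, permissions, expiry), which is a useful review step for the links your app hands to clients. The sample URL, account name, container name and signature value are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the URL shown above; the account name,
# container name and signature value are made up.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/docs/"
    "71446024-9dc7-43fc-aa07-5a989dbc981e.jpg"
    "?sv=2018-03-28&sr=c&sig=MADEUPSIG%2Fabc%3D&se=2019-01-16T01%3A51%3A29Z&sp=r"
)

SCOPES = {"b": "blob", "c": "container"}
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "l": "list"}


def parse_sas_expiry(value):
    # 'se' is ISO 8601 UTC; the service accepts date-time and date-only forms.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS expiry: {value!r}")


def inspect_sas_url(url, now=None):
    """Report what a blob SAS URL grants (scope, permissions, expiry) plus the
    findings a reviewer wants flagged: container scope, write rights, expiry."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs undoes %-encoding
    scope = SCOPES.get(q.get("sr", ""), "unknown")
    perms = [PERMISSIONS.get(ch, ch) for ch in q.get("sp", "")]
    expiry = parse_sas_expiry(q["se"]) if "se" in q else None
    findings = []
    if "sig" not in q:
        findings.append("no sig parameter: this is not a SAS URL")
    if scope == "container":
        findings.append("container-scoped (sr=c): the token applies to every blob in the container, not only this file")
    extra = sorted(set(perms) - {"read"})
    if extra:
        findings.append("grants more than read: " + ", ".join(extra))
    if expiry is None:
        findings.append("no se parameter: the URL carries no expiry")
    elif now >= expiry:
        findings.append("expired at " + expiry.isoformat())
    return {"path": parts.path, "scope": scope, "permissions": perms,
            "expires": expiry, "expired": expiry is not None and now >= expiry,
            "findings": findings}
```

Run against the sample URL, the checker flags the container scope (sr=c) that the C# method above produces, and reports the token as expired once the clock passes the se value.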
