3

I am developing an application that must have write-only access to an Azure Storage Blob container. If I just go with key-based access, the application will be capable of interacting way more than it is supposed to. All I need is Write-Only access permission to the container. In other words, the account used by the application must not expose the ability to read, list, or delete blobs; only write is allowed.

Is there any way to facilitate fine-tuned access using Role-Based Access Control, using either built-in roles or Azure AD?

Web User

1 Answer

2

How about using SAS with the w permission only (sp=w)?

https://learn.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS?redirectedfrom=MSDN

  • Read (r): Valid for all signed resource types (Service, Container, and Object). Permits read permissions to the specified resource type.
  • Write (w): Valid for all signed resource types (Service, Container, and Object). Permits write permissions to the specified resource type.
  • Delete (d): Valid for Container and Object resource types, except for queue messages.
  • List (l): Valid for Service and Container resource types only.
  • Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs.
  • Create (c): Valid for the following Object resource types only: blobs and files. Users can create new blobs or files, but may not overwrite existing blobs or files.
  • Update (u): Valid for the following Object resource types only: queue messages and table entities.
  • Process (p): Valid for the following Object resource type only: queue messages.
Kamran
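Added example, not code from the question or the answer above: it builds an account SAS with sp=w following the string-to-sign format on the linked page, recomputes the signature the way the service does (so you can see that editing sp to rw invalidates the token), and audits any SAS query string for read/list/delete letters. The account name, key, timestamps and blob names are constructed placeholders, and the service version 2020-10-02 is an assumption (later versions append a signedEncryptionScope field to the string-to-sign). Note that an account SAS with srt=co grants the permission on every container in the blob service; if the application should only ever touch one container, a service SAS issued on that container is the narrower choice.

```python
"""Build, verify and audit a write-only Azure Storage account SAS (sp=w).

Account-SAS string-to-sign per the linked documentation, for service
version 2020-10-02 (assumed). Names, key and dates are constructed samples.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-10-02"  # assumed; 2020-12-06+ adds an encryption-scope field

# Constructed sample key: Azure account keys are base64 of 64 random bytes.
# Never paste a real key into example code.
SAMPLE_ACCOUNT = "examplestore"
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_EXPIRY = datetime(2024, 1, 2, tzinfo=timezone.utc)


def _fmt(ts: datetime) -> str:
    """UTC ISO-8601 as Azure expects in st/se (no fractional seconds)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def account_sas_string_to_sign(account, permissions, services, resource_types,
                               start, expiry, ip, protocol, version=SAS_VERSION):
    """Field order is fixed by the spec; every field is newline-terminated."""
    return "\n".join([account, permissions, services, resource_types,
                      start, expiry, ip, protocol, version]) + "\n"


def _sign(key_b64, string_to_sign):
    """Base64(HMAC-SHA256(key, UTF-8(string_to_sign))) with the decoded key."""
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_account_sas(account, key_b64, start, expiry, permissions="w",
                      services="b", resource_types="co", protocol="https", ip=""):
    """Return the SAS query string. Defaults: blob service only (ss=b),
    container and object scope (srt=co), write only (sp=w), HTTPS only."""
    st, se = _fmt(start), _fmt(expiry)
    sig = _sign(key_b64, account_sas_string_to_sign(
        account, permissions, services, resource_types, st, se, ip, protocol))
    params = {"sv": SAS_VERSION, "ss": services, "srt": resource_types,
              "sp": permissions, "st": st, "se": se, "spr": protocol, "sig": sig}
    if ip:
        params["sip"] = ip
    return urlencode(params)


def verify_account_sas(account, key_b64, sas_token):
    """Recompute the signature from the token's own fields, as the service
    does. Any edited field (e.g. sp changed from w to rw) fails verification."""
    q = {k: v[0] for k, v in parse_qs(sas_token, keep_blank_values=True).items()}
    try:
        expected = _sign(key_b64, account_sas_string_to_sign(
            account, q["sp"], q["ss"], q["srt"], q["st"], q["se"],
            q.get("sip", ""), q["spr"], q["sv"]))
    except KeyError:
        return False
    return hmac.compare_digest(expected, q.get("sig", ""))


def audit_write_only(sas_token):
    """Return (ok, offending_letters). Write-only means sp carries none of
    r (read), l (list) or d (delete); w, c and a are the upload-side letters."""
    perms = set(parse_qs(sas_token, keep_blank_values=True).get("sp", [""])[0])
    bad = sorted(perms & {"r", "l", "d"})
    return (bool(perms) and not bad, bad)


def put_blob_request(account, container, blob_name, sas_token, body: bytes):
    """Describe the PUT a write-only client sends (built here, not sent)."""
    url = f"https://{account}.blob.core.windows.net/{container}/{blob_name}?{sas_token}"
    headers = {"x-ms-blob-type": "BlockBlob", "x-ms-version": SAS_VERSION,
               "Content-Length": str(len(body))}
    return "PUT", url, headers


def demo_token():
    """Write-only token for the constructed sample account."""
    return build_account_sas(SAMPLE_ACCOUNT, SAMPLE_KEY_B64, SAMPLE_START, SAMPLE_EXPIRY)


if __name__ == "__main__":
    tok = demo_token()
    print(tok)
    print("write-only:", audit_write_only(tok))
    print("valid:", verify_account_sas(SAMPLE_ACCOUNT, SAMPLE_KEY_B64, tok))
    print("tampered valid:", verify_account_sas(
        SAMPLE_ACCOUNT, SAMPLE_KEY_B64, tok.replace("sp=w", "sp=rw")))
```

Run audit_write_only on every SAS before handing it to the application, and keep the expiry (se) short: with sp=w the holder can overwrite existing blobs, so a leaked token is still worth rotating the key for.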