
My API allows users to upload and download files to my Azure Storage account. To do this, they need a SAS token with permissions based on whether they want to download or upload a file. I was wondering if there was a secure method to provide users with these tokens, other than sending it through less secure methods such as email.

Edit for Clarification:

I plan on having hundreds of users accessing my Azure Storage account. I was planning on generating my token through Azure itself, but I have been considering generating the SAS token inside the API or in a separate Azure Function. My API uses an Azure Function with NodeJS.

bowlingh23
  • Please provide more information. How many users? How do you generate your token? What type of application uses your token? – Florian Vuillemot Jun 01 '23 at 21:02
  • I'm sorry, I added more clarification to my original post. Hopefully this provides useful context to the question. – bowlingh23 Jun 01 '23 at 21:11
  • Correct me if I'm wrong, you have Azure functions that can access your Azure storage. Functions can have read or write access to the storage depending on their business purpose. Is your question about securing access to the SAS token from Azure Functions? – Florian Vuillemot Jun 02 '23 at 09:39
  • Although my Azure Functions can access my Azure Storage, users of my API still need a SAS token to be able to upload and download files. My question is asking how I should provide these tokens to users. For example, should I generate the token for them through a separate Azure Function? Should I just send the user a generated token over email? – bowlingh23 Jun 02 '23 at 13:02
  • I have proposed two solutions. I'm not talking about sending the token by e-mail, as this will be a manual process (at least for the end user) which will encourage the use of a long-lived SAS token, which is not good for security. – Florian Vuillemot Jun 02 '23 at 16:14

1 Answer


Proposal 1: You can create a new Azure Function as a proxy on your storage account for uploading/downloading. Thanks to managed identity, you won't have to provide a SAS token. User authorization on the Azure Function will ensure that the permission is removed when the user is no longer authorized.

Proposal 2: You can create a SAS token with an Azure Function and send it to the user inside your application (can be transparent to the user). This will enable you to create a SAS token with a short lifetime. If communication between clients and server uses TLS, it will guarantee secure transmission of your token.

Florian Vuillemot