none
Is there some means for not allowing public (anonymous read) on blob containers? RRS feed

  • Question

  • Hi everyone,

    I doing some research on Azure Policy, but as far as I'm concerned policy can be applied at the Storage Account level, for instance enforcing the use of https for Storage Account resources (files, blobs, queues).

    I am interested in disallowing the use of public blob containers. Would that be possible through Azure Policy or by some other means?

    Thanks!

    Tuesday, August 14, 2018 12:50 PM

Answers

  • Just checking in if you have had a chance to see the previous response. 

    • Marked as answer by retux Sunday, August 19, 2018 10:26 PM
    Friday, August 17, 2018 9:46 PM

All replies

  • You can give anonymous read access at a container level, but you can’t access an entire container through a web browser. Refer the below article for more information and let us know if you need any further clarification

    Manage anonymous read access to containers and blobs

    Tuesday, August 14, 2018 2:06 PM
  • Thanks a lot for your response Vikranth.

    I read that article. What I was wondering is if there would be some way of restricting the ability to give anonymous read access for blobs, probably within certain scope (resource group, subscription).

    I believe (if i'm not mistaken) that is not possible through Azure Policy, if that is correct, there would probably be some tool to audit, for instance if you have container or blob objects exposed to the internet.

    Tuesday, August 14, 2018 5:45 PM
  • Currently there are four ways (using SAS or RBAC or anonymous access or shared key) to authenticate the blob storage. Every request made against a secured resource in the Blob, File, Queue, or Table service must be authorized. Authorization ensures that resources in your storage account are accessible only when you want them to be, and only to those users or applications to whom you grant access.

    Options for authorizing requests to Azure Storage include:

    • Azure Active Directory (Azure AD)(Preview): Azure AD is Microsoft's cloud-based identity and access management service. Azure AD integration is currently available in preview for the Blob and Queue services. With Azure AD, you can assign fine-grained access to users, groups, or applications via role-based access control (RBAC). For information about Azure AD integration with Azure Storage, see Authenticate with Azure Active Directory.
    • Shared Key: Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed on the request in the Authorization header. For more information about Shared Key authentication, see Authorize with Shared Key.
    • Shared access signatures: Shared access signatures (SAS) delegate access to a particular resource in your account with specified permissions and over a specified time interval. For more information about SAS, see Delegating Access with a Shared Access Signature.
    • Anonymous access to containers and blobs: You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs do not require authorization. For more information, see Enable public read access for containers and blobs in Azure Blob storage.
    Wednesday, August 15, 2018 6:44 PM
  • Just checking in if you have had a chance to see the previous response. 

    • Marked as answer by retux Sunday, August 19, 2018 10:26 PM
    Friday, August 17, 2018 9:46 PM
  • Thanks for the response!
    Sunday, August 19, 2018 10:27 PM

  • I have created an AAD app as per https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app.
    The access is given to the azure storage account for the AAD app created.
    Got the client id and client secret.
    To create a user delegation key and user delegation sas, I am using the approach and code as defined in
    https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.
    (set environment variables as mentioned in article).

    I am able to generate the user delegation key using method GetUserDelegationSasBlob.
    The container and blob file is existing one.

    Now I am using the method ReadBlobWithSasAsync to read the contents of the blob using the SAS uri as generated above.
    But, I get error as below.

    >>>>>
    This request is not authorized to perform this operation using this permission.
    RequestId:5d127eaf-101e-00be-6666-6a3875000000
    Time:2019-09-13T19:04:15.4109144Z
    Status: 403 (This request is not authorized to perform this operation using this permission.)

    ErrorCode: AuthorizationPermissionMismatch
    <<<<<

    In another approach, I am generating the user delegation key using rest api.
    https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key

    I am able to get user delegation key in xml format.
    I am creating SAS from it as per steps in 
    https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

    For signature, I am using this code, using StringToSign and secret value as received from delegation key.

                    var encoding = new System.Text.ASCIIEncoding();
                    byte[] keyByte = encoding.GetBytes(secret);
                    byte[] messageBytes = encoding.GetBytes(ToSign);
                    using (var hmacsha256 = new HMACSHA256(keyByte))
                    {
                        byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
                        String sig= Convert.ToBase64String(hashmessage);
                    }

    I am doing the GET request.
    I have tried various set of parameter values, like,

    sr: b and c
    sks: b and c
    sp: racwd and r and rw and few more

    skv and sv is 2018-11-09 because this version is required for creating user delegation key.

    But the GET api returns the error.

    <?xml version="1.0" encoding="utf-8"?>
    <Error>
        <Code>AuthenticationFailed</Code>
        <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:e4bc8f0f-d01e-0046-7367-6af368000000
    Time:2019-09-13T19:12:27.7780695Z</Message>
        <AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
    </Error>
    Friday, September 13, 2019 7:29 PM
  • Try to assign the Storage Blob Data Contributor role to the storage account. Refer to this article
    Wednesday, September 18, 2019 6:47 AM
    Moderator