Azure Blob Storage Access

Rocco Scaramuzzi
rocco.tech
Dec 31, 2019

Azure Blob Storage is one of the most commonly used services in an Azure Storage account. As you might already know, Blob Storage is mainly used to store object data such as images, videos, spreadsheets, etc. Please find additional details in one of my previous articles here.

When working with blobs, we first create a container, which acts like a high-level folder. Each container can have its own access level, and there are three possible access levels.

Container access level
  1. Private (no anonymous access)
  2. Blob (anonymous read access for blobs only): each blob has a publicly accessible URL.
  3. Container (anonymous read access for container and blobs): each blob has a publicly accessible URL, and an anonymous user can also list the container content.

Generally speaking, it is always a good practice to create your container with a private access level and have your trusted application access the blob via the “Access Keys”.

Storage account — Access Keys

A storage account has two access keys for security purposes, and Microsoft recommends regenerating them regularly. Having two keys lets us maintain connections using one key while regenerating the other.

Access keys are just one level of security, and they give access to the entire storage account. There is also SAS (Shared Access Signatures), which is a more secure way to provide access to our storage account.

We can set two types of SAS:

  • Account-level — it sets the access to all service types in an account
  • Service level — Blob, queue, table, file.

SAS — Account level
SAS — Service level

As the pictures above show, we can set a start/end time and allowed IP addresses to add further restrictions on the access.
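To check whether a SAS URL actually carries these restrictions before it is handed out, the following added example (not code from the original article) audits the token's query parameters. The sample URLs, the storage account name and the 24-hour lifetime threshold are constructed assumptions, and only the `YYYY-MM-DDThh:mm:ssZ` time format is parsed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy threshold, not an Azure limit

# Constructed sample URLs; account name and signatures are placeholders.
BASE = "https://examplestorage.blob.core.windows.net"
SAMPLES = {
    "tight": BASE + "/images/logo.png?sv=2019-02-02&sr=b&sp=r"
             "&st=2019-12-31T08:00:00Z&se=2019-12-31T09:00:00Z"
             "&sip=203.0.113.10&spr=https&sig=CONSTRUCTED",
    "loose": BASE + "/?sv=2019-02-02&ss=bfqt&srt=sco&sp=rwdlac"
             "&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED",
}

def _ts(value):
    # Assumes the full UTC form, e.g. 2019-12-31T08:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url, now=None):
    """Return (level, findings) for a SAS URL; the signature is never used."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    # Account SAS carries ss (services) and srt (resource types); service SAS carries sr.
    level = "account" if "ss" in q and "srt" in q else "service"
    if level == "account":
        findings.append("account-level scope: services=" + q["ss"])
    if "sip" not in q:
        findings.append("no IP restriction (sip)")
    if q.get("spr", "https,http") != "https":  # omitted spr permits both protocols
        findings.append("HTTP allowed (spr is not 'https')")
    if "se" not in q:
        findings.append("no expiry in token (se)")
    else:
        expiry = _ts(q["se"])
        start = _ts(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("already expired")
        elif expiry - start > MAX_LIFETIME:
            findings.append("lifetime exceeds %s" % MAX_LIFETIME)
    risky = set(q.get("sp", "")) & set("wdc")  # write, delete, create
    if risky:
        findings.append("grants write/delete/create: " + "".join(sorted(risky)))
    return level, findings

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, audit_sas(url, datetime(2019, 12, 31, 8, 30, tzinfo=timezone.utc)))
```

The "tight" sample is a read-only, one-hour, single-IP, HTTPS-only blob SAS and produces no findings; the "loose" sample is an account-level SAS and is flagged on scope, IP, protocol, lifetime and permissions.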

As a bit of general advice, whenever an application needs to access your storage account, unless it’s your trusted internal application, please avoid using the “Access Keys”.

Rocco Scaramuzzi
rocco.tech

Tech Lead, Technical Architect, Coder, Senior Software Engineer