node.js azure azure-active-directory azure-blob-storage azure-storage

Recommended access practice for blob storage


We are building a SaaS application, and there is a requirement where we want to store some of the bills as Azure blobs inside a container. Now, for creating a blob inside the container via a REST API (here we are using Node.js), I found two options to complete the process:

  1. Creating a role assignment and assigning it as role permissions
  2. Creating SAS tokens with some specifications like user delegation keys

I want to know which practice is recommended for this non-human robot automation approach to create blobs inside a container.

Are role assignments through a service principal vulnerable? If yes, then what about SAS and its periodic request for a token and validating it? Any docs for reference will be helpful.


Solution

  • Are role assignments through a service principal vulnerable? If yes, then what about SAS and its periodic request for a token and validating it? Any docs for reference will be helpful.

    For an automation approach to create blobs inside a container, I would suggest you choose RBAC where continuous, long-term access is required; using a service principal with appropriate RBAC roles like Storage Blob Data Contributor, you will be able to access it.

    SAS tokens, on the other hand, provide time-limited access to specific resources (like a container or a blob) with specific permissions (like write or list). So, SAS tokens will be helpful in scenarios where access needs are temporary or periodic.

    Are role assignments through a service principal vulnerable?

    Here is the Node.js code to authenticate using the service principal and create a blob in Azure Blob Storage.

    First, create a service principal and assign it the Storage Blob Data Contributor role using this MS-Document.

    Code:

    
    const { DefaultAzureCredential } = require('@azure/identity');
    const { BlobServiceClient } = require('@azure/storage-blob');
    
    // Replace with your values
    const accountName = "venkat32xxx3";
    const containerName = "sample";
    const blobName = "test.txt";
    const content = "Hello, World!";
    
    // Authenticate using DefaultAzureCredential, which picks up the service principal's
    // AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID from the environment
    const credential = new DefaultAzureCredential();
    const blobServiceClient = new BlobServiceClient(`https://${accountName}.blob.core.windows.net`, credential);
    
    async function createBlob() {
      try {
        const containerClient = blobServiceClient.getContainerClient(containerName);
        await containerClient.createIfNotExists();
        const blockBlobClient = containerClient.getBlockBlobClient(blobName);
        await blockBlobClient.upload(content, Buffer.byteLength(content));
        console.log(`Blob "${blobName}" is uploaded successfully.`);
      } catch (error) {
        console.error('Error uploading blob:', error);
        process.exitCode = 1;
      }
    }
    
    // Run the upload
    createBlob();
    

    For configuration, store the service principal credentials as environment variables.

    AZURE_CLIENT_ID=<your-client-id>
    AZURE_CLIENT_SECRET=<your-client-secret>
    AZURE_TENANT_ID=<your-tenant-id>
    

    Output:

    Blob "test.txt" is uploaded successfully.
    

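The answer shows only the RBAC path. The question's second option, a user delegation SAS, is worth seeing end to end as well, because it is the combination a practitioner usually ends up with: the service principal keeps the RBAC role and uses it to mint a short-lived, write-only SAS for one blob, and the component that actually uploads holds nothing but that SAS URL. The following Node.js code is an added example, not code from the original post or from the Azure SDK documentation. It assumes an `AZURE_STORAGE_ACCOUNT` environment variable, a container named `bills`, and a constructed sample SAS URL whose `skoid` and `sig` values are placeholders; the policy check, the renewal check and the validity-window helper run offline, and the Azure calls run only when the account variable is set.

```javascript
// Added example (not from the original post or the Azure SDK docs): a service principal
// mints a short-lived, write-only *user-delegation* SAS for one blob; the uploader
// validates the SAS against a policy and renews it before expiry. Assumed names:
// env var AZURE_STORAGE_ACCOUNT, container "bills"; the sample SAS URL is constructed.

const SAS_TTL_MINUTES = 15;          // short validity, re-minted per batch of uploads
const RENEW_MARGIN_SECONDS = 60;     // ask for a new SAS this long before expiry
const ALLOWED_PERMISSIONS = 'cw';    // create + write only: no read, list or delete

// Constructed sample SAS URL (skoid and sig are placeholders, not real values).
const SAMPLE_SAS_URL =
  'https://acct.blob.core.windows.net/bills/bill-42.txt' +
  '?sv=2022-11-02&sr=b&sp=cw&spr=https&st=2024-01-01T09:55:00Z&se=2024-01-01T10:15:00Z' +
  '&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER';

// Validity window for both the delegation key and the SAS; the start is a few
// minutes in the past so clock skew against the storage service does not bite.
function sasWindow(now = new Date(), ttlMinutes = SAS_TTL_MINUTES, skewMinutes = 5) {
  return {
    startsOn: new Date(now.getTime() - skewMinutes * 60_000),
    expiresOn: new Date(now.getTime() + ttlMinutes * 60_000),
  };
}

// Expiry (se=) carried inside an existing SAS URL.
function sasExpiresOn(sasUrl) {
  const se = new URL(sasUrl).searchParams.get('se');
  if (se === null) throw new Error('SAS has no expiry (se) parameter');
  const expiry = new Date(se);
  if (Number.isNaN(expiry.getTime())) throw new Error(`unparseable se=${se}`);
  return expiry;
}

// True when the uploader should request a fresh SAS instead of reusing this one.
function sasNeedsRenewal(sasUrl, now = new Date(), marginSeconds = RENEW_MARGIN_SECONDS) {
  return sasExpiresOn(sasUrl).getTime() - now.getTime() <= marginSeconds * 1000;
}

// Policy check on a SAS before it is used or handed to another component.
// Returns a list of violations; an empty list means the SAS is acceptable.
function sasPolicyViolations(sasUrl, allowed = ALLOWED_PERMISSIONS) {
  const q = new URL(sasUrl).searchParams;
  const problems = [];
  for (const p of q.get('sp') || '') {
    if (!allowed.includes(p)) problems.push(`permission "${p}" exceeds "${allowed}"`);
  }
  if (q.get('sr') !== 'b') problems.push('not scoped to a single blob (sr=b)');
  if (q.get('spr') !== 'https') problems.push('not restricted to HTTPS (spr=https)');
  if (!q.has('skoid')) problems.push('not a user-delegation SAS (no skoid): signed with an account key');
  return problems;
}

// --- Azure calls: the SDK is loaded lazily so the helpers above run offline. ---

// Signing side: the service principal behind DefaultAzureCredential needs an RBAC role
// that allows generateUserDelegationKey (e.g. Storage Blob Data Contributor); the SAS
// can never grant more than that principal itself holds.
async function mintUploadSasUrl(accountName, containerName, blobName, now = new Date()) {
  const { DefaultAzureCredential } = require('@azure/identity');
  const { BlobServiceClient, BlobSASPermissions, SASProtocol, generateBlobSASQueryParameters } =
    require('@azure/storage-blob');
  const accountUrl = `https://${accountName}.blob.core.windows.net`;
  const service = new BlobServiceClient(accountUrl, new DefaultAzureCredential());
  const { startsOn, expiresOn } = sasWindow(now);
  const delegationKey = await service.getUserDelegationKey(startsOn, expiresOn);
  const sas = generateBlobSASQueryParameters({
    containerName,
    blobName,
    permissions: BlobSASPermissions.parse(ALLOWED_PERMISSIONS),
    startsOn,
    expiresOn,
    protocol: SASProtocol.Https,
  }, delegationKey, accountName).toString();
  return `${accountUrl}/${containerName}/${encodeURIComponent(blobName)}?${sas}`;
}

// Upload side: holds only the SAS URL, no credential object and no account key.
async function uploadWithSas(sasUrl, content) {
  const { BlockBlobClient } = require('@azure/storage-blob');
  await new BlockBlobClient(sasUrl).upload(content, Buffer.byteLength(content));
}

async function main() {
  const sasUrl = await mintUploadSasUrl(process.env.AZURE_STORAGE_ACCOUNT, 'bills', `bill-${Date.now()}.txt`);
  const problems = sasPolicyViolations(sasUrl);
  if (problems.length) throw new Error(`refusing to use SAS: ${problems.join('; ')}`);
  await uploadWithSas(sasUrl, 'constructed bill body');   // sample content
  console.log('uploaded; SAS expires at', sasExpiresOn(sasUrl).toISOString());
}

// Only touch Azure when an account is configured; otherwise only the pure helpers run.
if (process.env.AZURE_STORAGE_ACCOUNT) {
  main().catch((err) => { console.error(err); process.exitCode = 1; });
}
```

The split matters for the "is it vulnerable" worry: the service principal's client secret stays on the signing side and is never copied into the uploader, and a leaked SAS URL is worth at most a few minutes of create/write on a single blob over HTTPS. Renewal is the uploader calling `mintUploadSasUrl` again whenever `sasNeedsRenewal` is true, and `sasPolicyViolations` is the check to run on any SAS you did not mint yourself before trusting it.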