Recommended access practice for blob storage

As we are building a Saas application and there is a requirement where we want to store some of the bills as azure blobs inside the container now for creating a blob inside the container via a REST API ( here we are using nodejs) , I found two options to complete the process

1. Creating a Role assignment and assigning it as role permissions
2. Through creating SAS tokens with some specifications like user delegation keys

I want to know which practice is recommended for this non human robot automation approach to create blobs inside a container

Is role assignments through service principle is vulnerable ? , if yes then what about SAS and its periodic request for token and validating it ? , any docs for reference will be helpful .

Is role assignments through service principle is vulnerable ? , if yes then what about SAS and its periodic request for token and validating it ? , any docs for reference will be helpful .

For automation approach to create blobs inside a container, I would suggest you choose RBAC where continuous, long-term access is required, using a service principal with appropriate RBAC roles like Storage Blob Data Contributor you can be able to access it.

Where SAS tokens are provide time-limited access to specific resources (like a container or a blob) and specific permissions (like write or list). So, SAS token will helpful scenarios like access needs are temporary or periodic.

Is role assignments through service principle is vulnerable ? ,

• If their credentials are exposed or not well-managed the Service principals can be risky.
• To resolve this, it's important to regularly change the credentials and enforce strict access controls.

Here is the node.js code to authenticate using the service principal and create a blob in Azure Blob Storage.

First create service principal and assign role Storage Blob Data contributor role using this MS-Document.

Code:

const { DefaultAzureCredential } = require('@azure/identity');
const { BlobServiceClient } = require('@azure/storage-blob');

// Replace with your values
const accountName = "venkat32xxx3";
const containerName = "sample";
const blobName = "test.txt";
const content = "Hello, World!";

// Authenticate using DefaultAzureCredential
const credential = new DefaultAzureCredential();
const blobServiceClient = new BlobServiceClient(`https://${accountName}.blob.core.windows.net`, credential);

async function createBlob() {
  try {
    const containerClient = blobServiceClient.getContainerClient(containerName);
    await containerClient.createIfNotExists();
    const blockBlobClient = containerClient.getBlockBlobClient(blobName);
    await blockBlobClient.upload(content, Buffer.byteLength(content));
    console.log(`Blob "${blobName}" is uploaded successfully.`);
  } catch (error) {
    console.error('Error uploading blob:', error);
  }
}

For configuration, store the service principal credentials as environment variables.

AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
AZURE_TENANT_ID=<your-tenant-id>

Output:

Blob "test.txt" is uploaded successfully.