As we are building a SaaS application, there is a requirement where we want to store some of the bills as Azure blobs inside a container. Now, for creating a blob inside the container via a REST API (here we are using Node.js), I found two options to complete the process.
I want to know which practice is recommended for this non-human, robot automation approach to create blobs inside a container.
Are role assignments through a service principal vulnerable? If yes, then what about SAS and its periodic request for a token and validating it? Any docs for reference will be helpful.
For an automation approach to create blobs inside a container, I would suggest you choose RBAC.
Where continuous, long-term access is required, use a service principal with appropriate RBAC roles like Storage Blob Data Contributor; with that you will be able to access it.
Whereas SAS tokens provide time-limited access to specific resources (like a container or a blob) with specific permissions (like write or list). So, SAS tokens will be helpful in scenarios where access needs are temporary or periodic.
Are role assignments through a service principal vulnerable?
Here is the Node.js code to authenticate using the service principal and create a blob in Azure Blob Storage.
First create a service principal and assign it the Storage Blob Data Contributor role using this MS-Document.
Code:
const { DefaultAzureCredential } = require('@azure/identity');
const { BlobServiceClient } = require('@azure/storage-blob');

// Replace with your values
const accountName = "venkat32xxx3";
const containerName = "sample";
const blobName = "test.txt";
const content = "Hello, World!";

// Authenticate using DefaultAzureCredential, which picks up the service principal
// from the AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID environment variables
const credential = new DefaultAzureCredential();
const blobServiceClient = new BlobServiceClient(
    `https://${accountName}.blob.core.windows.net`,
    credential
);

async function createBlob() {
    try {
        // Get a client for the container and create it if it is not there yet
        const containerClient = blobServiceClient.getContainerClient(containerName);
        await containerClient.createIfNotExists();
        // Upload the content as a block blob
        const blockBlobClient = containerClient.getBlockBlobClient(blobName);
        await blockBlobClient.upload(content, Buffer.byteLength(content));
        console.log(`Blob "${blobName}" is uploaded successfully.`);
    } catch (error) {
        console.error('Error uploading blob:', error);
    }
}

createBlob();
For configuration, store the service principal credentials as environment variables.
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
AZURE_TENANT_ID=<your-tenant-id>
Output:
Blob "test.txt" is uploaded successfully.