Securely uploading blob files to Azure Storage from API Management
Agenda
This article will provide a demonstration on how to utilize either SAS token authentication or managed identity from API Management to make requests to Azure Storage. Furthermore, it will explore and compare the differences between these two options.
Comparision
The choice between Managed Identity and SAS Token depends on factors such as the level of control required, the duration of access, and the specific security requirements of your application. Both options offer different levels of access control and security features for accessing Azure Storage.
Azure Managed Identity vs. SAS (Shared Access Signature) Token
Authentication | Advantage | Disadvantage |
Azure Managed Identity |
|
|
SAS Token |
|
|
It is crucial to select the appropriate authentication method for accessing Azure Storage based on your specific use cases. For instance, if the permission for your client applications is permanent and long-term, it may be preferable to leverage Azure Managed Identity, as the assigned permission remains in place indefinitely. On the other hand, if you only need to grant temporary access to your client applications, it is more suitable to use SAS Token. SAS tokens can be created with an expiration date, and the permission will automatically expire once the token becomes invalid. This grants more control over the duration of access for temporary scenarios.
Below are the instructions to implement both Azure Managed Identity and SAS Token authentication options.
OPTION 1: Authentication via managed identity
This shows you how to create a managed identity for an Azure API Management instance and how to use it to access Azure Storage. A managed identity generated by Microsoft Entra ID allows your API Management instance to easily and securely access Azure Storage which is protected by Microsoft Entra ID. Azure manages this identity, so you don't have to provision or rotate any secrets.
Configuration
The initial step involves enabling the managed identity for your APIM service, followed by assigning the appropriate permissions for blob uploading. You must go to the "Managed identities" blade to enable the system assigned identity firstly.
To add the storage permission, you can navigate to the same blade and click on the "Azure role assignments" button. It is important to carefully consider the role assignment based on your specific use cases, as there are multiple built-in roles available for authorizing access to blob data using Microsoft Azure Active Directory. For testing purposes, you can grant the "Storage Blob Data Contributor" permission to the managed identity.
For more detailed information regarding the built-in roles for blobs, please refer to the documentation provided below.
Assign an Azure role for access to blob data - Azure Storage | Microsoft Learn
Authorize access to blobs using Microsoft Entra ID - Azure Storage | Microsoft Learn
Policy
In the <inbound>
section, I included a policy for authentication with managed identity and also for rewriting the blob path. This example utilizes the name of the storage account that is set within the named values.
Within the <outbound>
section, to make the error response from Storage side easier to troubleshoot, I use the policy<xml-to-json>
to convert the response format, because it is generated in XML format.
Error example:
Test
Simply using the test panel to do a test and check if everything works fine. The response will come back with 201-Created when the file has been uploaded successfully.
The file upload to the storage container was successful.
OPTION 2: Access Storage through SAS token
This is a method to access Storage Account from APIM service using SAS token. By setting the SAS token as named values, it can help reuse the SAS token.
One thing you might need to be careful about is that the SAS token should be handled and maintained manually because there is no integration between Storage Account and Key Vault for key re-creation.
Prerequisite
A SAS token is required before implementation. There are some ways to create a SAS token. You can generate the token from the Azure portal by selecting "Shared Access Signature" from the menu and providing the necessary information.
Additionally, both Azure PowerShell and Azure CLI can be utilized to generate the token.
- By using the Azure PowerShell, the examples within the below documentation can help you to create the SAS token.
New-AzStorageAccountSASToken (Az.Storage) | Microsoft Learn
- By using Azure CLI
az storage account | Microsoft Learn
Example:
Configuration
After generating the SAS token, let’s move forward to API management service to set up the required configurations to restore the SAS token in the Named values on for API reference.
Policy
In the <inbound>
section, I added the policy for rewriting the blob path as well as assigning the SAS token. This example uses the name of Storage Account that is set in the named values.
Within the <outbound>
section, to make the error response from Storage side easier to troubleshoot, I use the policy<xml-to-json>
to convert the response format, because it is generated in XML format.
Error example:
Test
Simply using the test panel to do a test and check if everything works fine. The response will come back with 201-Created when the file has been uploaded successfully.
The file upload to the storage container was successful.
Conclusion
In conclusion, both Azure Managed Identity and SAS Token authentication methods offer secure ways to upload blob files to Azure Storage from API Management.
Azure Managed Identity provides seamless authentication and eliminates the need to store and manage credentials, improving security. It allows for granular access control through RBAC and is suitable for permanent permission scenarios. However, it is limited to Azure services and requires dependency on Azure AD.
SAS Token authentication offers greater flexibility with temporary access and fine-grained control over permissions. It allows for the generation of tokens with specific expiration dates, providing enhanced security. However, SAS token management can be more complex, requiring manual generation and distribution of tokens.
When choosing between the two methods, consider the longevity of permissions needed and the level of control required. Azure Managed Identity is ideal for long-term permissions. Assess your specific use case to determine the most secure and convenient authentication approach for uploading blob files to Azure Storage from API Management.
Published on:
Learn moreRelated posts
Enhancing Azure Files resilience and performance
Azure Files provides the best-in-class fully managed file share solution in the cloud. We are excited to showcase several new capabilities, so...
Secure Access to Your Azure Virtual Machines for Free with Bastion Developer
As Microsoft Azure continues to evolve to accommodate its expanding user community, we are pleased to release a groundbreaking offering in res...
Faster server onboarding and disaster recovery with Azure File Sync (Public Preview)
We are excited to announce the public preview of faster server onboarding and disaster recovery. This will significantly accelerate customer o...
Log Analytics Cost Savings with Azure Advisor
Coding at the Speed of Innovation: AI and more with Azure SQL Database
The Azure SQL Database team is all set to unveil new product announcements as Build 2024 approaches. Innovation is the prominent theme this ti...
Generate insights from audio and video data using Speech analytics in Azure AI Studio
In this video, we explore the power of speech analytics in Azure AI Studio to extract insights from audio and video data. This technology help...
Azure Custom Policy- PostgreSQL Product - Compliance Report not Available- New Feature Request
If you're attempting to create custom policies for Azure Cosmos DB for PostgreSQL at the subscription level and are running into issues where ...
Microsoft Causes Fuss Around Azure MFA Announcement
Microsoft's recent announcement regarding the requirement of Azure MFA for connections to services starting in July 2024 has caused quite a st...
PostgreSQL for your AI app's backend | Azure Database for PostgreSQL Flexible Server
If you want to use Postgres as a managed service on Azure and build generative AI apps, then the Azure Database for Postgres Flexible Server i...