URL to access private blob in Azure Storage

ATV Source

We're just getting started with Azure Storage. In our scenario we upload to private blobs that we later need to access directly from our client app, e.g. images.

Is there a way to address private blobs in Azure Storage with a URL containing the access key?

Sifting through the MS docs all I could find so far is simple URL access via the blob URI, e.g. as given by the URI property of the CloudBlockBlob instance when listing blobs via the .net API.

Naturally accessing this from a web browser fails due to the blob not being public.
However, can we qualify the URL to also include the access key in order to allow authorized clients to access the blob..?

c#azureblobazure-storageazure-storage-blobs

Answers

answered 8 months ago Alex AIT #1

This is the API for how you read blobs from storage:

https://docs.microsoft.com/en-us/rest/api/storageservices/get-blob

There is no URL-Parameter to pass the access key, only the header value Authorization. So you could do the request manually and e.g. add the resulting data as a base64 encoded image. I would advise against it if at all possible.

You must also be aware that by passing your access key to the client, you are effectively making your blob public anyways. You would be putting your data at more risk than anonymous access, since the access key allows more operations than anonymous access. This would also hold true for your objective-c app, even though its much more obfuscated there. SAS is the way to go there - create a backend service that creates a defined set of SAS tokens for given resources. It is however much more effort than simply obfuscating the full access key somewhere.

See "Features available to anonymous users":

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources

comments powered by Disqus