A SAS that is signed with Azure AD credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.

Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a blob using the Azure Storage client library for.

About the user delegation SAS

A SAS token for access to a container or blob may be secured by using either Azure AD credentials or an account key. A SAS secured with Azure AD credentials is called a user delegation SAS, because the OAuth 2.0 token used to sign the SAS is requested on behalf of the user.

Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security. For more information about the user delegation SAS, see Create a user delegation SAS.

Any client that possesses a valid SAS can access data in your storage account as permitted by that SAS. It's important to protect a SAS from malicious or unintended use. Use discretion in distributing a SAS, and have a plan in place for revoking a compromised SAS.

For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).

When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see Assign an Azure role for access to blob data.

To work with the code examples in this article, follow these steps to set up your project.

Install packages

Add the following using directives: using Azure

To get a token credential that your code can use to authorize requests to Blob Storage, create an instance of the DefaultAzureCredential class. For more information about using the DefaultAzureCredential class to authorize a managed identity to access Blob Storage, see Azure Identity client library for.
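The steps described above, carried through end to end as an added example (not code from the Microsoft article): it obtains a token credential with DefaultAzureCredential, requests a user delegation key scoped to the SAS lifetime, signs a read-only, HTTPS-only SAS for a single blob with that key, and exercises the resulting URI before it is handed out. The account, container and blob names are constructed placeholders; it assumes the Azure.Identity and Azure.Storage.Blobs packages, which the `using Azure` directive indicates.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class UserDelegationSasExample
{
    // Creates a read-only user delegation SAS for one blob. The identity resolved by
    // DefaultAzureCredential must hold a role that includes the
    // Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.
    public static async Task<Uri> CreateReadOnlyBlobSasAsync(
        string accountName, string containerName, string blobName, TimeSpan lifetime)
    {
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"),
            new DefaultAzureCredential());

        // Request the delegation key for exactly the window the SAS needs. A SAS cannot
        // outlive the key it is signed with, so a short key lifetime bounds the exposure
        // if the SAS leaks (the service itself caps a key at seven days).
        DateTimeOffset startsOn = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate clock skew
        DateTimeOffset expiresOn = DateTimeOffset.UtcNow.Add(lifetime);
        UserDelegationKey key = await serviceClient.GetUserDelegationKeyAsync(startsOn, expiresOn);

        var sasBuilder = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",                 // "b": the SAS covers this single blob only
            StartsOn = startsOn,
            ExpiresOn = expiresOn,
            Protocol = SasProtocol.Https,   // the token is rejected over plain HTTP
        };
        sasBuilder.SetPermissions(BlobSasPermissions.Read); // least privilege: read only

        // Sign with the delegation key (no account key involved) and append it to the blob URI.
        BlobClient blobClient = serviceClient.GetBlobContainerClient(containerName).GetBlobClient(blobName);
        var uriBuilder = new BlobUriBuilder(blobClient.Uri)
        {
            Sas = sasBuilder.ToSasQueryParameters(key, accountName)
        };
        return uriBuilder.ToUri();
    }

    // Example call with constructed names (placeholders): a one-hour read-only SAS.
    public static async Task Main()
    {
        Uri sasUri = await CreateReadOnlyBlobSasAsync("mystorageacct", "reports", "q1.pdf", TimeSpan.FromHours(1));
        // A SAS URI needs no other credential; prove it works before distributing it
        // and never log the URI itself, since the query string is the bearer token.
        BlobProperties props = await new BlobClient(sasUri).GetPropertiesAsync();
        Console.WriteLine($"SAS works; blob size {props.ContentLength} bytes");
    }
}
```

Revoking a compromised SAS of this kind means revoking the user delegation key it was signed with (or removing the signing identity's role), which invalidates every SAS derived from that key.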