gomods / athens

A Go module datastore and proxy
https://docs.gomods.io
MIT License

Support for authentication to Azure Blob Storage using a SAS token #1813

Open edoboker opened 1 year ago

edoboker commented 1 year ago

Currently, Athens supports Azure Blob Storage as a storage backend but only supports authenticating to that storage account via a storage account key (as documented here). In some environments (usually due to security concerns) the usage of SAS tokens is encouraged (as they have a limited lifetime, and can be narrowed down to specific roles and scopes); support for such configuration would only require some slightly different authentication process.

A potential solution might look like this:

# StorageType sets the type of storage backend the proxy will use.
# Env override: ATHENS_STORAGE_TYPE
StorageType = "azureblob"

[Storage]
    [Storage.AzureBlob]
        # Storage Account name for Azure Blob
        # Env override: ATHENS_AZURE_ACCOUNT_NAME
        AccountName = "MY_AZURE_BLOB_ACCOUNT_NAME"

        # SAS token to use with the storage account
        # Env override: ATHENS_AZURE_SAS_TOKEN
        SasToken = "MY_AZURE_BLOB_SAS_TOKEN"

        # Name of container in the blob storage
        # Env override: ATHENS_AZURE_CONTAINER_NAME
        ContainerName = "MY_AZURE_BLOB_CONTAINER_NAME"

Currently, there's no alternative to SAS tokens. In my environment, the only solution was to create a dedicated storage account to Athens where an exception to the security policy could be made (the exception being a storage account where account keys are used instead of SAS tokens).

Additional details:

  1. There's a lot of confusion between SAS tokens, SAS URLs (specifically Blob SAS URL) and connection strings in Azure storage accounts. It would be nice to support all three options in a user-friendly fashion (e.g., support the configuration of storage name + container + SAS token OR the configuration of a connection string OR the configuration of a Blob SAS URL + container name).

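
The three credential shapes listed in the comment above differ only in packaging: each ends up as an account name, a container name and a SAS query string. The following is an added example (written for this thread, not Athens code and not the issue author's), showing how a backend could accept all three and normalize them into one target, while enforcing the properties that make a SAS token preferable to an account key: it rejects anything carrying an AccountKey, anything that is not a SAS token at all, tokens that are expired, tokens that permit plain http, and tokens whose `sp` permissions do not cover what the caller needs. The field names ConnectionString and BlobSasURL, and the `requiredPerms` argument, are assumptions for this example; Athens only defines AccountName, SasToken and ContainerName in the proposal.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

const blobHostSuffix = ".blob.core.windows.net"

// AzureBlobConfig mirrors the proposed [Storage.AzureBlob] keys; ConnectionString
// and BlobSasURL are assumed names for this example, not Athens settings.
type AzureBlobConfig struct {
	AccountName      string
	ContainerName    string
	SasToken         string // "sv=...&sig=...", with or without a leading "?"
	ConnectionString string // "BlobEndpoint=https://...;SharedAccessSignature=sv=..." (BlobEndpoint supplies the account)
	BlobSasURL       string // "https://acct.blob.core.windows.net/container?sv=...&sig=..."
}

// AzureBlobTarget is the one shape a blob client would consume afterwards.
type AzureBlobTarget struct {
	ContainerURL string     // https://<account>.blob.core.windows.net/<container>
	SAS          url.Values // query parameters appended to every request; never log "sig"
}

// ResolveAzureBlob normalizes whichever form is set and rejects tokens that are
// expired, not https-only, or missing the permissions the caller needs (e.g. "rcw").
func ResolveAzureBlob(cfg AzureBlobConfig, now time.Time, requiredPerms string) (*AzureBlobTarget, error) {
	var account, container, rawSAS string
	switch {
	case cfg.BlobSasURL != "":
		u, err := url.Parse(cfg.BlobSasURL)
		if err != nil || u.Scheme != "https" || !strings.HasSuffix(u.Host, blobHostSuffix) {
			return nil, fmt.Errorf("BlobSasURL must be https://<account>%s/...", blobHostSuffix)
		}
		account = strings.TrimSuffix(u.Host, blobHostSuffix)
		// Container/blob SAS URLs carry the container as the first path segment; account SAS URLs have none.
		container, _, _ = strings.Cut(strings.Trim(u.Path, "/"), "/")
		if container == "" {
			container = cfg.ContainerName
		}
		rawSAS = u.RawQuery
	case cfg.ConnectionString != "":
		kv := map[string]string{}
		for _, part := range strings.Split(cfg.ConnectionString, ";") {
			if k, v, ok := strings.Cut(part, "="); ok { // first "=" only; the SAS value contains more
				kv[strings.TrimSpace(k)] = v
			}
		}
		if _, hasKey := kv["AccountKey"]; hasKey {
			return nil, fmt.Errorf("connection string carries an AccountKey; only SAS credentials are accepted")
		}
		if ep, err := url.Parse(kv["BlobEndpoint"]); err == nil {
			account = strings.TrimSuffix(ep.Host, blobHostSuffix)
		}
		container, rawSAS = cfg.ContainerName, kv["SharedAccessSignature"]
	default:
		account, container = cfg.AccountName, cfg.ContainerName
		rawSAS = strings.TrimPrefix(cfg.SasToken, "?")
	}
	if account == "" || container == "" || rawSAS == "" {
		return nil, fmt.Errorf("account name, container name and SAS token are all required")
	}
	sas, err := url.ParseQuery(rawSAS)
	if err != nil {
		return nil, fmt.Errorf("malformed SAS token: %w", err)
	}
	if err := checkSAS(sas, now, requiredPerms); err != nil {
		return nil, err
	}
	return &AzureBlobTarget{ContainerURL: "https://" + account + blobHostSuffix + "/" + container, SAS: sas}, nil
}

// checkSAS enforces the properties that make a SAS token preferable to an account key.
func checkSAS(sas url.Values, now time.Time, requiredPerms string) error {
	if sas.Get("sig") == "" || sas.Get("sv") == "" {
		return fmt.Errorf("not a SAS token (no sig/sv); an account key is not accepted here")
	}
	if spr := sas.Get("spr"); spr != "" && spr != "https" {
		return fmt.Errorf("SAS permits protocol %q; https only", spr)
	}
	var exp time.Time // Azure writes se as RFC3339, minute precision, or a bare date
	for _, layout := range []string{time.RFC3339, "2006-01-02T15:04Z", "2006-01-02"} {
		if t, err := time.Parse(layout, sas.Get("se")); err == nil {
			exp = t
			break
		}
	}
	if exp.IsZero() || !now.Before(exp) {
		return fmt.Errorf("SAS expiry %q is missing, unparsable or in the past", sas.Get("se"))
	}
	if sp := sas.Get("sp"); strings.IndexFunc(requiredPerms, func(r rune) bool { return !strings.ContainsRune(sp, r) }) >= 0 {
		return fmt.Errorf("SAS permissions %q do not cover required %q", sp, requiredPerms)
	}
	return nil
}
```

The expiry check uses a caller-supplied clock so that a token can be re-validated on a timer and the proxy can fail loudly before Azure starts returning 403s, which is the operational cost of the short lifetimes the issue asks for. The `sig` parameter is the secret; anything that logs the resolved target should print `sv`, `se` and `sp` and drop `sig`.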
aleeekhaan commented 1 year ago

Hi, I would like to work on this.

DrPsychick commented 1 year ago

> Hi, I would like to work on this.

That would be great, @aleeekhaan. As we don't have Azure blob storage currently to test with, it would be important that you test as much as you can on your side.

aleeekhaan commented 1 year ago

Sure. Will do.