icidasset / diffuse

A music player that connects to your cloud/distributed storage.
https://diffuse.sh

Azure blob storage: use SAS token instead of storage account key? #364

Open jcmrva opened 1 year ago

jcmrva commented 1 year ago

MS kind of discourages using the keys for anything: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#protect-your-access-keys

It would be great if we could use a shared access token instead b/c they can be scoped to the container. Are there any technical issues blocking that?

I should be able to work on this but not for a week or so.

icidasset commented 1 year ago

Hey! Thanks for creating this issue. I'm not entirely sure what shared access tokens are exactly.

I saw that you can generate a "shared access signature" in the portal, which looks very similar to what we're generating here in the Diffuse: https://github.com/icidasset/diffuse/blob/b5133ee70cbc43d09baea0756871534288f6acfd/src/Library/Sources/Services/Azure/Authorization.elm#L152-L165

So I'm guessing that it's the same as that, but just generated ahead of time?

We could change the following: https://github.com/icidasset/diffuse/blob/b5133ee70cbc43d09baea0756871534288f6acfd/src/Library/Sources/Services/AzureFile.elm#L47-L48

to something like:

{ key = "accountKeyOrToken"
, label = "Account key, or SAS token"

And then use the token instead of the signature Diffuse generates? Honestly not sure if that'll work though, but definitely worth a try 👍

Resources:

jcmrva commented 1 year ago

> So I'm guessing that it's the same as that, but just generated ahead of time?

Looks like it! I've actually never seen them generated this way.

I'm not sure they can be distinguished from each other programmatically. It might need a [ ] SAS token checkbox or something.

icidasset commented 1 year ago

Yeah, I wanted to emulate the Amazon S3 presigned URL behaviour. Don't remember if this was the only option or not. Anyhow, looks like a SAS token is easy to recognise because it starts with a ? character. And even if that's missing, it should still look like a query string, so you can recognise it that way. The account key is base64, so if it has any character not belonging to the base64 character set, it'll be the SAS token (i.e. the & and = characters).

I don't have much time to work on this project, so any PRs are very welcome ☺️
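The recognition heuristic described in the comment above (a SAS token is a query string, usually with a leading `?`; an account key is base64), written out as an added JavaScript example. This is not Diffuse's own code and the function names are hypothetical; the query parameter names `sv`, `sig`, `sr`, `srt`, `sp`, `se` and `spr` are the real Azure SAS parameters, while the sample key and token are constructed placeholders, not real credentials. Beyond the classification itself it also reads the token's scope and expiry, which is what makes a container-scoped SAS preferable to the account key in the first place, and shows how the pre-generated token would be appended to a blob URL instead of signing each request.

```javascript
// Added example, not Diffuse's own code: tell an Azure storage account key
// apart from a SAS token the way the thread describes, inspect the SAS scope,
// and append the token to a blob URL. Function names are hypothetical.

// Account keys are base64: '=' may only appear as trailing padding, and '&'
// never appears, so a query string can never pass this test.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Every SAS token carries at least a version (sv) and a signature (sig).
const SAS_REQUIRED = ["sv", "sig"];

// Constructed sample credentials (not real): an 88-char base64 key and a
// container-scoped, read+list, HTTPS-only service SAS.
const SAMPLE_KEY = "a".repeat(86) + "==";
const SAMPLE_SAS =
  "?sv=2022-11-02&sr=c&sp=rl&se=2030-01-01T00:00:00Z&spr=https" +
  "&sig=FAKE%2Bnot%2Freal%3D";

// Decide what kind of credential the user pasted into the "key or token" field.
function classifyAzureCredential(raw) {
  const value = raw.trim();
  if (value === "") return { kind: "invalid", reason: "empty" };

  // A SAS token is a URL query string, normally copied with its leading "?",
  // but it is still recognisable when the "?" is missing.
  const query = value.startsWith("?") ? value.slice(1) : value;
  const params = new URLSearchParams(query);
  if (SAS_REQUIRED.every((k) => params.has(k))) {
    return { kind: "sas", params };
  }

  // Otherwise it must look like a base64 account key.
  if (BASE64_RE.test(value) && value.length % 4 === 0) {
    return { kind: "accountKey" };
  }
  return { kind: "invalid", reason: "neither base64 key nor SAS query string" };
}

// Summarise what the token grants: resource scope (sr=c is one container,
// sr=b one blob; srt/ss mean an account-wide SAS), permissions and expiry.
function describeSas(params) {
  return {
    resource: params.get("sr") ?? (params.has("srt") ? "account" : null),
    permissions: params.get("sp") ?? "",
    expiry: params.get("se"),
    httpsOnly: params.get("spr") === "https",
  };
}

// True when the token's expiry (se) has passed at `now`, or when no expiry is set.
function isSasExpired(params, now = new Date()) {
  const se = params.get("se");
  return !se || new Date(se) <= now;
}

// Permission letters the token grants beyond what a read-only player needs
// (r = read, l = list). A non-empty result means the token is over-scoped.
function excessPermissions(params, needed = "rl") {
  return [...(params.get("sp") ?? "")].filter((p) => !needed.includes(p)).join("");
}

// Use the pre-generated token instead of signing each request: append the
// query string to the blob URL, keeping any query the URL already has.
function withSasToken(resourceUrl, sas) {
  const query = sas.trim().replace(/^\?/, "");
  const url = new URL(resourceUrl);
  url.search = url.search ? `${url.search}&${query}` : `?${query}`;
  return url.toString();
}

// Stand-alone demo.
const result = classifyAzureCredential(SAMPLE_SAS);
if (result.kind === "sas") {
  console.log(describeSas(result.params));
  console.log(withSasToken("https://account.blob.core.windows.net/music/song.mp3", SAMPLE_SAS));
}
```

The base64 test is deliberately strict (padding only at the end, length a multiple of four) so that a query string with `=` in the middle can never be mistaken for a key; the SAS check runs first so that a token missing its `?` is still accepted. `excessPermissions` is the check worth surfacing in the UI: a player only needs `rl`, so a token carrying write or delete rights should be flagged rather than silently stored.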