Summary
As a security-aware user, I want to be able to use Azure SAS tokens, so that I can limit the required access to the storage account to a minimum.
Context
Restic does support multiple ways of authenticating against Azure, two of which are likely to be relevant for K8up: AZURE_ACCOUNT_KEY or AZURE_ACCOUNT_SAS.
Using a SAS token is preferable, as it provides restricted access (scope-wise and permission-wise) to parts of the storage account (e.g. only the container used for backup), instead of providing all access to the entire storage account. Currently, the AzureSpec only exposes the accountKeySecretRef; it would be nice if something similar could be done for the SAS token.
Out of Scope
No response
Further links
https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#microsoft-azure-blob-storage
Acceptance Criteria
No response
Implementation Ideas
No response
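The scope and permission restriction argued for under Context can be checked on a token before it is stored as a backup credential. The sketch below is an added example, not code from this issue, K8up or restic. The name auditSAS, the allowed permission set "rwdlc", the 30-day lifetime limit and the RFC 3339 expiry format are assumptions, and the sample tokens are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// auditSAS lists the ways a SAS token is broader than a backup credential
// should be. allowedPerms and maxLife are caller-supplied assumptions.
func auditSAS(token, allowedPerms string, now time.Time, maxLife time.Duration) []string {
	q, err := url.ParseQuery(strings.TrimPrefix(token, "?"))
	if err != nil {
		return []string{"unparseable token: " + err.Error()}
	}
	var issues []string
	// ss/srt only appear in an account SAS, which spans every container.
	if q.Has("ss") || q.Has("srt") {
		issues = append(issues, "account SAS: not limited to one container")
	} else if q.Get("sr") != "c" {
		issues = append(issues, "sr="+q.Get("sr")+": expected container scope (sr=c)")
	}
	for _, p := range q.Get("sp") {
		if !strings.ContainsRune(allowedPerms, p) {
			issues = append(issues, fmt.Sprintf("permission %q not in allowed set", p))
		}
	}
	if q.Get("spr") != "https" {
		issues = append(issues, "spr is not https-only")
	}
	exp, err := time.Parse(time.RFC3339, q.Get("se"))
	switch {
	case err != nil:
		issues = append(issues, "missing or invalid expiry (se)")
	case !exp.After(now):
		issues = append(issues, "token already expired")
	case exp.Sub(now) > maxLife:
		issues = append(issues, "expiry exceeds maximum lifetime")
	}
	return issues
}

func main() {
	// Constructed sample tokens; sig values are placeholders, not real signatures.
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	scoped := "sv=2022-11-02&sr=c&sp=rwdlc&spr=https&se=2024-01-15T00:00:00Z&sig=PLACEHOLDER"
	broad := "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&spr=https,http&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"
	fmt.Println(auditSAS(scoped, "rwdlc", now, 30*24*time.Hour), auditSAS(broad, "rwdlc", now, 30*24*time.Hour))
}
```

A token issued against a stored access policy (si=) carries its permissions and expiry in the policy rather than in the token, so this check reports its expiry as missing.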