Is there a secure way to provide users with Shared Access Signature Tokens for Azure Storage containers?

Question

My API allows users to upload and download files to my Azure Storage account. To do this, they need a SAS token with permissions based on if they want to download or upload a file. I was wondering if there was a secure method to provide users with these tokens, other than sending it through more unsecure methods such as email.

Edit for Clarification:

I plan on having hundreds of users accessing my Azure Storage account. I was planning on generating my token through Azure itself but I have been considering generating the SAS token inside of the API or in a separate Azure Function. My API uses an Azure Function with NodeJS.

Answer 1

Score: 1

Proposal 1: You can create a new Azure function as a proxy on your storage account for uploading/downloading. Thanks to managed identity, you won't have to provide a SAS token. User authorization on the Azure Function will ensure that the permission is removed when the user is no longer authorized.

Proposal 2: You can create a SAS token with an Azure Function and send it to the user inside your application (can be transparent to the user). This will enable you to create a SAS token with a short lifetime. If communication between clients and server uses TLS, it will guarantee secure transmission of your token.

huangapple
  • Posted on 2023-06-01 22:50:06
  • Please keep this link when reposting: https://go.coder-hub.com/76383169.html