英文:
Is there a secure way to provide users with Shared Access Signature Tokens for Azure Storage containers?
问题
我的API允许用户上传和下载文件到我的Azure存储帐户。为了做到这一点,他们需要一个SAS令牌,其权限基于他们是否想要下载或上传文件。我在想是否有一种安全的方法可以向用户提供这些令牌,而不是通过更不安全的方法,比如电子邮件传递。
编辑以澄清:
我计划有数百名用户访问我的Azure存储帐户。我原本计划通过Azure自身生成我的令牌,但我一直在考虑是在API内部生成SAS令牌还是在单独的Azure函数中生成它。我的API使用NodeJS的Azure函数。
英文:
My API allows users to upload and download files to my Azure Storage account. To do this, they need a SAS token with permissions based on if they want to download or upload a file. I was wondering if there was a secure method to provide users with these tokens, other than sending it through more unsecure methods such as email.
Edit for Clarification:
I plan on having hundreds of users accessing my Azure Storage account. I was planning on generating my token through Azure itself but I have been considering generating the SAS token inside of the API or in a separate Azure Function. My API uses an Azure Function with NodeJS.
答案1
得分: 1
Proposal 1: 您可以在您的存储帐户上创建一个新的Azure函数作为代理来进行上传/下载操作。由于受托管标识管理,您不必提供SAS令牌。Azure函数上的用户授权将确保在用户不再被授权时移除权限。
Proposal 2: 您可以使用Azure函数创建一个SAS令牌,并将其发送给应用程序内的用户(可以对用户透明)。这将使您能够创建一个具有短生命周期的SAS令牌。如果客户端和服务器之间使用TLS进行通信,它将确保安全传输您的令牌。
英文:
Proposal 1: You can create a new Azure function as a proxy on your storage account for uploading/downloading. Thanks to managed identity, you won't have to provide a SAS token. User authorization on the Azure Function will ensure that the permission is removed when the user is no longer authorized.
Proposal 2: You can create a SAS token with an Azure Function and send it to the user inside your application (can be transparent to the user). This will enable you to create a SAS token with a short lifetime. If communication between clients and server uses TLS, it will guarantee secure transmission of your token.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论