0 Votes
bombbe asked VaibhavChaudhari commented

Access to Storage Account

Hello,
If I have a Storage Account with the network configuration "access from all networks", does this mean everybody can read or even download blobs (private) inside the storage account from everywhere, or do they still need SAS or access keys?

azure-storage-accounts azure-blob-storage

1 Vote
VaibhavChaudhari answered VaibhavChaudhari commented

Right, users would need access to the Azure subscription and some role like reader or contributor, or SAS or access keys, to access the storage account.

Some orgs have strict policies where they implement an extra layer of security in such a way that only users belonging to a specific network or under an IP can access the storage account.

Read - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal


Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav


Hi, so even though the storage account would be accessible from "all networks", it does not really mean it. I mean, if you don't have a SAS token, access keys or a role on the storage account, you have no access to files in storage accounts (not even to read them).


Right, you got it.

0 Votes
learn2skills answered

Hi @bombbe

You should configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. Once network rules are applied, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but don't grant new access beyond configured network rules.

An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.

Refer - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal


If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
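
The two checks described in the answers above (network rules first, then authorization), as an added example that is not part of the original thread and not Azure's own code. It is a simplified Python model: the class and function names, the credential labels and the sample IP addresses are constructed for illustration, only IP rules (not VNet rules) are modeled, and blobs are assumed private as in the question.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class NetworkRules:
    default_action: str = "Allow"   # "Allow" models "access from all networks"
    ip_rules: List[str] = field(default_factory=list)  # CIDRs admitted when "Deny"

@dataclass
class Request:
    source_ip: str
    credential: Optional[str] = None    # "azure_ad_role", "access_key", "sas" or None
    sas_ip_range: Optional[str] = None  # optional IP restriction carried by a SAS

def in_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def network_allows(rules: NetworkRules, req: Request) -> bool:
    # Gate 1: network rules, enforced for every request regardless of credential.
    if rules.default_action == "Allow":
        return True
    return any(in_range(req.source_ip, cidr) for cidr in rules.ip_rules)

def authorized(req: Request) -> bool:
    # Gate 2: the request still needs a role, an account key or a SAS.
    if req.credential in ("azure_ad_role", "access_key"):
        return True
    if req.credential == "sas":
        # An IP-restricted SAS can only narrow access, never widen gate 1.
        return req.sas_ip_range is None or in_range(req.source_ip, req.sas_ip_range)
    return False

def evaluate(rules: NetworkRules, req: Request) -> str:
    if not network_allows(rules, req):
        return "denied: network rules"
    if not authorized(req):
        return "denied: no valid authorization"
    return "allowed"

if __name__ == "__main__":
    # Constructed sample data (documentation IP ranges).
    open_rules = NetworkRules()
    locked = NetworkRules("Deny", ["203.0.113.0/24"])
    print(evaluate(open_rules, Request("198.51.100.7")))                # no credential
    print(evaluate(open_rules, Request("198.51.100.7", "access_key")))
    print(evaluate(locked, Request("198.51.100.7", "sas", "198.51.100.0/24")))
    print(evaluate(locked, Request("203.0.113.10", "sas", "203.0.113.10/32")))
```

The third case is the one the second answer describes: a SAS scoped to the caller's own IP is still refused because that IP is outside the configured network rules.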

