Understanding Azure Storage Container Security and Access

Posted Nov 18, 2024

Azure Storage Container Security and Access is a crucial aspect of managing your data in the cloud. Access control is enforced at the container level, allowing you to restrict access to specific users or groups.

To grant access to a container, you can use Azure RBAC (Role-Based Access Control) or Shared Access Signatures (SAS). Azure RBAC is a built-in authorization system that allows you to manage access to Azure resources at scale.

Azure RBAC roles can be assigned to users or groups, granting them specific permissions to read, write, or delete data in a container. There are several built-in roles, including Owner, Contributor, and Reader.

For more granular control, you can use Shared Access Signatures (SAS) to grant temporary access to a container. SAS tokens can be used to restrict access to specific operations, such as read or write, and can be set to expire after a specified time period.

Setting Up Azure Storage Container

To set up an Azure Storage Container, you'll need to create a new storage account first. This can be done through the Azure portal or using the Azure CLI.

Azure Storage Containers are a type of blob storage, which means you can store unstructured data such as images, videos, and documents. You can access the container using its URL.

To create a new container, navigate to the Azure portal and select the storage account where you want to create the container. Click on "Containers" and then click on the "New container" button.

Each container can have a unique name, and you can also specify a public access level for the container, such as "blob" or "container". This determines how users can access the container and its contents.

You can also configure the container's access policies, including the ability to set permissions for specific users or groups. This is done through the Azure portal's access control settings for the storage account.

Authorization and Security

Authorization with Microsoft Entra ID requires Azure RBAC built-in role Storage Blob Data Contributor or higher for creating a container.

To use Shared Access Signatures (SAS), your SAS token must contain specific permissions, including 'Blob' and 'File' service, 'Service', 'Container', and 'Object' resource types, and 'Read', 'Write', 'Delete', 'List', 'Create', 'Add', 'Update', and 'Immutable storage' permissions.

A SAS URL can be either an account level or container level URL, obtained from the Azure portal or Azure Storage Explorer. You can get a container level SAS URL by right-clicking on a container in the Azure Blob explorer in the Azure portal.

To use a container level SAS URL with rclone, you must leave the account and key blank and fill in the sas_url. This will only permit operations on a particular container, and you cannot see or access any other containers.

Here are the required permissions for a SAS token:

  • 'Blob' and 'File' service.
  • 'Service', 'Container', and 'Object' resource types.
  • 'Read', 'Write', 'Delete', 'List', 'Create', 'Add', 'Update', and 'Immutable storage' permissions.
  • Blob versioning permissions.

Authorization

Authorization is a crucial aspect of ensuring secure access to your Azure Blob Storage containers. You'll need to grant the necessary permissions to create a container, and for authorization with Microsoft Entra ID, you'll need Azure RBAC built-in role Storage Blob Data Contributor or higher.

To authenticate with Azure Blob Storage, you can use a variety of methods, including supplying credentials directly or using a Shared Access Signature (SAS) token. Rclone, for example, tries to authenticate using the account and key lines first, but you can also use a SAS token for more flexibility.

A SAS token can contain a range of permissions, including 'Blob' and 'File' service, 'Service', 'Container', and 'Object' resource types, as well as 'Read', 'Write', 'Delete', 'List', 'Create', 'Add', 'Update', and 'Immutable storage' permissions. To cover the integration's use cases, your SAS token should include these permissions.

You can obtain a SAS URL from the Azure portal or the Azure Storage Explorer, which can be used to grant temporary access to a single container or an untrusted environment. A container level SAS URL, for instance, will only permit operations on a particular container and cannot be used to access other containers.
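As an added example (not code from the article or from the rclone and XSOAR documentation it draws on), the Python below audits a SAS URL against the permission letters listed above: it tells an account-level token from a container-level one, reports missing or surplus 'sp' permissions, and flags tokens that are not HTTPS-only, already expired, or valid for longer than a chosen window. The sample URL is constructed with a placeholder in place of the signature, and the seven-day lifetime limit is an assumption used for the check, not an Azure rule.

```python
"""Audit an Azure Storage SAS URL for scope, permission letters, protocol and expiry (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Letters in the 'sp' (signed permissions) parameter that the article's integration needs.
PERMISSION_NAMES = {"r": "Read", "w": "Write", "d": "Delete", "l": "List",
                    "c": "Create", "a": "Add", "u": "Update", "i": "Immutable storage"}
# Constructed container-level SAS URL; 'sig=PLACEHOLDER' stands in for a real signature.
SAMPLE_CONTAINER_SAS = ("https://mystorageaccount.blob.core.windows.net/mycontainer"
                        "?sv=2022-11-02&sr=c&sp=rwdlcaui&se=2024-11-25T00:00:00Z&spr=https&sig=PLACEHOLDER")


def parse_sas_time(value: str) -> datetime:
    """'se' is ISO 8601, normally ending in 'Z'; a value without a zone is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas_url(url: str, now_iso: str, max_lifetime: timedelta = timedelta(days=7)) -> dict:
    """Return the SAS scope, the container it is bound to, permission gaps and audit findings."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    # An account SAS carries 'ss'/'srt'; a container-level (service) SAS carries 'sr=c' instead.
    if "srt" in q:
        scope = "account"
        for label, key, wanted in (("service", "ss", {"b", "f"}),              # Blob, File
                                   ("resource type", "srt", {"s", "c", "o"})):  # Service, Container, Object
            missing = wanted - set(q.get(key, ""))
            if missing:
                findings.append(f"missing {label}(s): {','.join(sorted(missing))}")
    elif q.get("sr") == "c":
        scope = "container"
    else:
        scope = "unknown"  # neither an account SAS ('srt') nor a container SAS ('sr=c')
    granted = set(q.get("sp", ""))
    missing_perms = sorted(set(PERMISSION_NAMES) - granted)
    extra_perms = sorted(granted - set(PERMISSION_NAMES))
    if missing_perms:
        findings.append("missing permissions: " + ",".join(missing_perms))
    if q.get("spr", "https,http") != "https":  # an absent 'spr' allows both HTTPS and HTTP
        findings.append("token not restricted to HTTPS (spr)")
    now = parse_sas_time(now_iso)
    if "se" not in q:
        findings.append("no expiry (se) set")
    elif parse_sas_time(q["se"]) <= now:
        findings.append("token already expired")
    elif parse_sas_time(q["se"]) - now > max_lifetime:
        findings.append(f"expiry more than {max_lifetime.days} days away")
    container = parts.path.strip("/").split("/")[0] if scope == "container" else None
    return {"scope": scope, "container": container, "missing_permissions": missing_perms,
            "extra_permissions": extra_perms, "findings": findings}
```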

If you're using a SAS URL, you can specify it using the `--azureblob-sas-url` flag, which takes a string value for the SAS URL. Alternatively, you can use the `--azureblob-env-auth` flag to read credentials from the runtime environment, which can be set to `true` to enable this feature.

Block Public Access

You can block public access to a container using Azure Storage. To do this, you need to specify the container name.

The `azure-storage-container-block-public-access` command requires the container name as an argument. You can use the following syntax: `!azure-storage-container-block-public-access container_name="xsoar"`. This will block public access to the container named 'xsoar'.

Public access can be set to either 'blob' or 'container' level, depending on your needs. The `--azureblob-public-access` option allows you to configure the public access level of a container. It has a string type and can be set to either 'blob' or 'container'.
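An added example (not from the article) of the defender's side of this setting: given the JSON that `az storage container list` prints, it lists the containers whose public access level is 'blob' or 'container' and builds the `az storage container set-permission ... --public-access off` command that disables anonymous access. The listing below is constructed, and the field layout (`name`, `properties.publicAccess`) is an assumption about the CLI output.

```python
"""Flag containers whose public access level is 'blob' or 'container' (added example)."""
import json

# Constructed sample in the shape 'az storage container list' prints (assumption: each entry has
# 'name' and 'properties.publicAccess', which is null when anonymous access is disabled).
SAMPLE_CONTAINER_LIST = json.dumps([
    {"name": "xsoar", "properties": {"publicAccess": None}},
    {"name": "website-assets", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": "container"}},
])

# 'container' also exposes the blob listing; 'blob' exposes blobs only to callers who know the URL.
RISK_BY_LEVEL = {"container": "high", "blob": "medium"}


def find_public_containers(listing_json: str) -> list:
    """Return (name, level, risk) for every container with anonymous access enabled, worst first."""
    exposed = []
    for entry in json.loads(listing_json):
        level = (entry.get("properties") or {}).get("publicAccess")
        if level in RISK_BY_LEVEL:
            exposed.append((entry["name"], level, RISK_BY_LEVEL[level]))
    return sorted(exposed, key=lambda e: (e[2] != "high", e[0]))


def remediation_command(account: str, name: str) -> str:
    """The az CLI command that turns anonymous access off for one container."""
    return (f"az storage container set-permission --account-name {account} "
            f"--name {name} --public-access off")
```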

Username

In terms of username configuration, you have the option of using a specific username for Azure Blob storage. This is done through the 'username' config option.

The username can also be set through an environment variable called RCLONE_AZUREBLOB_USERNAME. This is a convenient way to pass the username to the application without hardcoding it.

This option takes a string value and is not required, so you can leave it blank if you don't have a specific username to use.

Here's a quick reference to the username configuration options:

  • Config: username
  • Env Var: RCLONE_AZUREBLOB_USERNAME
  • Type: string
  • Required: false

Password

Password is a crucial aspect of authorization and security. It's a string that's used to authenticate and authorize access to various services.

The password for Azure Blob can be configured directly, but it's not required. You can also set it as an environment variable named RCLONE_AZUREBLOB_PASSWORD.

Here's a quick reference for password configuration:

  • Config: password
  • Env Var: RCLONE_AZUREBLOB_PASSWORD
  • Type: string
  • Required: false

Remember, security is all about balance. Having a password is better than not having one, but it's essential to weigh the convenience of easy access against the potential risks of unauthorized access.

Accounts

In Azure, a storage account serves as a unique namespace for your data: every object you store has an address that includes your account name, and the combination of the account name and the Blob Storage endpoint forms the base address for the objects in your storage account.

The default Blob Storage endpoint is derived from the account name, so an account called mystorageaccount is addressed as https://mystorageaccount.blob.core.windows.net.

Azure supports three types of storage accounts for Blob Storage: General-purpose v2, Block blob, and Page blob.

Container Configuration

A container in Azure Storage is essentially a directory that holds a set of blobs. You can have an unlimited number of containers in a storage account, and each container can store an unlimited number of blobs.

To name a container, you need to follow some rules. A container name must be a valid DNS name, because it forms part of the URI used to address the container and its blobs: it can be between 3 and 63 characters long, must start with a letter or number, and can contain only lowercase letters, numbers, and the dash (-) character. Two or more consecutive dash characters aren't permitted in container names.

The URI for a container is similar to https://myaccount.blob.core.windows.net/mycontainer.
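The naming rules above as a small validator, added here as an example rather than code from the article; it also rejects a name that ends in a dash, since Azure's naming rules require every dash to be followed by a letter or number, and it builds the container URI in the form shown.

```python
"""Validate an Azure Blob container name and build its URI (added example, not from the article)."""
import re

RULES = (
    ("length must be 3 to 63 characters", lambda n: 3 <= len(n) <= 63),
    ("only lowercase letters, digits and '-' are allowed", lambda n: re.fullmatch(r"[a-z0-9-]*", n) is not None),
    ("must start with a letter or digit", lambda n: re.match(r"[a-z0-9]", n) is not None),
    # Azure's rules require each dash to be surrounded by letters or digits, so a trailing dash is invalid too.
    ("must end with a letter or digit", lambda n: re.search(r"[a-z0-9]$", n) is not None),
    ("consecutive dashes are not allowed", lambda n: "--" not in n),
)


def container_name_errors(name: str) -> list:
    """Return every rule the name breaks; an empty list means the name is valid."""
    return [message for message, ok in RULES if not ok(name)]


def container_url(account: str, name: str) -> str:
    """Build https://<account>.blob.core.windows.net/<container>, refusing an invalid container name."""
    errors = container_name_errors(name)
    if errors:
        raise ValueError(f"invalid container name {name!r}: " + "; ".join(errors))
    return f"https://{account}.blob.core.windows.net/{name}"
```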

Install Packages

When working with container configuration, you need to install the necessary packages to interact with Azure services.

To install packages, navigate to your project directory.

From there, use the `dotnet add package` command to install the Azure Blob Storage and Azure Identity client libraries.

The Azure.Identity package is a must-have for passwordless connections to Azure services.

Client Object

To connect an app to Blob Storage, you need to create an instance of `BlobServiceClient`. This is done using `DefaultAzureCredential` for authorization.

You can register a service client for dependency injection in a .NET app. This allows you to easily manage and reuse the client object throughout your application.

Creating client objects for specific containers or blobs is also possible. To do this, you would create a client object for the container or blob, allowing you to interact with it directly.

Configure on Cortex XSOAR

To configure an Azure Storage Container on Cortex XSOAR, start by navigating to Settings > Integrations > Servers & Services. From there, search for Azure Storage Container and click Add instance to create and configure a new integration instance.

You'll need to fill in some parameters, including Storage account name, which is required. This is the name of your Azure Storage account.

You'll also have the option to enter an Account SAS Token, but this is not required. Similarly, you can choose to Use Azure Managed Identities, but this is also not required.

Once you've filled in the required parameters, click Test to validate the URLs, token, and connection.

Access Tier

If you're using Azure Blob Storage with rclone, you'll need to configure the access tier for your blobs.

The access tier determines how your blobs are stored and accessed. You can choose from hot, cool, cold, or archive.

If you don't specify an access tier, rclone won't apply any tier, and you'll need to configure it manually.

To configure the access tier, you can use the access_tier config option or the RCLONE_AZUREBLOB_ACCESS_TIER environment variable.

The access tier can be set to hot, cool, cold, or archive, and it's required for archived blobs to be restored.

Here are the ways to configure the access tier:

  • Config: access_tier
  • Env Var: RCLONE_AZUREBLOB_ACCESS_TIER
  • Type: string
  • Required: false

Keep in mind that if you set the access tier to archive, you won't be able to perform data transfer operations from the remote storage. You'll need to restore the blob by setting the access tier to hot, cool, or cold first.

Endpoint

When configuring your container, you'll want to pay attention to the endpoint. The endpoint for the service can be specified in the config or through an environment variable.

You can set the endpoint through the RCLONE_AZUREBLOB_ENDPOINT environment variable. This allows you to customize the endpoint without modifying the config file.

The endpoint is optional: leave it blank to use the default endpoint for your storage account, and set it only when you need a custom one.

Here's a summary of the endpoint options:

  • Config: endpoint
  • Env Var: RCLONE_AZUREBLOB_ENDPOINT
  • Type: string
  • Required: false

Chunk Size

Chunk size is an important setting for optimizing performance when working with Azure Blob storage. The default chunk size is 4Mi, which can be adjusted using the `--azureblob-chunk-size` flag or the `RCLONE_AZUREBLOB_CHUNK_SIZE` environment variable.

This setting determines the size of each chunk stored in memory, and it's worth noting that up to `--transfers` * `--azureblob-upload-concurrency` chunks may be stored at once. This can have a significant impact on memory usage, so it's essential to choose a chunk size that balances performance with memory constraints.

You can adjust the chunk size to suit your needs, but be aware that larger chunk sizes can improve upload performance at the cost of increased memory usage.

Frequently Asked Questions

What is container storage in Azure?

Azure Container Storage is a cloud service that helps manage storage volumes for container applications, allowing them to run anywhere on Kubernetes. It's a native solution for stateful containers, ideal for production-scale deployments.

What is the difference between container and blob in Azure storage?

In Azure Storage, a container is a collection of related data, while a blob is a single entity of binary data with properties and metadata. Think of a container as a folder and a blob as a file within it.

What is the difference between container and folder in Azure?

In Azure Blob Storage, a container is a top-level object that holds an unlimited number of blobs, while a folder is a virtual directory within a container that can also contain other folders and blobs. This key difference helps you organize and structure your data effectively in Azure.

Gilbert Deckow

Senior Writer