Role-Based Access for Storage Account
Disclaimer: The following is my sole opinion and does not necessarily reflect those of my current employer.
As we are all aware, PaaS services were born on HTTP and an OAuth-style model.
This roughly translates to needing a strong key for the Azure resource to be able to Create/Read/Update/Delete (CRUD).
So hanging your data off a strong key that sits in public is not a good security posture. I will talk about security later, as it is a big topic [stay tuned]. Also, the identity using a key is not captured or audited, i.e. it is harder to tell whether a key was used by a web app or by a human. That is where Key Vault addresses security and auditing to some extent.
Thanks to Microsoft for incorporating the AD capability directly into Storage accounts, i.e. you can use the out-of-the-box (OOTB) role(s) such as:
Storage Blob Data Contributor
But the current roles only cover Blobs, Containers, Queues and Messages.
It would be nice for Microsoft to extend the same model to File Shares and Tables too.
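An added example, not from the original post, of putting the built-in role to work with Azure PowerShell: it assigns Storage Blob Data Contributor to a service principal at the scope of a single container and then reads blobs with the signed-in identity rather than the account key. The subscription, resource group, account, container and principal IDs are placeholders; it assumes the Az modules (Az.Accounts, Az.Resources, Az.Storage) are installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): identity-based access to ONE
# container with the built-in role named in the post, instead of the account
# key. Every "<...>" value is a placeholder; the role names are real built-in
# roles. Requires the Az modules and a prior Connect-AzAccount.

$subscriptionId    = "<subscription-id>"               # placeholder
$resourceGroup     = "<resource-group>"                # placeholder
$storageAccount    = "<storage-account>"               # placeholder
$container         = "<container-name>"                # placeholder
$principalObjectId = "<service-principal-object-id>"   # placeholder

# Scope the assignment to a single container rather than the whole account.
# This is the least-privilege benefit you do not get with the account key,
# which is all-or-nothing for every service in the account.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/blobServices/default/containers/$container"

# Contributor grants write and delete as well; if the principal only needs
# to read, the built-in "Storage Blob Data Reader" role is the smaller grant.
$roleName = "Storage Blob Data Contributor"

# Idempotent: only create the assignment if it does not already exist.
$existing = Get-AzRoleAssignment -ObjectId $principalObjectId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalObjectId `
        -RoleDefinitionName $roleName `
        -Scope $scope
}

# Data-plane access with the signed-in identity (-UseConnectedAccount):
# no account key is retrieved or handed to the script, and the request is
# logged against the principal, which closes the audit gap the post describes
# for key-based access. As the post notes, these roles cover blobs and
# queues, not file shares or tables.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
Get-AzStorageBlob -Container $container -Context $ctx |
    Select-Object Name, Length, LastModified
```

Run it as the identity that will be audited; if the listing fails with an authorization error a few minutes after the assignment, that is normal propagation delay for role assignments, not a scope mistake.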
Join me in voting on UserVoice.
Happy to be corrected by your suggestions and comments.
thanks