Description
Currently, Athens supports Azure Blob Storage as a storage backend, but only supports authenticating to that storage account via a storage account key (as documented here). In some environments (usually due to security concerns) the use of SAS tokens is encouraged instead: they have a limited lifetime and can be narrowed down to specific permissions and resources, whereas an account key grants full access to the whole storage account and never expires unless it is rotated. Supporting such a configuration would only require a slightly different authentication process.
A potential solution might look like this:
```toml
# StorageType sets the type of storage backend the proxy will use.
# Env override: ATHENS_STORAGE_TYPE
StorageType = "azureblob"

[Storage]
    [Storage.AzureBlob]
        # Storage Account name for Azure Blob
        # Env override: ATHENS_AZURE_ACCOUNT_NAME
        AccountName = "MY_AZURE_BLOB_ACCOUNT_NAME"

        # SAS token to use with the storage account
        # Env override: ATHENS_AZURE_SAS_TOKEN
        SasToken = "MY_AZURE_BLOB_SAS_TOKEN"

        # Name of container in the blob storage
        # Env override: ATHENS_AZURE_CONTAINER_NAME
        ContainerName = "MY_AZURE_BLOB_CONTAINER_NAME"
```
Currently, there's no alternative to SAS tokens. In my environment, the only solution was to create a dedicated storage account for Athens where an exception to the security policy could be made (the exception being a storage account where account keys are used instead of SAS tokens).
Additional details:
- There's a lot of confusion between SAS tokens, SAS URLs (specifically the Blob SAS URL) and connection strings in Azure storage accounts: a SAS token is just the signed query string (`sv=...&sp=...&se=...&sig=...`), a Blob SAS URL is the container or blob URL with that query string appended, and a connection string is a `Key=Value;` list that carries either an account key (`AccountKey=...`) or a SAS (`SharedAccessSignature=...`). It would be nice to support all three options in a user-friendly fashion (e.g., storage account name + container + SAS token, OR a connection string, OR a Blob SAS URL + container name).
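As an added example (not code from the Athens project or from this issue), here is the normalisation a config loader could do to accept all three forms listed above and collapse them onto the account + container + SAS token layout of the proposed config; it is in Go because Athens is. It uses only the standard library. The type and function names, the `rwl` (read/write/list) permission minimum and the sample token (a constructed one with a fake signature) are assumptions, and it assumes the standard `<account>.blob.<suffix>` endpoint shape rather than Azurite-style path-based endpoints. `CheckSAS` is the start-up check a proxy should run before trusting a pasted token: it rejects an already expired `se`, a permission set (`sp`) missing what the proxy needs, and a token with no `se` at all (which also rejects tokens that defer expiry to a stored access policy).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AzureBlobTarget is the one shape that all three user-facing inputs collapse into.
type AzureBlobTarget struct {
	Endpoint  string     // e.g. https://myaccount.blob.core.windows.net
	Container string
	SAS       url.Values // parsed SAS query parameters (sv, sp, se, sig, ...)
}

// ContainerURL is the container URL with the SAS appended: what an anonymous-credential blob client is pointed at.
func (t AzureBlobTarget) ContainerURL() string {
	return strings.TrimRight(t.Endpoint, "/") + "/" + t.Container + "?" + t.SAS.Encode()
}

// ErrAccountKey flags the common mix-up of pasting a key-based connection string where a SAS is expected.
var ErrAccountKey = errors.New("connection string carries an AccountKey, not a SAS; configure AccountKey instead")

// parseSAS accepts the token with or without its leading '?' and insists on the parameters every SAS carries.
func parseSAS(token string) (url.Values, error) {
	v, err := url.ParseQuery(strings.TrimPrefix(strings.TrimSpace(token), "?"))
	if err != nil || v.Get("sv") == "" || v.Get("sig") == "" {
		return nil, errors.New("not a SAS token: need at least the sv and sig query parameters")
	}
	return v, nil
}

// FromBlobSASURL covers the portal's "Blob SAS URL". A container named in the URL path wins over the config value.
func FromBlobSASURL(raw, container string) (AzureBlobTarget, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return AzureBlobTarget{}, fmt.Errorf("invalid blob endpoint URL %q", raw)
	}
	sas, err := parseSAS(u.RawQuery)
	if err != nil {
		return AzureBlobTarget{}, err
	}
	if p := strings.Trim(u.Path, "/"); p != "" {
		container = strings.SplitN(p, "/", 2)[0]
	}
	if container == "" {
		return AzureBlobTarget{}, errors.New("container name is in neither the SAS URL nor the config")
	}
	return AzureBlobTarget{u.Scheme + "://" + u.Host, container, sas}, nil
}

// FromSASToken covers AccountName + ContainerName + SasToken, the layout in the proposed config above.
func FromSASToken(account, container, token string) (AzureBlobTarget, error) {
	return FromBlobSASURL("https://"+account+".blob.core.windows.net/"+container+"?"+token, container)
}

// FromConnectionString covers "BlobEndpoint=...;SharedAccessSignature=..."; the container is never part of it.
func FromConnectionString(cs, container string) (AzureBlobTarget, error) {
	kv := map[string]string{}
	for _, seg := range strings.Split(cs, ";") {
		if k, v, ok := strings.Cut(seg, "="); ok { // the SAS value contains '=' itself, so cut on the first one only
			kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if kv["AccountKey"] != "" {
		return AzureBlobTarget{}, ErrAccountKey
	}
	return FromBlobSASURL(strings.TrimRight(kv["BlobEndpoint"], "/")+"/"+container+"?"+kv["SharedAccessSignature"], container)
}

// CheckSAS is the start-up check to run before trusting the token; "rwl" (read/write/list) is assumed as Athens' minimum.
func CheckSAS(t AzureBlobTarget, now time.Time, required string) error {
	se := t.SAS.Get("se")
	exp, err := time.Parse(time.RFC3339, se)
	if err != nil { // Azure also accepts a date-only expiry
		if exp, err = time.Parse("2006-01-02", se); err != nil {
			return fmt.Errorf("se (expiry) %q is not a valid SAS timestamp", se)
		}
	}
	if !now.Before(exp) {
		return fmt.Errorf("SAS expired at %s", exp.UTC().Format(time.RFC3339))
	}
	for _, r := range required {
		if !strings.ContainsRune(t.SAS.Get("sp"), r) {
			return fmt.Errorf("SAS permissions %q lack %q", t.SAS.Get("sp"), r)
		}
	}
	return nil
}

const exampleSAS = "sv=2022-11-02&ss=b&srt=co&sp=rwl&se=2030-01-01T00:00:00Z&spr=https&sig=Zm9v%2FYmFy%3D" // constructed; fake signature

func main() {
	t, err := FromSASToken("myaccount", "gomods", exampleSAS)
	fmt.Println(t.ContainerURL(), err, CheckSAS(t, time.Now(), "rwl"))
}
```

All three entry points end in `FromBlobSASURL`, so there is a single place that validates the endpoint, the container and the token; a key-based connection string is refused with `ErrAccountKey` rather than silently failing later, because that is exactly the mix-up the list item above describes. `CheckSAS` deliberately fails closed on an unparseable or missing expiry: a proxy that starts with a token whose lifetime it cannot read has no way to alert before the token stops working.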