Support for authentication to Azure Blob Storage using a SAS token #1813

Open
edoboker opened this issue Jan 18, 2023 · 3 comments
Labels
enhancement New feature or request good first issue Great issues for new Athenians to work on!


@edoboker

Currently, Athens supports Azure Blob Storage as a storage backend but only supports authenticating to that storage account via a storage account key (as documented here). In some environments (usually due to security concerns) the usage of SAS tokens is encouraged (as they have a limited lifetime, and can be narrowed down to specific roles and scopes); support for such a configuration would only require a slightly different authentication process.

A potential solution might look like this:

# StorageType sets the type of storage backend the proxy will use.
# Env override: ATHENS_STORAGE_TYPE
StorageType = "azureblob"

[Storage]
    [Storage.AzureBlob]
        # Storage Account name for Azure Blob
        # Env override: ATHENS_AZURE_ACCOUNT_NAME
        AccountName = "MY_AZURE_BLOB_ACCOUNT_NAME"

        # SAS token to use with the storage account
        # Env override: ATHENS_AZURE_SAS_TOKEN
        SasToken = "MY_AZURE_BLOB_SAS_TOKEN"

        # Name of container in the blob storage
        # Env override: ATHENS_AZURE_CONTAINER_NAME
        ContainerName = "MY_AZURE_BLOB_CONTAINER_NAME"

Currently, there's no alternative to SAS tokens. In my environment, the only solution was to create a dedicated storage account for Athens where an exception to the security policy could be made (the exception being a storage account where account keys are used instead of SAS tokens).

Additional details:

  1. There's a lot of confusion between SAS tokens, SAS URLs (specifically Blob SAS URL) and connection strings in Azure storage account. It would be nice to support all three options in a user-friendly fashion (e.g., support the configuration of storage name + container + SAS token OR the configuration of a connection string OR the configuration of a Blob SAS URL + container name).
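
Added example, not part of the issue and not Athens code: one way to normalize the three input forms named above into a single endpoint plus parsed SAS parameters, and to check the token's `se` expiry before use. `ParseSAS` and `SASCreds` are hypothetical names; the sketch assumes the connection string carries `BlobEndpoint` and `SharedAccessSignature` keys and that bare tokens target the public `blob.core.windows.net` endpoint.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

type SASCreds struct {
	Endpoint string     // https://ACCOUNT.blob.core.windows.net
	Token    url.Values // SAS query parameters: sv, se, sp, sig, ...
}

// ParseSAS (hypothetical, not an Athens API) takes a bare SAS token, a Blob SAS URL or a connection string.
func ParseSAS(input, account string) (SASCreds, error) {
	var endpoint, rawToken string
	switch {
	case strings.Contains(input, "SharedAccessSignature="): // connection string
		for _, part := range strings.Split(input, ";") {
			if k, v, _ := strings.Cut(part, "="); k == "BlobEndpoint" {
				endpoint = strings.TrimSuffix(v, "/")
			} else if k == "SharedAccessSignature" {
				rawToken = v
			}
		}
	case strings.HasPrefix(input, "https://"): // Blob SAS URL
		if u, err := url.Parse(input); err == nil {
			endpoint, rawToken = "https://"+u.Host, u.RawQuery
		}
	case account != "": // bare token plus account name
		endpoint, rawToken = "https://"+account+".blob.core.windows.net", strings.TrimPrefix(input, "?")
	}
	q, err := url.ParseQuery(rawToken)
	if err != nil || endpoint == "" || q.Get("sig") == "" {
		return SASCreds{}, errors.New("not a usable SAS credential")
	}
	return SASCreds{Endpoint: endpoint, Token: q}, nil
}

// Expired fails closed: a missing or non-RFC 3339 se value counts as expired.
func (c SASCreds) Expired(now time.Time) bool {
	se, err := time.Parse(time.RFC3339, c.Token.Get("se"))
	return err != nil || !now.Before(se)
}

func main() { // constructed sample token, not a real credential
	fmt.Println(ParseSAS("?sv=2021-08-06&se=2023-01-19T00:00:00Z&sp=rl&sig=CONSTRUCTED", "acct"))
}
```

Checking `se` (and logging `sp` without `sig`) at startup gives an operator a clear failure when a short-lived token has lapsed, instead of opaque 403 responses from the storage backend.
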
@aleeekhaan

Hi, I would like to work on this.

@DrPsychick
Member

> Hi, I would like to work on this.

That would be great, @aleeekhaan.
As we don't have Azure blob storage currently to test with, it would be important that you test as much as you can on your side.

@aleeekhaan

Sure. Will do.

@DrPsychick DrPsychick added this to the 0.13.x thereafter milestone May 7, 2023
@matt0x6F matt0x6F added good first issue Great issues for new Athenians to work on! enhancement New feature or request labels Mar 26, 2024