This will be a short post on the subject on how to upload files to Azure Blob Storage without sharing the key or making the storage container public. This technique has been used in many projects that I’ve worked on over the years so I thought its time to share it. The trick is to use Shared Access Signatures (SAS) to limit access to what is just needed. The second part of the trick is to issue the SAS-Token just-in-time so that you avoid building unnecessary and complex code handing them out.
Upload a file from a browser to Azure Blob Storage
You can see that I create the dummy file having with a name consisting of the clients IP address combined with a guid. The reason for this is that I later process all files that the same IP address have uploaded.
Once the SAS-Token is received, the upload action starts and the progress meter tells you how you are doing in the chunked upload. As a bonus, I measure upload speed (which wasn’t so great from the hotel wifi I was using at the time).
Renaming the file when it is uploaded
When the upload is complete, we have to rename the file to it’s real name, since it has a temporary name consisting of the IP address and a guid. The real name of the file and in what folder I should be stored it is passed as http request header attributes in the REST API calls we make. Doing that makes them appear as metadata attributes on the blob file. You could extend this to pass more data together with the upload.
This means that when we process the upload, we can look into the metadata of the blob and know what the file should be named and where it should be stored. You could extend this to include a Title and Description attributes of the video file, etc, in order to meet the needs of your post processing.
The post process after the upload could be starting a media services encoding job or moving your file to some part of a digital asset management system. In my case, I just move the blob from the upload container to the container selected by the user.
When ingesting data to Azure Storage, you should not share the storage accounts key with anything that is external that you do not have direct control over, since you are really giving away full access to that storage account. You should use SAS-Tokens that only give the access needed and that only are valid for a certain time. In my case it was 30 minutes, but it may even shorter och perhaps a token valid for many months.
Generating the tokens is easy and it is quite possible to do it just-in-time for specific purposes, like the upload of a file, to reduce the burden of having some admin code part granting tokens where needed. Of course, you must have authentication somewhere to protect who’s creating the SAS-tokens and my web app should really have been forcing the user to login to be able to upload.
Shared Access Signatures documentation
Storage REST API Put Block documentation