Does Azure Shared Access Signature mean anyone can access my blobs?

Question

I am writing a backup service to backup a SQL database and save it in cloud storage. I have actually implemented this already with Amazon S3 but as the application will be distributed to customers, I cannot have the API keys stored with the application. I considered using a web service to provide the keys, but it's not my best option at this time (Because it still leaves the possibility of keys being stolen.)

So I was looking into Windows Azure, the Blob Service and saw they have these Shared Access Signatures that can be used to provide access to resources in the cloud. You can also use the signature to put blobs in the cloud. But reading through the MSDN docs, I can't help but think this is an insecure system. Anyone who knows 1. the exact names of containers for my account and 2. how to form the signature will be able to access the objects. You do not need a secret key when using this signature. At least that is my impression reading the docs.

So finally to my question. Am I correct in my assessment of the shared access signatures with Azure, if not, why? And can anyone suggest an alternative way of doing what I am trying to accomplish.

Answer 1

Shared Access Signatures can be scoped at either a specific container or a specific blob. They can then specify what permissions they give (read, write, list blobs), and they can specify how long they're valid.

The only way to create a SAS is to have the storage key, but anyone who has the SAS can use it to do what it allows them to.

It sounds like you want to allow all your customers to write blobs but not read them? If so, a SAS that only specifies write permissions should do the trick.

But I assume you also want to limit (or meter) usage by individually customers? If so, you'll probably need something active on the server (a web service?) that authorizes each use and generates a specific, short-expiry SAS to allow that operation. Then you can track and bill for each use.