How can we improve Azure Storage?

Allow SASKey generation without revealing storage keys

I would like to be able to allow authorized users to generate SAS keys but not see (list) the storage account primary (master) keys. If someone is in possession of a master key, you cannot stop data exfiltration (until you become aware and change the keys). At least with an SAS key, the act of creating it can be detected (e.g., if they create an SAS token without a proper IP address restriction, etc.). Furthermore, the act of creating an SAS key is logged in the Azure Activity log.

So I would like to suggest defining a new RBAC action Microsoft.Storage/storageAccounts/createSas/action which would allow a user to generate a SAS key but not see the storage primary keys. Having this permission would also allow users to still create and access data in storage accounts without needing the Microsoft.Storage/storageAccounts/listkeys/action permission (since they technically have access via SAS keys anyway).

3 votes
Lester Waters shared this idea
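The idea above argues that SAS tokens are safer than master keys partly because a token issued without an IP restriction is detectable. The following is an added illustration of that check, not code from the post or from Azure: it parses the query-string form of an account SAS and reports the hygiene problems a reviewer would look for (no `sip` restriction, plain HTTP allowed, long expiry, write or delete permissions). The two tokens and their `sig` values are constructed for the example and are not real credentials.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)  # policy assumption for this example

# Constructed sample tokens; signatures are dummies, not real credentials.
WEAK_TOKEN = ("?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z"
              "&spr=https,http&sig=CONSTRUCTED")
HARDENED_TOKEN = ("?sv=2019-12-12&ss=b&srt=o&sp=r&st=2025-01-01T00:00:00Z"
                  "&se=2025-01-02T00:00:00Z&sip=203.0.113.5&spr=https&sig=CONSTRUCTED")


def parse_sas(token: str) -> Dict[str, str]:
    """Parse a bare SAS query string (optional leading '?') or a full SAS URL into a dict."""
    query = urlsplit(token).query if "://" in token else token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by SAS 'st'/'se' (e.g. 2025-01-02T00:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_sas(token: str, now: Optional[str] = None) -> List[str]:
    """Return policy findings for a SAS token; an empty list means it passes every check."""
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    p = parse_sas(token)
    findings: List[str] = []
    if "sip" not in p:  # the detection point the post mentions: no source IP restriction
        findings.append("no IP restriction (sip)")
    # Azure's default for an absent 'spr' is 'https,http', so a missing value also fails.
    if p.get("spr", "https,http") != "https":
        findings.append("allows plain HTTP (spr)")
    if "se" not in p:
        findings.append("no expiry (se)")
    elif _parse_time(p["se"]) - current > MAX_LIFETIME:
        findings.append(f"expiry more than {MAX_LIFETIME.days} days out (se)")
    # Any of write/delete/create/add/update means the token is more than read-only.
    if set(p.get("sp", "")) & set("wdcau"):
        findings.append(f"grants non-read permissions (sp={p.get('sp')})")
    return findings


if __name__ == "__main__":
    for label, tok in (("weak", WEAK_TOKEN), ("hardened", HARDENED_TOKEN)):
        print(label, review_sas(tok, now="2025-01-01T00:00:00Z") or ["ok"])
```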

    0 comments
