Azure Storage Account - Container level access and ACL

Question

Azure Storage Account

In one of our use case, we would like to use Azure Storage for sharing it with customers so that they can upload their data to us. In that context, we are planning to create storage account per customer. In order for customer to access the account, we are planning to share the storage account keys.

We are facing following issues

1. How to create keys specific to azure storage account container, so that customer can only access specific container.
2. Is it possible to have individual keys and access at container level.
   • For certain container, we want to give read-write access.
   • For others, we want to give only read access.
3. If i have storage account keys, does that mean i have access to everything under that storage account.

Is there a better solution to this ? Essentially we need a ftp site for customers to upload data.

Answer 1

Sounds like you want to use a shared access signature (SAS):

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.

Answer 2

You can't have access key for a container level, there are for the whole Storage Account

To give access at a container level (or even finer grain) you need a Shared Access Signature. Documentation here

You can have as many SAS as you need, and you are allowed to define them with the desired permissions (read, read-write etc...)