API should generate Airlock SAS with User Delegated Key #2390

Closed
3 tasks
tamirkamara opened this issue Aug 2, 2022 · 0 comments · Fixed by #2460

Description

As a TRE Developer
I want to generate Airlock SAS tokens for users with a User Delegated Key
So that I won't use account keys and the operation will be more secure

  • See how the Airlock processor does this
  • This will require the API identity to have blob read and write permission on the relevant storage accounts, since auth is the intersection of the permissions embedded in the SAS and those on the user delegated key that created it. At first glance it might not look like a security improvement, but it is: not using the static account key is the improvement, as having it gave the holder (API) full access to the entire storage account.

Acceptance criteria

  • API doesn't use account keys
  • API doesn't have Read Data Access permission on core or the workspace
  • SAS is generated and working
tamirkamara added the api (Composition Service API), story (Stories are the smallest unit of work to be done for a project.) and airlock labels Aug 2, 2022
tamirkamara added this to the Release 0.5 milestone Aug 2, 2022