Hey everyone, I'm new to setting up Azure Storage Accounts and I'm hoping to find a way for any VM or VMSS in my tenant to download files without needing to deal with tokens, credentials, or SAS. In AWS, I could create an S3 bucket with a policy that lets any instance in the organization read from it easily. Is there a similar feature in Azure or a different service that can achieve this? I've been reading up and trying things for hours but I'm stuck. Any insights or guidance would be super helpful!
3 Answers
I really wouldn't recommend allowing anonymous access for storage. The best practice is to give your VMs either system managed or user managed identity credentials. Just assign them the 'storage blob contributor' role on your storage account and you'll be all set! This keeps things secure and manageable.
Exactly! Plus, if you're accessing only from a private network, make sure to enable a private endpoint and configure the private DNS zone.
You can technically use blob containers with anonymous access by generating direct URLs, but it’s risky. I use it for non-sensitive files like shared backgrounds occasionally, but you’ll get flagged by Microsoft’s security tools for that. If your VMs are in Azure, definitely consider identity-based access.
Yeah, just be careful if you go down that route! Setting up a private endpoint is a smart move if you're only using Azure VMs.
Good point! Keeping it secure with managed identities is the best way to avoid potential issues.
Yeah, definitely avoid anonymous access for storage accounts. It's really not secure. Going the user assigned identity route is much safer, and you'll find it easier to manage without extra overhead.
For sure! I’d avoid anonymous access completely, especially with Azure's security recommendations.
Totally agree! Going with an identity credential is definitely the way to go.