API should generate Airlock SAS with User Delegated Key #2390
Closed
Description
As a TRE Developer
I want to generate Airlock SAS tokens for users with a User Delegated Key
So that I won't use account keys and the operation will be more secure
- See how the Airlock processor does this
- This will require the API identity to have blob read and write permission on the relevant storage accounts, since auth is the intersection of the SAS-embedded permissions and those on the user delegated key that created it. At first glance it might not look like a security improvement, but it is: not using the static account key is the improvement, as having it gave the holder (the API) full access to the entire storage account.
Acceptance criteria
- API doesn't use account keys
- API doesn't have Read Data Access permission on core or the workspace
- SAS is generated and working
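
A sketch of the approach this issue asks for, added here as an illustration and not taken from the AzureTRE code base: the container SAS is signed with a user delegation key obtained through the API's own identity, so no account key is ever loaded. The function names, the `writable` flag, the clock-skew allowance and the public-cloud endpoint suffix are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_LIFETIME = timedelta(days=7)  # Azure rejects user delegation keys valid for longer
CLOCK_SKEW = timedelta(minutes=5)     # assumed allowance for clock drift between hosts


def sas_window(ttl, now=None):
    """Return (start, expiry) in UTC, back-dated for skew and capped at the key limit."""
    if ttl <= timedelta(0):
        raise ValueError("ttl must be positive")
    now = now or datetime.now(timezone.utc)
    start = now - CLOCK_SKEW
    expiry = min(now + ttl, start + MAX_KEY_LIFETIME)
    return start, expiry


def airlock_container_sas(account_name, container_name, credential, ttl, writable=False):
    """Build a container SAS URL signed with a user delegation key, not an account key."""
    # Imported here so the module still loads where the Azure SDK is not installed.
    from azure.storage.blob import (BlobServiceClient, ContainerSasPermissions,
                                    generate_container_sas)

    start, expiry = sas_window(ttl)
    account_url = f"https://{account_name}.blob.core.windows.net"  # assumed public cloud
    # `credential` is a token credential for the API's identity, for example
    # azure.identity.DefaultAzureCredential(); an account key is never passed in.
    service = BlobServiceClient(account_url, credential=credential)
    # The identity needs a role that allows generateUserDelegationKey on the account.
    key = service.get_user_delegation_key(key_start_time=start, key_expiry_time=expiry)
    # The token's effective access is these flags intersected with the RBAC
    # permissions of the identity that requested the key.
    permission = ContainerSasPermissions(read=True, list=True, write=writable)
    token = generate_container_sas(
        account_name=account_name,
        container_name=container_name,
        user_delegation_key=key,
        permission=permission,
        start=start,
        expiry=expiry,
    )
    return f"{account_url}/{container_name}?{token}"
```

Because the key is tied to the API's identity, removing that identity's role assignment on a storage account also invalidates SAS tokens already issued for it.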