Azure Function to download blobs with OAuth token

Benmehidi, Hamza (TI-CSTI) 1 Reputation point
2021-06-11T14:30:32.817+00:00

I have a huge set of PDFs that are stored in a blob container (let's call it demo_container); within each PDF file there are links to other PDFs (the links also redirect to the blob).

I'm looking for a way to make sure that the links will work only if the user has the rights (configured through IAM) to access that blob; the idea behind this is that even if somebody steals one PDF, they won't be able to open the other ones.

This requires using OAuth in order to get the token etc. I ended up thinking that I need to create a function that would act as a redirector (typically, links in the PDFs would call my API with the name of the desired file in the query). First of all, am I right so far? Or is there an easier way to do this?

In order to go as fast as possible (and since it shouldn't be something requiring too much programming), I went with PowerShell code, did the app registration of my app and gave it access to the Storage_API (with user impersonation) and Graph_API, just as stated in the MS docs.

When I call my API in my browser I get the MS authentication page and everything works fine. In my code I try to make sure that the token was passed correctly, so I download a blob within the context of the function and check its size. The thing is, it should work only if I log in with an account that has the right to connect to this blob (IAM is configured on the storage account and the container), but I don't know why the script works the same no matter who is authenticated.
My code to test:

    using namespace System.Net

    # Input bindings are passed in via param block.
    param($Request, $TriggerMetadata)

    # Write to the Azure Functions log stream.
    Write-Host "PowerShell HTTP trigger function processed a request."

    # Interact with query parameters or the body of the request.
    # ($name is read here but not yet used; the blob name below is still hard-coded.)
    $name = $Request.Query.Name

    # Note: the .Context returned by Get-AzStorageAccount is built from the storage
    # account key, so every download below runs with the function's own credentials,
    # not with the token of the signed-in caller.
    $context = (Get-AzStorageAccount -Name "xxxx" -ResourceGroupName "yyyy").Context
    $temp = Get-AzStorageBlobContent -Container "blob1" -Blob "sample.pdf" -Destination ".\" -Context $context -Force
    $body = "Size of the file is " + ($temp.Length)

    # Associate values to output bindings by calling 'Push-OutputBinding'.
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode  = [HttpStatusCode]::OK
        ContentType = 'text/html'
        Body        = $body
    })

I'm very confused, since it is quite weird that the function can access the blob (no SAS is used anywhere in the function) with tokens from users that shouldn't be able to. All help is welcome.

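As an added example (not the poster's code), the same function rewritten so that the blob is fetched with the caller's own access token instead of the storage account key, which is what makes Azure Storage evaluate the signed-in user's IAM role assignments. It assumes App Service Authentication (Easy Auth) is enabled on the Function App with the token store on and the Storage user_impersonation scope requested, so the caller's token arrives in the X-MS-TOKEN-AAD-ACCESS-TOKEN header; the account and container names are placeholders taken from the question.

```powershell
using namespace System.Net

param($Request, $TriggerMetadata)

# Assumption: Easy Auth is configured to request https://storage.azure.com/user_impersonation,
# so this header carries an access token issued to the signed-in user for Azure Storage.
$userToken = $Request.Headers['X-MS-TOKEN-AAD-ACCESS-TOKEN']
$name      = $Request.Query.Name

# Reject empty input and anything that could escape the fixed container path
# (slashes, query or fragment characters); callers may only name a single blob.
if (-not $userToken -or -not $name -or $name -match '[/\\?#]') {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = 'A signed-in caller and a plain file name are required.'
    })
    return
}

$account   = 'xxxx'             # placeholder storage account name from the question
$container = 'demo_container'   # container name used in the question
$blobUri   = "https://$account.blob.core.windows.net/$container/$([uri]::EscapeDataString($name))"

try {
    # The bearer token is the caller's, so Storage checks the caller's data-plane RBAC
    # (e.g. Storage Blob Data Reader on the container), not the function's permissions.
    $resp = Invoke-WebRequest -Uri $blobUri -Method Get -Headers @{
        Authorization  = "Bearer $userToken"
        'x-ms-version' = '2020-04-08'
    }
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode  = [HttpStatusCode]::OK
        ContentType = 'application/pdf'
        Body        = $resp.Content      # raw PDF bytes returned by Storage
    })
}
catch {
    # Storage answers 403 when the signed-in user has no read role on this blob and 404
    # when the blob does not exist; pass the status through rather than masking it.
    $status = [HttpStatusCode]::BadGateway
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    Write-Host "Blob fetch for '$name' failed with HTTP $status"
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = $status
        Body       = 'Access to the requested file was denied or it was not found.'
    })
}
```

A user who can open the function but has no Storage Blob Data role on the container now receives 403 from the redirector, which is the behaviour the question was trying to verify.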


1 answer

JayaC-MSFT 5,531 Reputation points
2021-06-25T14:11:13.933+00:00

Hello @Benmehidi, Hamza (TI-CSTI), I haven't heard from you. If you are still encountering the issue, I would request you to send an email with the subject line “Attn:Jaya” to AzCommunity[at]Microsoft[dot]com referencing this thread, along with the subscription id, so that we could discuss offline, or you could open a Support ticket with Microsoft.
