Add ability to read SAS tokens from a .netrc-like file

[marc-hb]

Azure supports "Shared Access Signature" (SAS) authentication to grant "limited access to containers and blobs". This is a "least privilege" feature meant to improve security. Quoting
https://learn.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who shouldn't be trusted with your storage account key but who need access to certain storage account resources. By distributing an SAS URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

More from https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

With a SAS, you have granular control over how a client can access your data.

A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.

Unfortunately, it seems the only way to use SAS authentication with azcopy is by passing it on the command line (?sig= parameter in the URL). This causes at least two serious issues listed below, the first one being... security.

In similar tools, these issues has been solved a long time ago by simply storing the token (or password) in a file. Examples:
https://everything.curl.dev/usingcurl/netrc
https://github.com/mirror/wget/blob/master/src/netrc.c
https://linux.die.net/man/5/netrc
https://www.ibm.com/docs/en/aix/7.1?topic=formats-netrc-file-format-tcpip

Feature request:

azcopy should simply be able to do the same and read SAS tokens from either .netrc or from some other, new .azcopyAuth file. Maybe such a new file could be managed by a new, interactive azcopy login feature that prompts the user for the token.

cc:

• Make use of Azure CLI environment variables #1833
• azcopy thinks file is directory when sas token has slashes #873

Which version of the AzCopy was used?

10.16.2

Which platform are you using? (ex: Windows, Mac, Linux)

Irrelevant, this is a feature request.

[marc-hb]

The first problem is obviously security. Authentication secrets should never, ever be used on the command line. Quoting https://learn.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login

Important

If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history...

Also from https://github.com/Azure/azure-storage-azcopy/issues/new

Please remove the SAS to avoid exposing your credentials.

[marc-hb]

A second problem is usability. Here's a typical filesystem browsing session in a typical command line:

dir
cd some_dir
dir some_sub_dir
copy foo bar
del foo

etc.

Here's what it becomes with azcopy

azcopy list   http://remote/?sig=VERY_LONG_SAS_TOKEN
azcopy list   http://remote/some_dir/some_subdir?sig=VERY_LONG_SAS_TOKEN
azcopy copy   http://remote/some_dir/some_subdir/foo?sig=VERY_LONG_SAS_TOKEN bar
azcopy remove http://remote/some_dir/some_subdir/foo?sig=VERY_LONG_SAS_TOKEN

To save a lot of typing, users will naturally not type everything from scratch but edit the previous command. However this is still extremely cumbersome because it typically requires editing the file location located in the middle of the long URL. Removing ?sig=VERY_LONG_SAS_TOKEN would make it possible to edit the end of the command line instead.

[nakulkar-msft]

Hi @marc-hb, we reviewed the issue and we've logged in our backlog. However, we would be prioritizing this low. Please use alternate methods of login for now.
https://github.com/Azure/azure-storage-azcopy/wiki/Improved-login-support-for-AzCopy-commands-(with-in-memory-secret-store)

[marc-hb]

Please use alternate methods of login for now.
https://github.com/Azure/azure-storage-azcopy/wiki/Improved-login-support-for-AzCopy-commands-(with-in-me

This page looks irrelevant for SAS tokens, can you confirm?

[nakulkar-msft]

Yes, if you've to perform repeated commands as you've shown above, SAS is rather not suited.