I have a resource group in Azure which contains cloud service and a storage account. I want to give access to the resource group to my developers so that they can access the resources and make changes. However, there is one particular table in the storage account which contains sensitive user details. The table is being updated through our client app using SAS tokens.
I want only few selected people from my team to be able to see the complete contents of the table. Is there any way in azure to do this?
Azure Storage access is gated by its account name+key. Anyone with access to that key has access to any object(s) within a storage account, whether, blob, queue, or (in your case) table.
If developers have access to the resource group, and the resource group contains the storage account, then those developers have full access to the storage account contents.
If you wanted to prevent your developers from accessing storage, this storage account would need to reside within another resource group (which the developer does not have access to). And then you would have the choice to provide the developer(s) with the storage account+key, or with a SAS to a particular table.
However: If a developer has been granted co-admin permissions to the Azure subscription itself, then they have access to 100% of resources within the subscription, regardless of resource group or SAS.
来源:https://stackoverflow.com/questions/37025776/hide-data-in-an-azure-table-from-a-specific-audience