[Enhancement request] Azure blob storage access via Role attached to container
Hi
I work for the Queensland Government and deal with the 'Whole of Government Form.IO solution platform' and I've got a problem that should be easily solved with a software update:
CIS compliance requires API keys to be rotated every 90 days. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.4
On the on-premise solution: It would be great to be able to supply only the Azure Blob Storage and prefix path to the formio form/stage, and have it be able to place into it by pulling the credentials from the attached container metadata (i.e. Azure Blob Storage is set up to accept from the assigned container role, etc.).
Similar for doing it on AWS with a container role attached.
This could be extended to allow STS role assignment with ExternalId so that the confused deputy problem does not get triggered when multiple account holders are running on the same server.
On cloud: This could also be used in the cloud instance (depending on your hosting provider, AWS/Azure). For AWS, this would be providing the role ARN to the client and them adding that to the IAM policy attached to the S3 bucket (or via STS assume role, where cross-role configuration has been configured per what was talked about in the on-premise solution).
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
Environment
- Hosting type
- [x] Form.io (API Servers and PDF Servers - private containers)
- [x] Form.io (cloud)
- [ ] Local deployment
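
The ExternalId point in the request above, as an added example that is not part of the original request and is not Form.io code: a simplified JavaScript model of the trust-policy check STS applies on AssumeRole, showing why a per-tenant `sts:ExternalId` condition keeps a shared server from being pointed at another account holder's role. The account ID, role name, tenant names and ExternalId values are constructed placeholders.

```javascript
// Simplified model of the role trust-policy check on sts:AssumeRole.
// All identifiers below are constructed placeholders, not real accounts.
const SERVICE_PRINCIPAL = "arn:aws:iam::111111111111:role/forms-server"; // hypothetical shared server role

// Trust policy a tenant attaches to the role that may write to their bucket.
function trustPolicy(externalId) {
  const stmt = {
    Effect: "Allow",
    Principal: { AWS: SERVICE_PRINCIPAL },
    Action: "sts:AssumeRole",
  };
  if (externalId !== undefined) {
    stmt.Condition = { StringEquals: { "sts:ExternalId": externalId } };
  }
  return { Version: "2012-10-17", Statement: [stmt] };
}

// True when the request satisfies at least one Allow statement.
function assumeRoleAllowed(policy, request) {
  return policy.Statement.some((s) => {
    if (s.Effect !== "Allow" || s.Action !== "sts:AssumeRole") return false;
    if (s.Principal.AWS !== request.caller) return false;
    const required = s.Condition?.StringEquals?.["sts:ExternalId"];
    return required === undefined || required === request.externalId;
  });
}

// The server stores one ExternalId per tenant and always sends the ID of the
// tenant it is acting for, never a value taken from that tenant's settings.
const tenantExternalIds = {
  tenantA: "extid-A-constructed",
  tenantB: "extid-B-constructed",
};

function serverAssume(actingTenant, targetRolePolicy) {
  return assumeRoleAllowed(targetRolePolicy, {
    caller: SERVICE_PRINCIPAL,
    externalId: tenantExternalIds[actingTenant],
  });
}

const weakB = trustPolicy(); // tenant B's role trusts the server with no condition
const strongB = trustPolicy(tenantExternalIds.tenantB); // condition added

console.log("A -> B role, no ExternalId:", serverAssume("tenantA", weakB));    // true (confused deputy)
console.log("A -> B role, ExternalId:   ", serverAssume("tenantA", strongB)); // false
console.log("B -> B role, ExternalId:   ", serverAssume("tenantB", strongB)); // true
```
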