egress icon indicating copy to clipboard operation
egress copied to clipboard
verified publisher icon livekit

[FEATURE] AzureUploader: Support SAS urls

Open coonmoo opened this issue 1 year ago • 1 comments

Problem

Egress AzureUploader only supports accountname / shared key authentication. Shared keys grant the Livekit Azure uploader excessive permissions like listing/reading all files in the account.

If the shared key would be compromised all recordings in the blob storage account would be exposed. We are concerned with having the shared key being passed to Livekit Cloud's egress environment where we don't have any control.

Solution

Support Azure Blob Storage container SAS urls in AzureUploader. This would allow us to use authentication with write only permissions for the storage container.

coonmoo avatar Nov 02 '24 14:11 coonmoo

I would encourage you to submit a PR for the feature if you are interested.

davidzhao avatar Nov 03 '24 05:11 davidzhao

I do think this is a valuable feature. Write only permissions, and not having to expose the storage account key, would be a prudent. The only other thought would be to have a storage account specifically for uploading Livekit videos. Once complete, the file could be copied to a storage account with more comprehensive security.

jpflick-stx avatar Jul 01 '25 20:07 jpflick-stx