amounts of unstructured data such as documents, images, audio, and video. One common use-case is enabling document download from a web app, mobile app, or intranet.
Section 1: Setting Up Azure Blob Storage
Step 1: Create a Storage Account
- Log into the Azure Portal.
- Search for “Storage accounts” in the top search bar.
- Click + Create.
- Fill in the required details:
  - Subscription
  - Resource Group
  - Storage Account Name (must be globally unique)
  - Region (choose your closest)
  - Performance: Standard
  - Redundancy: LRS (locally redundant) or as per need
- Click Review + Create and then Create.
Step 2: Access the Storage Account
- Once deployed, go to the Storage Account.
- On the left sidebar, under Data Storage, click Containers.
Step 3: Create a Container
- Click + Container.
- Name it (e.g., documents).
- Set Public Access Level depending on your use-case:
  - Private (no anonymous access) — Recommended for secure downloads
  - Blob (anonymous read access) — Use only for public files
- Click Create.
Section 2: Uploading Documents
- Open the container (e.g., documents).
- Click Upload.
- Choose files (e.g., PDF, DOCX).
- Click Upload.
Each document will now be listed in the container with its Blob Name, Type, and URL.
Section 3: Generate a Download Link
You can provide direct download access in multiple ways:
Option A: Anonymous Public Blob (for open downloads)
- If the container access level is set to Blob, each file will have a URL that you can copy and share:
https://<yourstorageaccount>.blob.core.windows.net/documents/filename.pdf
Option B: Using Shared Access Signature (SAS Token) for Secure Downloads
Step 1: Go to the Blob File
- Open the blob (e.g., filename.pdf).
- Click on Generate SAS.
Step 2: Configure SAS Token
- Allowed Permissions: Read
- Start and Expiry time: Set valid duration
- Click Generate SAS token and URL
- Copy the Blob SAS URL
This SAS URL allows downloading the file within the set time period, even from a private container.
Example SAS URL Format:
https://<storageaccount>.blob.core.windows.net/documents/file.pdf?<sastoken>
Section 4: Using the Download URL in HTML or App
A. HTML Link to Download File
```html
<a href="https://mystorage.blob.core.windows.net/documents/file.pdf?sp=..." download>
  Download File
</a>
```
B. JavaScript Triggered Download Button
```html
<button onclick="window.location.href='https://mystorage.blob.core.windows.net/documents/file.pdf?sp=...'">
  Download Document
</button>
```
C. React Example
```jsx
<a href="https://mystorage.blob.core.windows.net/documents/file.pdf?sp=..." target="_blank" rel="noopener noreferrer">
  Download PDF
</a>
```
Section 5: Accessing Files Securely via Azure SDK (Advanced)
If you’re building a secure app, you may not want to expose direct links. Instead, fetch the blob securely using Azure SDKs (e.g., Node.js, Python, C#).
Node.js Sample (Using @azure/storage-blob):
```javascript
const { BlobServiceClient } = require("@azure/storage-blob");

// Read the connection string from the environment instead of hard-coding it in source.
const AZURE_STORAGE_CONNECTION_STRING = process.env.AZURE_STORAGE_CONNECTION_STRING;

// Download a blob on the server side and return its content as a Buffer.
async function downloadFile(containerName, blobName) {
  const blobServiceClient = BlobServiceClient.fromConnectionString(AZURE_STORAGE_CONNECTION_STRING);
  const containerClient = blobServiceClient.getContainerClient(containerName);
  const blobClient = containerClient.getBlobClient(blobName);
  const downloadBlockBlobResponse = await blobClient.download();
  const content = await streamToBuffer(downloadBlockBlobResponse.readableStreamBody);
  console.log("Downloaded blob content:", content);
  return content;
}

// Collect a Node.js readable stream into a single Buffer.
async function streamToBuffer(readableStream) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    readableStream.on("data", (data) => chunks.push(data instanceof Buffer ? data : Buffer.from(data)));
    readableStream.on("end", () => resolve(Buffer.concat(chunks)));
    readableStream.on("error", reject);
  });
}
```
Section 6: Manage Permissions and Access
Using Role-Based Access Control (RBAC):
- Go to your storage account
- Select Access Control (IAM)
- Add a role assignment (e.g., Storage Blob Data Reader)
- Assign to specific users or managed identities
For Applications:
- Use a Managed Identity in Azure Web App or Function
- Grant appropriate permissions to access blobs
Section 7: Monitoring and Security Best Practices
- Avoid anonymous access for sensitive documents
- Use HTTPS only to avoid data sniffing
- Rotate SAS tokens and limit lifetime (use short expiry)
- Enable diagnostic logs in Azure Monitor for access tracking
- Use Azure CDN for faster delivery if serving large files globally
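The SAS-related practices above can be checked mechanically before a link is returned to a client. The following is an added example, not code from the original article: the function name `auditSasUrl`, the 15-minute limit, and the sample URLs are assumptions for illustration, and it assumes an ad hoc SAS whose `sp`, `sr`, `spr`, `se` and `sig` parameters are all present in the query string.

```javascript
// Policy check for a Blob SAS URL before it is handed to a client (added example).
// MAX_LIFETIME_MINUTES and the policy itself are assumptions, not Azure defaults.
const MAX_LIFETIME_MINUTES = 15;

function auditSasUrl(sasUrl, now = new Date()) {
  const findings = [];
  const url = new URL(sasUrl);
  const q = url.searchParams;

  if (url.protocol !== "https:") findings.push("URL is not HTTPS");
  // spr=https makes the service reject the token over plain HTTP.
  if (q.get("spr") !== "https") findings.push("spr is not 'https' (token also usable over HTTP)");

  // sp lists the granted permissions; a download link needs only 'r'.
  const sp = q.get("sp") || "";
  if (sp !== "r") findings.push(`permissions '${sp}' exceed read-only 'r'`);

  // sr=b scopes the token to one blob; sr=c covers the whole container.
  if (q.get("sr") !== "b") findings.push(`scope sr='${q.get("sr")}' is wider than a single blob`);

  // se is the expiry time (ISO 8601, UTC).
  const se = q.get("se");
  const expiry = se ? new Date(se) : null;
  if (!expiry || Number.isNaN(expiry.getTime())) {
    findings.push("missing or unparsable expiry (se)");
  } else {
    const minutesLeft = (expiry - now) / 60000;
    if (minutesLeft <= 0) {
      findings.push("token already expired");
    } else if (minutesLeft > MAX_LIFETIME_MINUTES) {
      findings.push(`expires in ${Math.round(minutesLeft)} min, limit is ${MAX_LIFETIME_MINUTES}`);
    }
  }
  if (!q.get("sig")) findings.push("no signature (sig) parameter");
  return findings;
}

// Constructed sample URLs (placeholder account name and signature).
const NOW = new Date("2024-01-01T12:00:00Z");
const base = "https://mystorage.blob.core.windows.net/documents/file.pdf";
const good = `${base}?sv=2022-11-02&sp=r&sr=b&spr=https&se=2024-01-01T12%3A10%3A00Z&sig=PLACEHOLDER`;
const bad = `${base}?sv=2022-11-02&sp=rwd&sr=c&spr=https,http&se=2025-01-01T00%3A00%3A00Z&sig=PLACEHOLDER`;

console.log(auditSasUrl(good, NOW));
console.log(auditSasUrl(bad, NOW));
```

An empty result means the link meets the policy; each string in a non-empty result names one setting to tighten before the URL is issued.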
Section 8: Enable Downloads via Azure Function (Optional Advanced)
If you want to dynamically generate download links or control access per user:
- Create an Azure Function (HTTP trigger)
- Use the Azure SDK to generate a SAS link at runtime
- Return the link as part of the HTTP response
Example Logic:
```javascript
module.exports = async function (context, req) {
  // generateSasToken is a placeholder: write your SAS-generation logic here
  const sasUrl = generateSasToken("documents", "file.pdf");
  context.res = {
    status: 200,
    body: {
      downloadUrl: sasUrl
    }
  };
};
```