DEV Community

Cover image for Providing Scalable and Secure Storage Solutions for a New Company Application
Busa Ayim-Odu
Busa Ayim-Odu

Posted on

Providing Scalable and Secure Storage Solutions for a New Company Application

Exercise instructions

Create the storage account and managed identity

Step 1: Provide a storage account for the web app.

  • In the portal, search for and select Storage accounts.
    Storage

  • Select + Create.
    Plus Create

  • For Resource group select Create new. Give your resource group a name and select OK to save your changes.

  • Provide a Storage account name. Ensure the name is unique and meets the naming requirements.
    RG

  • Move to the Encryption tab.

  • Check the box for Enable infrastructure encryption.

  • Notice the warning, This option cannot be changed after this storage account is created.
    Encryption

  • Select Review + Create.
    Review and Create

  • Wait for the resource to deploy.
    Deployed

Step 2: Provide a managed identity for the web app to use. Learn more about managed identities.

  • Search for and select Managed identities. Managed Identities
  • Select Create. Create
  • Select your resource group.
  • Give your managed identity a name. Names
  • Select Review and create, and then Create. Create

Step3: Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs. Learn more about how to assign Azure roles.

  • Search for and select your storage account. Storage
  • Select the Access Control (IAM) blade.
  • Select Add role assignment (center of the page). IAM
  • On the Job functions roles page, search for and select the Storage Blob Data Reader role. Blob
  • On the Members page, select Managed identity.
  • Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  • Select the managed identity you created in the previous step. Member
  • Click Select and then Review + assign the role.
  • Select Review + assign a second time to add the role assignment. Role Create
  • Your storage account can now be accessed by a managed identity with the Storage Data Blob Reader permissions. Managed identity

Secure access to the storage account with a key vault and key

Step 1: To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions. Learn more about how to provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.

  • In the portal, search for and select Resource groups. RG
  • Select your resource group, and then the Access Control (IAM) blade.
  • Select Add role assignment (center of the page). Selection
  • On the Job functions roles page, search for and select the Key Vault Administrator role. Added Role
  • On the Members page, select User, group, or service principal. Select Select members.
  • Search for and select your user account. Your user account is shown in the top right of the portal.
  • Click Select and then Review + assign. Assign
  • Select Review + assign a second time to add the role assignment.
  • You are now ready to continue with the lab.

Step 2: Create a key vault to store the access keys.

  • In the portal, search for and select Key vaults. Key Vaults
  • Select Create. Create Key
  • Select your resource group.
  • Provide the name for the key vault. The name must be unique. Key Name
  • Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
  • Select Review + create. Access
  • Wait for the validation checks to complete and then select Create. SOft
  • After the deployment, select Go to resource.
  • On the Overview blade ensure both Soft-delete and Purge protection are enabled. Keys

Step 3: Create a customer-managed key in the key vault.

  • In your key vault, in the Objects section, select the Keys blade. New Key
  • Select Generate/Import and Name the key.
  • Take the defaults for the rest of the parameters, and Create the key. Created key

Configure the storage account to use the customer managed key in the key vault

Step 1: Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. Learn more about how to use a system-assigned managed identity to authorize access

  • In the portal, search for and select Resource groups. RG
  • Select your resource group, and then the Access Control (IAM) blade.
  • Select Add role assignment (center of the page). New role
  • On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

New role

  • On the Members page, select Managed identity.
  • Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  • Select your managed identity. Managed ID
  • Click Select and then Review + assign.
  • Select Review + assign a second time to add the role assignment. Reviewed

Step 2: Configure the storage account to use the customer managed key in your key vault. Learn more about customer managed keys on an existing storage account.

  • Return to your the storage account.
  • In the Security + networking section, select the Encryption blade.
  • Select **Customer-managed **keys. Customer
  • Select a key vault and key. Select your key vault and key.
  • Select to confirm your choices. Many keys
  • Ensure the Identity type is User-assigned.
  • Select an identity.
  • Select your** managed identity** then select Add.
  • Save your changes. Options
  • If you receive an error that your identity does not have the correct permissions, wait a minute and try again.

Configure an time-based retention policy and an encryption scope.

Step 1: The developers require a storage container where files can’t be modified, even by the administrator. Learn more about blob immutable storage.

  • Navigate to your storage account.
  • In the Data storage section, select the Containers blade. Storage
  • Create a container called hold. Take the defaults. Be sure to - - Create the container.

Hold

  • Upload a file to the container. Uploaded
  • In the Settings section, select the Access policy blade.
  • In the Immutable blob storage section, select + Add policy.
  • For the Policy type, select time-based retention.
  • Set the Retention period to 5 days.
  • Be sure to Save your changes. Immutable policy
  • Try to delete the file in the container.
  • Verify you are notified failed to delete blobs due to policy. delete

Step 2: The developers require an encryption scope that enables infrastructure encryption. Learn more about infrastructure encryption.

  • Navigate back to your storage account.
  • In the Security + networking blade, select Encryption.
  • In the Encryption scopes tab, select Add.
  • Give your encryption scope a name.
  • The Encryption type is Microsoft-managed key.
  • Set Infrastructure encryption to Enable.
  • Create the encryption scope. Scope
  • Return to your storage account and create a new container.
  • Notice on the New container page, there is the Name and Public access level.
  • Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container. Notice

A vote of gratitude

I appreciate you reading this tutorial to help you choose and implement storage options for your new application. I hope it has given you insightful information to help you decide on options that are specific to the needs of your app. For long-term success, each stage in this process is essential, and your attention to detail makes all the difference.

I would love to hear from you if you need any clarification, have any concerns, or would like to talk about any of the processes in more detail! Please get in touch; together, we can discuss the finest storage practices and carry on the topic. Once again, thank you, and good luck developing a scalable and reliable app!

Top comments (0)