Ola

Posted on

File accessed using keys and managed identities - Azure Files and Azure Blobs

Create the storage account and managed identity

Provide a storage account for the web app.
In the portal, search for and select Storage accounts.
Select + Create.
For Resource group select Create new. Give your resource group a name and select OK to save your changes.
Provide a Storage account name. Ensure the name is unique and meets the naming requirements.

Follow our previous tutorial for the above
Select Review + Create.

Wait for the resource to deploy.

Provide a managed identity for the web app to use.

Search for and select Managed identities.
Select Create.
Select your resource group.

Give your managed identity a name.
Select Review and create, and then Create.

Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs.

Search for and select your storage account.
Select the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Storage Blob Data Reader role.
On the Members page, select Managed identity.
Select Select members; in the Managed identity drop-down, select User-assigned managed identity.
Select the managed identity you created in the previous step.

Click Select and then Review + assign the role.
Select Review + assign a second time to add the role assignment.

Your storage account can now be accessed by the managed identity, which holds the Storage Blob Data Reader role.
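The same identity-and-role setup as an Azure CLI script, added here as an example; it is not part of the original post. The `run` helper, the DRY_RUN switch and the environment-variable names (RESOURCE_GROUP, STORAGE_ACCOUNT, IDENTITY_NAME, LOCATION) are my own; the role name and the `az` commands and flags are the real ones. The role assignment is scoped to the single storage account, which is the least privilege the identity needs for reading and listing blobs.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Azure CLI equivalent of the
# portal steps for the managed identity and its Storage Blob Data Reader role.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the user-assigned managed identity in the resource group.
# usage: create_identity <resource-group> <identity-name> <location>
create_identity() {
  run az identity create --resource-group "$1" --name "$2" --location "$3"
}

# Grant the identity read/list access to blobs, scoped to ONE storage account
# (not the resource group or subscription): least privilege for a reader.
# usage: assign_blob_reader <identity-principal-id> <storage-account-resource-id>
assign_blob_reader() {
  run az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --scope "$2"
}

# Driver: runs only when real names are supplied through the environment
# (placeholder variable names are my own, not from the post).
if [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${STORAGE_ACCOUNT:-}" ] && [ -n "${IDENTITY_NAME:-}" ]; then
  create_identity "$RESOURCE_GROUP" "$IDENTITY_NAME" "${LOCATION:-eastus}"
  PRINCIPAL_ID=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query principalId -o tsv)
  ACCOUNT_ID=$(az storage account show -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" --query id -o tsv)
  assign_blob_reader "$PRINCIPAL_ID" "$ACCOUNT_ID"
  # Check: the role should now be listed at the storage account scope for this identity.
  az role assignment list --scope "$ACCOUNT_ID" --assignee "$PRINCIPAL_ID" \
    --query "[].roleDefinitionName" -o tsv
fi
```

Run it with DRY_RUN=1 first to see the exact commands. The closing `az role assignment list` call is the check that the role landed at the storage account scope and nowhere broader; a newly created identity can take a minute to propagate, so a failed assignment right after `create_identity` is worth one retry.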

Secure access to the storage account with a key vault and key

To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions.
In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Administrator role.
On the Members page, select User, group, or service principal.
Select Select members.
Search for and select your user account. Your user account is shown in the top right of the portal.
Click Select and then Review + assign.

Select Review + assign a second time to add the role assignment.
You are now ready to continue with the lab.

Create a key vault to store the access keys.

In the portal, search for and select Key vaults.

Select Create.

Select your resource group.

Provide the name for the key vault. The name must be unique.

Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
Select Review + create.

Wait for the validation checks to complete and then select Create.

After the deployment, select Go to resource.

On the Overview blade ensure both Soft-delete and Purge protection are enabled.

Create a customer-managed key in the key vault.

In your key vault, in the Objects section, select the Keys blade.

Select Generate/Import and name the key.
Take the defaults for the rest of the parameters, and select Create to create the key.

Configure the storage account to use the customer managed key in the key vault

Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity.

In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

On the Members page, select Managed identity.

Select Select members; in the Managed identity drop-down, select User-assigned managed identity.
Select your managed identity.

Click Select and then Review + assign.
Select Review + assign a second time to add the role assignment.

Configure the storage account to use the customer-managed key in your key vault.

In the Security + networking section, select the Encryption blade.

Select Customer-managed keys.
Select Select a key vault and key, then choose your key vault and key.
Click Select to confirm your choices.
Ensure the Identity type is User-assigned.
Select an identity.

Select your managed identity, then select Add.
Save your changes.
If you receive an error that your identity does not have the correct permissions, wait a minute and try again.
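The key vault, key, role assignment and customer-managed-key steps from "Create a key vault" through "Configure the storage account" as one Azure CLI script, added here as an example; it is not part of the original post. The `run` helper, the DRY_RUN switch and the environment-variable names (RESOURCE_GROUP, STORAGE_ACCOUNT, VAULT_NAME, IDENTITY_NAME, KEY_NAME, LOCATION) are my own. The flag names are the Azure CLI ones as I know them; confirm with `az storage account update --help` on your CLI version before relying on them. Two deliberate choices: the Crypto Service Encryption User role is scoped to the vault rather than the resource group, and no key version is passed so the account follows the latest key version automatically.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Azure CLI equivalent of the key
# vault, key, role assignment and customer-managed-key (CMK) steps above.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Key vault using Azure RBAC (no legacy access policies) with purge protection.
# Purge protection is what keeps a soft-deleted key recoverable; without the
# key the storage account's data cannot be decrypted.
# usage: create_key_vault <resource-group> <vault-name> <location>
create_key_vault() {
  run az keyvault create --resource-group "$1" --name "$2" --location "$3" \
    --enable-rbac-authorization true --enable-purge-protection true
}

# Customer-managed key; RSA 2048 matches the portal defaults.
# usage: create_cmk <vault-name> <key-name>
create_cmk() {
  run az keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 2048
}

# Let the managed identity wrap/unwrap with keys in this vault. Scope is the
# vault itself, narrower than the resource-group scope used in the portal steps.
# usage: assign_crypto_user <identity-principal-id> <vault-resource-id>
assign_crypto_user() {
  run az role assignment create \
    --role "Key Vault Crypto Service Encryption User" \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --scope "$2"
}

# Switch the storage account to the customer-managed key, reaching the vault
# through the user-assigned identity. No --encryption-key-version: the account
# tracks the latest version of the key.
# usage: enable_cmk <resource-group> <storage-account> <vault-uri> <key-name> <identity-resource-id>
enable_cmk() {
  run az storage account update --resource-group "$1" --name "$2" \
    --identity-type UserAssigned --user-identity-id "$5" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$3" --encryption-key-name "$4" \
    --key-vault-user-identity-id "$5"
}

# Driver: runs only when real names are supplied through the environment
# (placeholder variable names are my own, not from the post).
if [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${STORAGE_ACCOUNT:-}" ] \
   && [ -n "${VAULT_NAME:-}" ] && [ -n "${IDENTITY_NAME:-}" ]; then
  KEY="${KEY_NAME:-storage-cmk}"
  create_key_vault "$RESOURCE_GROUP" "$VAULT_NAME" "${LOCATION:-eastus}"
  create_cmk "$VAULT_NAME" "$KEY"
  PRINCIPAL_ID=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query principalId -o tsv)
  IDENTITY_ID=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query id -o tsv)
  VAULT_ID=$(az keyvault show -g "$RESOURCE_GROUP" -n "$VAULT_NAME" --query id -o tsv)
  VAULT_URI=$(az keyvault show -g "$RESOURCE_GROUP" -n "$VAULT_NAME" --query properties.vaultUri -o tsv)
  assign_crypto_user "$PRINCIPAL_ID" "$VAULT_ID"
  enable_cmk "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$VAULT_URI" "$KEY" "$IDENTITY_ID"
  # Check: the account's key source should now report Microsoft.Keyvault.
  az storage account show -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" --query encryption.keySource -o tsv
fi
```

The caller needs the Key Vault Administrator role described earlier for `create_cmk`, and the same propagation delay the post mentions applies here: if `enable_cmk` reports that the identity lacks permissions right after `assign_crypto_user`, wait a minute and rerun only that step.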

Configure a time-based retention policy and an encryption scope.

The developers require a storage container where files can't be modified, even by the administrator.

Navigate to your storage account.
In the Data storage section, select the Containers blade.

Create a container called hold. Take the defaults. Be sure to select Create to create the container.
Upload a file to the container.

In the Settings section, select the Access policy blade.
In the Immutable blob storage section, select + Add policy.
For the Policy type, select time-based retention.
Set the Retention period to 5 days.
Be sure to Save your changes.

Try to delete the file in the container.
Verify that you are notified that the blobs failed to delete due to policy.

The developers require an encryption scope that enables infrastructure encryption.

Navigate back to your storage account.
In the Security + networking blade, select Encryption.
In the Encryption scopes tab, select Add.
Give your encryption scope a name.
The Encryption type is Microsoft-managed key.
Set Infrastructure encryption to Enable.
Create the encryption scope.
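The container, retention policy and encryption scope steps as an Azure CLI script, added here as an example; it is not part of the original post. The `run` helper, the DRY_RUN switch, the environment-variable names (RESOURCE_GROUP, STORAGE_ACCOUNT, SCOPE_NAME, LOCK_POLICY) and the sample file are my own; the container name `hold` and the 5-day period come from the post. One caveat the portal steps do not mention: the retention policy is created unlocked, and an unlocked policy can still be removed by anyone with management-plane rights on the storage account, so the "not even the administrator" requirement only holds once the policy is locked, which is irreversible.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Azure CLI equivalent of the
# immutable-container and encryption-scope steps above.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Time-based retention on one container: blobs cannot be deleted or overwritten
# until <days> after they were written. The policy starts UNLOCKED, as in the
# portal, and can still be edited or removed by a principal with rights on the
# storage account; lock_retention makes it permanent.
# usage: set_retention <resource-group> <storage-account> <container> <days>
set_retention() {
  run az storage container immutability-policy create \
    --resource-group "$1" --account-name "$2" --container-name "$3" --period "$4"
}

# Lock the policy (irreversible). The ETag of the current policy is required.
# usage: lock_retention <resource-group> <storage-account> <container> <etag>
lock_retention() {
  run az storage container immutability-policy lock \
    --resource-group "$1" --account-name "$2" --container-name "$3" --if-match "$4"
}

# Encryption scope with a Microsoft-managed key and infrastructure (double)
# encryption required, matching the developers' request.
# usage: create_scope <resource-group> <storage-account> <scope-name>
create_scope() {
  run az storage account encryption-scope create \
    --resource-group "$1" --account-name "$2" --name "$3" \
    --key-source Microsoft.Storage --require-infrastructure-encryption true
}

# Driver: runs only when real names are supplied through the environment
# (placeholder variable names are my own, not from the post). The data-plane
# calls use --auth-mode login, so the caller needs Storage Blob Data Contributor.
if [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${STORAGE_ACCOUNT:-}" ]; then
  az storage container create --account-name "$STORAGE_ACCOUNT" --name hold --auth-mode login
  printf 'constructed sample content\n' > /tmp/hold-sample.txt   # constructed sample file
  az storage blob upload --account-name "$STORAGE_ACCOUNT" --container-name hold \
    --name sample.txt --file /tmp/hold-sample.txt --auth-mode login
  set_retention "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" hold 5
  # Check: the delete must be refused while the retention period is active.
  if az storage blob delete --account-name "$STORAGE_ACCOUNT" --container-name hold \
       --name sample.txt --auth-mode login; then
    echo "UNEXPECTED: delete succeeded; the policy is not in effect"
  else
    echo "delete blocked by the retention policy (expected)"
  fi
  if [ "${LOCK_POLICY:-0}" = "1" ]; then
    ETAG=$(az storage container immutability-policy show --resource-group "$RESOURCE_GROUP" \
      --account-name "$STORAGE_ACCOUNT" --container-name hold --query etag -o tsv)
    lock_retention "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" hold "$ETAG"
  fi
  create_scope "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "${SCOPE_NAME:-infra-scope}"
fi
```

Run it once without LOCK_POLICY to reproduce the post's result (the delete is refused), and only set LOCK_POLICY=1 when the 5-day period is really what you want, since a locked policy can be extended but never shortened or removed. The encryption scope is created on the account; to use it, a container or blob has to be created with that scope, which the post leaves for the developers.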
