Provide storage for a new company app

Create the storage account and managed identity

1. Provide a storage account for the web app

• In the portal, search for and select Storage accounts

• Select + Create

• For Resource group select Create new. Give your resource group a name and select OK to save your changes

• Provide a Storage account name. Ensure the name is unique and meets the naming requirements

• Move to the Encryption tab

• Check the box for Enable infrastructure encryption

• Notice the warning, This option cannot be changed after this storage account is created.

• Select Review + Create

• Wait for the resource to deploy

2. Provide a managed identity for the web app to use

• Search for and select Managed identities

• Select Create

• Select your resource group

• Give your managed identity a name

• Select Review and create, and then Create

3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs

• Search for and select your storage account

• Select the Access Control (IAM) blade

• Select Add role assignment (center of the page)

• On the Job functions roles page, search for and select the Storage Blob Data Reader role

• On the Members page, select Managed identity

• Select Select members, in the Managed identity drop-down select User-assigned managed identity

• Select the managed identity you created in the previous step

• Click Select and then Review + assign the role

• Select Review + assign a second time to add the role assignment

• Your storage account can now be accessed by a managed identity with the Storage Data Blob Reader permissions

Secure access to the storage account with a key vault and key

1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions

• In the portal, search for and select Resource groups

• Select your resource group, and then the Access Control (IAM) blade

• Select Add role assignment (center of the page)

• On the Job functions roles page, search for and select the Key Vault Administrator role

• On the Members page, select User, group, or service principal

• Select Select members

• Search for and select your user account. Your user account is shown in the top right of the portal

• Click Select and then Review + assign

• Select Review + assign a second time to add the role assignment

• You are now ready to continue with the lab

2. Create a key vault to store the access keys

In the portal, search for and select Key vaults

• Select Create

• Select your resource group

• Provide the name for the key vault. The name must be unique

• Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected

• Select Review + create

• Wait for the validation checks to complete and then select Create

• After the deployment, select Go to resource

• On the Overview blade ensure both Soft-delete and Purge protection are enabled

2. Create a customer-managed key in the key vault

• In your key vault, in the Objects section, select the Keys blade

• Select Generate/Import and Name the key

• Take the defaults for the rest of the parameters, and Create the key