DEV Community

Emmanuel Cobham

Provide storage for a new company app

Provide a private storage account

Create the storage account and managed identity

1. Provide a storage account for the web app

  • In the portal, search for and select Storage accounts

  • Select + Create

  • For Resource group, select Create new. Give your resource group a name and select OK to save your changes

  • Provide a Storage account name. Ensure the name is unique and meets the naming requirements

  • Move to the Encryption tab

  • Check the box for Enable infrastructure encryption

  • Note the warning: this option cannot be changed after the storage account is created, so it has to be set now rather than fixed later

  • Select Review + Create

  • Wait for the resource to deploy

2. Provide a managed identity for the web app to use

  • Search for and select Managed identities

  • Select Create

  • Select your resource group

  • Give your managed identity a name

  • Select Review and create, and then Create

3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs, so it gets a read-only data role and nothing broader

  • Search for and select your storage account

  • Select the Access Control (IAM) blade

  • Select Add role assignment (center of the page)

  • On the Job functions roles page, search for and select the Storage Blob Data Reader role

  • On the Members page, select Managed identity

  • Select Select members; in the Managed identity drop-down, select User-assigned managed identity

  • Select the managed identity you created in the previous step

  • Click Select and then Review + assign the role

  • Select Review + assign a second time to add the role assignment

  • Your storage account can now be accessed by the managed identity with Storage Blob Data Reader permissions (read and list only; no write, delete or account-key access)
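The same three steps (storage account with infrastructure encryption, user-assigned managed identity, read-only role assignment) as an Azure CLI script. This is an added example, not code from the original post: the resource group, region, account and identity names are placeholders, and the AZ variable is a made-up dry-run hook so the commands can be printed with AZ=echo before anything is created.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps above.
# All names are placeholders (assumptions), not values from the post.
# Set AZ=echo to print the commands instead of running them (dry run).
set -eu
: "${AZ:=az}"

RG="${RG:-rg-companyapp-lab}"        # resource group (placeholder)
LOCATION="${LOCATION:-eastus}"
SA="${SA:-stcompanyapplab001}"       # must be globally unique, 3-24 lowercase letters/digits
MI="${MI:-id-companyapp-web}"        # user-assigned managed identity (placeholder)

# Step 1: storage account with infrastructure (double) encryption.
# --require-infrastructure-encryption cannot be changed after creation,
# which is the warning the portal shows, so it is set at create time.
create_storage_account() {
    "$AZ" storage account create \
        --name "$SA" --resource-group "$RG" --location "$LOCATION" \
        --kind StorageV2 --sku Standard_LRS \
        --require-infrastructure-encryption true \
        --min-tls-version TLS1_2 \
        --allow-blob-public-access false
}

# Step 2: user-assigned managed identity for the web app.
create_managed_identity() {
    "$AZ" identity create --name "$MI" --resource-group "$RG"
}

# Step 3: least-privilege data-plane role, scoped to this one storage account.
# Storage Blob Data Reader allows read/list of containers and blobs only.
# $1 = object (principal) id of the identity, $2 = storage account resource id
assign_blob_reader() {
    "$AZ" role assignment create \
        --assignee-object-id "$1" \
        --assignee-principal-type ServicePrincipal \
        --role "Storage Blob Data Reader" \
        --scope "$2"
}

# Post-deployment check: confirm infrastructure encryption really is on.
verify_infra_encryption() {
    "$AZ" storage account show --name "$SA" --resource-group "$RG" \
        --query encryption.requireInfrastructureEncryption -o tsv
}

# Whole procedure in order; role assignments can take a few minutes to propagate.
provision_storage_for_app() {
    "$AZ" group create --name "$RG" --location "$LOCATION"
    create_storage_account
    create_managed_identity
    principal_id=$("$AZ" identity show --name "$MI" --resource-group "$RG" \
        --query principalId -o tsv)
    sa_id=$("$AZ" storage account show --name "$SA" --resource-group "$RG" \
        --query id -o tsv)
    assign_blob_reader "$principal_id" "$sa_id"
    verify_infra_encryption
}

# Runs the procedure only when invoked as: sh provision_storage.sh run
if [ "${1:-}" = "run" ]; then provision_storage_for_app; fi
```

Run it once with AZ=echo to review the exact flags before creating anything; the final show command should print true, which is the CLI equivalent of checking the Encryption tab after deployment.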

Secure access to the storage account with a key vault and key

1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions

  • In the portal, search for and select Resource groups

  • Select your resource group, and then the Access Control (IAM) blade

  • Select Add role assignment (center of the page)

  • On the Job functions roles page, search for and select the Key Vault Administrator role

  • On the Members page, select User, group, or service principal

  • Select Select members

  • Search for and select your user account. Your user account is shown in the top right of the portal

  • Click Select and then Review + assign

  • Select Review + assign a second time to add the role assignment

  • You are now ready to continue with the lab

2. Create a key vault to store the access keys

  • In the portal, search for and select Key vaults

  • Select Create

  • Select your resource group

  • Provide the name for the key vault. The name must be unique

  • On the Access configuration tab, ensure Azure role-based access control (recommended) is selected, so data-plane access to keys is governed by role assignments rather than vault access policies

  • Select Review + create

  • Wait for the validation checks to complete and then select Create

  • After the deployment, select Go to resource

  • On the Overview blade, ensure both Soft-delete and Purge protection are enabled, so a deleted vault or key can be recovered and cannot be permanently purged before the retention period ends

3. Create a customer-managed key in the key vault

  • In your key vault, in the Objects section, select the Keys blade

  • Select Generate/Import and Name the key

  • Take the defaults for the rest of the parameters, and Create the key
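The key vault part of the lab as an Azure CLI script: the Key Vault Administrator assignment for your own account at resource-group scope, a vault using the Azure RBAC permission model with soft delete and purge protection, and the customer-managed key with the portal defaults. This is an added example, not code from the original post; the vault and key names are placeholders, and AZ=echo is a made-up dry-run hook for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the key vault steps above.
# Names are placeholders (assumptions). Set AZ=echo for a dry run.
set -eu
: "${AZ:=az}"

RG="${RG:-rg-companyapp-lab}"       # resource group (placeholder)
LOCATION="${LOCATION:-eastus}"
KV="${KV:-kv-companyapp-lab-001}"   # globally unique, 3-24 chars (placeholder)
KEY_NAME="${KEY_NAME:-cmk-storage}" # customer-managed key name (placeholder)

# Step 1: Key Vault Administrator for the signed-in user at resource-group scope.
# Under the RBAC permission model, vault access policies are ignored; the only
# way to manage keys is through a role assignment such as this one.
# $1 = object id of the user, $2 = resource group resource id
grant_kv_admin() {
    "$AZ" role assignment create \
        --assignee-object-id "$1" --assignee-principal-type User \
        --role "Key Vault Administrator" --scope "$2"
}

# Step 2: key vault with Azure RBAC, soft delete (90-day retention) and
# purge protection. Purge protection cannot be turned off once enabled.
create_key_vault() {
    "$AZ" keyvault create \
        --name "$KV" --resource-group "$RG" --location "$LOCATION" \
        --enable-rbac-authorization true \
        --enable-purge-protection true \
        --retention-days 90
}

# Step 3: customer-managed key; these flags are the portal defaults
# (RSA 2048, software-protected).
create_cmk() {
    "$AZ" keyvault key create --vault-name "$KV" --name "$KEY_NAME" \
        --kty RSA --size 2048 --protection software
}

# The three properties the lab asks you to confirm on the Overview blade.
verify_vault_protection() {
    "$AZ" keyvault show --name "$KV" --resource-group "$RG" \
        --query "[properties.enableSoftDelete, properties.enablePurgeProtection, properties.enableRbacAuthorization]" \
        -o tsv
}

setup_key_vault() {
    me=$("$AZ" ad signed-in-user show --query id -o tsv)
    rg_id=$("$AZ" group show --name "$RG" --query id -o tsv)
    grant_kv_admin "$me" "$rg_id"
    create_key_vault
    verify_vault_protection
    create_cmk
}

# Runs the procedure only when invoked as: sh setup_key_vault.sh run
if [ "${1:-}" = "run" ]; then setup_key_vault; fi
```

The verify step should print three true values; if the key create command fails with a permission error right after the role assignment, wait a few minutes for the RBAC assignment to propagate and retry rather than falling back to an access policy.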
