Create the storage account and managed identity
1. Provide a storage account for the web app
- In the portal, search for and select Storage accounts
- Select + Create
- For Resource group select Create new. Give your resource group a name and select OK to save your changes
- Provide a Storage account name. Ensure the name is unique and meets the naming requirements
- Move to the Encryption tab
- Check the box for Enable infrastructure encryption
- Notice the warning: This option cannot be changed after this storage account is created.
- Select Review + Create
- Wait for the resource to deploy
2. Provide a managed identity for the web app to use
- Search for and select Managed identities
- Select Create
- Select your resource group
- Give your managed identity a name
- Select Review and create, and then Create
3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs
- Search for and select your storage account
- Select the Access Control (IAM) blade
- Select Add role assignment (center of the page)
- On the Job functions roles page, search for and select the Storage Blob Data Reader role
- On the Members page, select Managed identity
- Select Select members. In the Managed identity drop-down, select User-assigned managed identity
- Select the managed identity you created in the previous step
- Click Select and then Review + assign the role
- Select Review + assign a second time to add the role assignment
Your storage account can now be accessed by a managed identity with the Storage Blob Data Reader permissions
Secure access to the storage account with a key vault and key
1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions
- In the portal, search for and select Resource groups
- Select your resource group, and then the Access Control (IAM) blade
- Select Add role assignment (center of the page)
- On the Job functions roles page, search for and select the Key Vault Administrator role
- On the Members page, select User, group, or service principal
- Select Select members
- Search for and select your user account. Your user account is shown in the top right of the portal
- Click Select and then Review + assign
- Select Review + assign a second time to add the role assignment
You are now ready to continue with the lab
2. Create a key vault to store the access keys
- In the portal, search for and select Key vaults
- Select Create
- Select your resource group
- Provide the name for the key vault. The name must be unique
- Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected
- Select Review + create
- Wait for the validation checks to complete and then select Create
- After the deployment, select Go to resource
- On the Overview blade ensure both Soft-delete and Purge protection are enabled
3. Create a customer-managed key in the key vault
- In your key vault, in the Objects section, select the Keys blade
- Select Generate/Import and Name the key
- Take the defaults for the rest of the parameters, and Create the key
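The portal steps above leave behind a specific security posture: infrastructure encryption on the storage account (immutable after creation), a key vault in Azure RBAC mode with soft-delete and purge protection, and a managed identity holding only Storage Blob Data Reader on the account. The following script is an added example, not part of the lab, that checks that posture against resource descriptions shaped like `az storage account show`, `az keyvault show` and `az role assignment list` output; the subscription, resource group, account and principal IDs are constructed placeholders, and the sample key vault is deliberately missing purge protection so the check has something to report.

```python
from typing import Dict, List

READER_ROLE = "Storage Blob Data Reader"  # least-privilege role the lab assigns to the identity

def covers(scope: str, resource_id: str) -> bool:
    """True if an RBAC assignment at `scope` is inherited by `resource_id`."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")

def check_storage(acct: Dict) -> List[str]:
    """Findings for a storage account shaped like `az storage account show` output."""
    if acct.get("encryption", {}).get("requireInfrastructureEncryption"):
        return []
    # Immutable after creation, so the only remediation is to recreate the account.
    return ["infrastructure encryption is off (cannot be enabled later; recreate the account)"]

def check_key_vault(kv: Dict) -> List[str]:
    """Findings for a key vault shaped like `az keyvault show` output."""
    props = kv.get("properties", {})
    wanted = {"enableRbacAuthorization": "vault uses access policies, not Azure RBAC",
              "enableSoftDelete": "soft-delete is disabled",
              "enablePurgeProtection": "purge protection is disabled"}
    return [msg for key, msg in wanted.items() if not props.get(key)]

def check_identity_roles(assignments: List[Dict], principal_id: str, account_id: str) -> List[str]:
    """Findings for the identity's assignments, shaped like `az role assignment list` output."""
    mine = [a for a in assignments if a["principalId"] == principal_id]
    findings = []
    if not any(a["roleDefinitionName"] == READER_ROLE and covers(a["scope"], account_id) for a in mine):
        findings.append(f"identity lacks {READER_ROLE} on the storage account")
    for a in mine:
        if a["roleDefinitionName"] != READER_ROLE:
            findings.append(f"over-privileged: {a['roleDefinitionName']} at {a['scope']}")
        elif a["scope"] != account_id:  # inherited from a broader scope than the lab intends
            findings.append(f"{READER_ROLE} granted above the account: {a['scope']}")
    return findings

# Constructed sample resources (placeholder IDs) mirroring the state the lab should leave behind,
# except that the key vault is missing purge protection.
SA_ID = "/subscriptions/0000/resourceGroups/lab-rg/providers/Microsoft.Storage/storageAccounts/labsa"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
STORAGE = {"id": SA_ID, "encryption": {"requireInfrastructureEncryption": True}}
VAULT = {"properties": {"enableRbacAuthorization": True, "enableSoftDelete": True,
                        "enablePurgeProtection": False}}
ASSIGNMENTS = [{"principalId": PRINCIPAL, "roleDefinitionName": READER_ROLE, "scope": SA_ID}]

def audit() -> List[str]:
    """Run all three checks over the constructed samples and return the combined findings."""
    return (check_storage(STORAGE) + check_key_vault(VAULT)
            + check_identity_roles(ASSIGNMENTS, PRINCIPAL, SA_ID))

if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```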