DEV Community

Emmanuel A. Anene

Guidelines on Providing Storage for a New Company App Part 1.

What is an Azure Storage Account: An Azure Storage Account is a core service in Microsoft Azure that offers secure, cloud-based storage for different types of data.

A company building a new application needs its developers to guarantee that storage access is restricted to access keys and managed identities. They also plan to enforce role-based access control (RBAC) for better security management. Additionally, to support testing requirements, the developers need protected, immutable storage.

Architecture diagram

First thing: sign in to your active Microsoft Azure account at portal.azure.com.

In this article, I’ll cover the essential tasks for providing storage for a new company app.

Key tasks include:

  • Creating a storage account and setting up a managed identity
  • Securing access to the storage account using an Azure Key Vault and encryption keys
  • Configuring the storage account to use a customer-managed key stored in the Key Vault
  • Setting a time-based retention policy and defining an encryption scope

CREATING A STORAGE ACCOUNT AND SETTING UP A MANAGED IDENTITY.

Step 1. Provision a storage account for the web application:

A. In the Azure portal, search for Storage accounts and press Enter to open the Storage accounts service.

B. Click on +Create

C. Set up the Basics

  1. For Resource group, select Create new, give the resource group a name, and select OK to save the change.

  2. Provide a unique Storage account name. Ensure it meets the naming requirements.

  3. Region: Choose the region you will be operating in.

  4. Primary service: Choose Azure Blob Storage or Azure Data Lake Storage Gen2.

  5. Redundancy: Select Geo-redundant storage (GRS).

D. Encryption:

  1. Click on the Encryption tab.
  2. Check the box for Enable infrastructure encryption.

E. Review + Create

  1. Click on Review + Create
  2. Click on Create (Wait for your deployment to be completed)

DEPLOYMENT COMPLETED

Step 2: Set up a managed identity for the web app:

A. In the Azure portal, search for Managed Identities and select it from the results.

B. Click on +Create

C. Set up the Basics

  1. Select your resource group.
  2. Select the region you are working in.
  3. Give your managed identity a name.

D. Click on Review + Create tab, and then click on Create
(Wait for your deployment to be completed)

DEPLOYMENT COMPLETED

Step 3. Assign the appropriate permissions to the managed identity. The identity should only have permission to read and list containers and blobs.

A. Search for Storage accounts and navigate to the storage account you created earlier (storageacct1demo1).

B. Select Access Control (IAM) blade

C. Click on + Add and select Add Role Assignment

D. On the Role Tab:

  1. Click on Role.
  2. Select Job function roles.
  3. Search for Storage Blob Data Reader.
  4. Select Storage Blob Data Reader.
  5. Click Next.

E. On the Members tab:

  1. Select Managed identity.
  2. Click on + Select members.
  3. In the drop-down, select User-assigned managed identity.
  4. Select the managed identity you created earlier.
  5. Click on Select.

F. Click on the Review + assign tab and then select Review + assign

SECURING ACCESS TO THE STORAGE ACCOUNT USING AN AZURE KEY VAULT AND ENCRYPTION KEYS.

Step 1. To create the Key Vault and the encryption key required for this part of the lab, make sure your user account has Key Vault Administrator permissions:

A. In the Azure portal, search for Resource groups and select it from the results (press Enter on the keyboard to get the right one).

B. Select the resource group that contains your storage account and managed identity (RG1).

C. Access Control (IAM)

  1. Click on the Access Control (IAM) blade.
  2. Click on + Add.
  3. In the drop-down, select Add role assignment.

D. On the Role tab:

  1. On the Job function roles page, search for Key Vault Administrator.
  2. Select the Key Vault Administrator role from the search results.
  3. Click on Next.

E. Click on the Members tab

  1. Select User, group, or service principal.
  2. Click on + Select members.
  3. In the pane on the right side of the portal, search for and select your account.
  4. Click on Select.

F. Click on the Review + assign tab and then select Review + assign at the bottom left.

Step 2. Create a Key Vault to store the access keys:

A. In the Azure portal, search for Key vaults and select it from the results.

B. Click on + Create

C. On the Basics tab:

  1. Select the resource group you have been using for this project.
  2. Give this Key Vault a unique name (keyvault1demo1).
  3. Select the region you have been working in on the project.
  4. Pricing tier: Select Standard (because this is a demo).
  5. Then click on Next.

D. On the Access configuration tab, select Azure role-based access control (recommended).

E. Click on the Review + create tab and then click on Create.

F. Click on Go to resource after your deployment is complete.

G. Ensure that both Soft-delete and Purge protection are enabled. A storage account will only accept a customer-managed key from a vault that has both turned on, so check this before moving on.

Step 3. Create a customer-managed key in the Key Vault:

A. In your Key Vault:

  1. Go to the Objects section.
  2. Select the Keys blade.
  3. Click on Generate/Import.

B. Give the key a name (New-App-Key-Demo) and click on Create.

The key has been created.
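The same Part 1 setup (storage account, managed identity, least-privilege role assignment, Key Vault and key) as an Azure CLI script, added here as an example and not taken from the original post. The region and the managed identity name are assumptions; the other names are the ones used above. It also checks the storage account naming rule before calling the CLI.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the Part 1 portal steps as an
# Azure CLI script. Values marked "assumed" are placeholders; the rest are from the post.
set -eu
export LC_ALL=C                  # keep the [a-z] glob below ASCII-only

RG="RG1"                         # resource group name from the post
LOCATION="eastus"                # assumed region
STORAGE="storageacct1demo1"      # storage account name from the post
IDENTITY="newapp-identity"       # assumed managed identity name
KV="keyvault1demo1"              # key vault name from the post
KEY_NAME="New-App-Key-Demo"      # key name from the post

# Storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_name() {
  case "$1" in *[!a-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
}

deploy() {
  valid_storage_name "$STORAGE" || { echo "invalid storage account name: $STORAGE" >&2; return 1; }
  az group create --name "$RG" --location "$LOCATION" --output none
  # Step 1: geo-redundant storage with infrastructure (double) encryption.
  az storage account create --name "$STORAGE" --resource-group "$RG" --location "$LOCATION" \
    --sku Standard_GRS --kind StorageV2 --require-infrastructure-encryption true --output none
  # Step 2: user-assigned managed identity for the web app.
  local principal_id scope me rg_id
  principal_id=$(az identity create --name "$IDENTITY" --resource-group "$RG" \
    --location "$LOCATION" --query principalId --output tsv)
  # Step 3: least privilege - read/list blobs only, scoped to this one storage account.
  scope=$(az storage account show --name "$STORAGE" --resource-group "$RG" --query id --output tsv)
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$scope" --output none
  # Key Vault Administrator for the signed-in user on the resource group, needed to
  # create keys once the vault uses RBAC authorization (propagation can take a minute).
  me=$(az ad signed-in-user show --query id --output tsv)
  rg_id=$(az group show --name "$RG" --query id --output tsv)
  az role assignment create --assignee-object-id "$me" --assignee-principal-type User \
    --role "Key Vault Administrator" --scope "$rg_id" --output none
  # Key Vault with RBAC, soft delete (on by default) and purge protection, both of which
  # a storage account requires before it will accept a customer-managed key from the vault.
  az keyvault create --name "$KV" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization true --enable-purge-protection true --output none
  az keyvault key create --vault-name "$KV" --name "$KEY_NAME" --kty RSA --size 2048 --output none
}

# Run the deployment only when invoked as "./setup.sh deploy"; otherwise just define the functions.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it with `./setup.sh deploy` after `az login`; the script needs a subscription where you can create resource groups and role assignments.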

Note:
This wraps up Part 1 of our guide on how to set up secure, scalable storage for your new company app. In the next part, we’ll dive deeper into configuring access controls, setting up encryption scopes, and testing the storage setup end-to-end.

Stay tuned for Part 2 coming next!
