Baridiilo Poromon

How to provide storage for a new company app in Azure

Step 1: Create a Storage Account. In the Azure portal, search for "Storage accounts" and select it. Click "+ Create." For the Resource group, select "Create new," provide a name, and click "OK." Provide a unique storage account name.

[Image: storage account company app]

Move to the "Encryption" tab and check "Enable infrastructure encryption." Note the warning: this option cannot be changed after the storage account is created.

[Image: encryption tab]

Click "Review + Create" and wait for the deployment to complete.

Step 2: Provide a Managed Identity. Search for and select "Managed identities." Click "Create." Select your resource group and provide a name for the managed identity. Click "Review + create," then "Create."

[Image: managed identity]

Assign Permissions to the Managed Identity: Search for and select your storage account. Go to the "Access Control (IAM)" blade and click "Add role assignment." Search for and select the "Storage Blob Data Reader" role.

[Image: permissions to managed identity]

On the Members page, select "Managed identity," then "User-assigned managed identity." Select your managed identity and click "Select." Click "Review + assign" twice to confirm.

[Image: user assigned managed identity]

Step 3: Secure Access with a Key Vault and Key. Search for and select "Resource groups." Select your resource group and go to the "Access Control (IAM)" blade. Click "Add role assignment," then search for and select the "Key Vault Administrator" role. Select "User, group, or service principal," then your user account. Click "Review + assign" twice to confirm. With a key vault in Azure RBAC mode, this role is what allows your account to create keys in the vault in the following steps.

[Image: key vault iam]

Create a Key Vault: Search for and select "Key vaults," then click "Create." Select your resource group and provide a unique name for the key vault. On the Access configuration tab, ensure "Azure role-based access control (recommended)" is selected. Click "Review + create," wait for validation, then click "Create."

[Image: create key vault]

Ensure both Soft-delete and Purge protection are enabled; a storage account will not accept a key from this vault as a customer-managed key unless both are on.

[Image: soft delete and purge]

Create a Customer-Managed Key: In the key vault, go to the "Keys" blade and select "Generate/Import." Name the key and take the defaults for the rest of the parameters. Click "Create."

[Image: customer managed key]

Step 4: Configure the Storage Account to Use the Customer-Managed Key. Search for and select "Resource groups." Select your resource group and go to the "Access Control (IAM)" blade. Click "Add role assignment," then search for and select the "Key Vault Crypto Service Encryption User" role. On the Members page, select "Managed identity," then "User-assigned managed identity." Select your managed identity and click "Select." Click "Review + assign" twice to confirm. This role lets the managed identity wrap and unwrap the storage encryption key without being able to read or change the key itself.

[Image: key vault encryption]

Configure Storage Account Encryption: Return to your storage account and go to the "Encryption" blade under the Security + networking section. Select "Customer-managed keys," then select your key vault and key. Ensure the Identity type is "User-assigned" and select your managed identity. Click "Add" and save your changes.

[Image: storage account encryption]

Step 5: Configure a Time-Based Retention Policy and an Encryption Scope. In your storage account, go to "Containers" and create a container called "hold."

[Image: time based retention]

Upload a file to the container. In the "Settings" section, select the "Access policy" blade. Add a policy with the type "time-based retention" and set the retention period to 5 days. Save your changes and verify that deleting the file fails due to the policy.

[Image: access policy blade]

Create an Encryption Scope: Navigate back to your storage account and select "Encryption" under the Security + networking section. On the "Encryption scopes" tab, click "Add." Provide a name for the encryption scope and set the Encryption type to "Microsoft-managed key." Enable Infrastructure encryption and create the encryption scope.

[Image: encryption scope microsoft managed key]
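Steps 1 through 4 above, expressed as a single Bicep template (an added example, not part of the original post): the storage account with infrastructure encryption, the user-assigned identity, the RBAC-mode key vault with soft-delete and purge protection, the key, the Crypto Service Encryption User assignment and the customer-managed key configuration. The resource names (id-companyapp, storage-cmk, the kv-app and stapp prefixes) are placeholders; the role GUID is Azure's built-in one. The Blob Data Reader assignment, the "hold" container with its retention policy and the encryption scope from steps 2 and 5 are left out.

```bicep
param location string = resourceGroup().location
var kvCryptoUserRole = 'e147488a-f6f5-4113-8e2d-b22465e65bf6' // built-in "Key Vault Crypto Service Encryption User"

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-companyapp' // placeholder name
  location: location
}
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-app-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true // "Azure role-based access control (recommended)"
    enableSoftDelete: true        // Storage refuses a customer-managed key unless
    enablePurgeProtection: true   // both soft-delete and purge protection are on
  }
}
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: keyVault
  name: 'storage-cmk' // placeholder name
  properties: { kty: 'RSA', keySize: 2048 }
}
// Grant wrap/unwrap to the identity before Storage first tries to use the key (step 4, first part)
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, identity.id, kvCryptoUserRole)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvCryptoUserRole)
    principalId: identity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'stapp${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identity.id}': {} } }
  dependsOn: [ kvRole ] // explicit: the role must exist before the key is referenced
  properties: {
    encryption: {
      requireInfrastructureEncryption: true // cannot be changed after creation
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: { keyname: cmk.name, keyvaulturi: keyVault.properties.vaultUri }
      identity: { userAssignedIdentity: identity.id }
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`; if the first attempt fails on the key reference, RBAC propagation has usually not finished yet and a retry a minute later succeeds.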
