How to create a storage with access to only those with specific keys and identities

hello everyone! today we will be looking at How to create a storage with access to only those with specific keys and identities in a situation we're a company wants to build an app

first we create a storage account as always

• click encryption

• select enable encryption
  

• go to resource

• Search for and select Managed identities

• select your resource group, give your identy a name and then review and create.

• select access control, Add role assignment

• On the Job functions roles page, search for and select the Storage Blob Data Reader role
  

• On the Members page, select Managed identity.
  Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  Select the managed identity you created in the previous step.
  Click Select

• final create

** now to restrict access to only those with vault keys**

• select your resource group

-select access control, Add role assignment

• On the Job functions roles page, search for and select the Key Vault Administrator role
  

• On the Members page, select User, group, or service principal.
  Select Select members.
  Search for and select your user account. Your user account is shown in the top right of the portal.
  Click Select

• create
  

• search key vault

• name your vault

• Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
  

• create

• enable both

• enable purge
  

• objects, keys

• create key in vault key

Configure the storage account to use the customer managed key in the key vault

• select resource

• access control
  

• On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role

• Select Select members, in the Managed identity drop-down select User-assigned managed identity

Configure the storage account to use the customer managed key in your key vault

• select your storage account

• selecting keys
  

• Select Customer-managed keys.
  Select a key vault and key. Select your key vault and key.
  Select to confirm your choices.

• identity type
  

• select your identity
  

Configure an time-based retention policy and an encryption scope
if The developers require a storage container where files can’t be modified, even by the administrator

• select your account

• select container

-give container name

• uplaod a file to container

• put retention time to 5days

• Try to delete the file in the container. Verify you are notified failed to delete blobs due to policy.

• confirm delete error message

if the developers require an encryption scope that enables infrastructure encryption

• your storage account

• select encryption in network

• create new conatainer and apply your encryption

Comments

[SKILL.SCH]

Welldone!