DEV Community

Dumka Esaenwi
Dumka Esaenwi

Posted on

Implementing Secure Access and Immutable Storage in App Development Using Role-Based Access Control and Managed Identities"

Establish the managed identity and storage account.

1. Give the web app a storage account.

  • Look for and choose Storage accounts on the portal.**
  • Click + Create. Image description
  • Choose Create new under Resource group. To save your changes,
  • choose OK after giving your resource group a name.
  • Give the name of your Storage account. Make that the name satisfies the naming standards and is unique. Image description
  • Go to the tab for encryption.
  • Enable infrastructure encryption by checking the box.
  • Take note of the notice that once this storage account is created, it cannot be modified.
  • Click on Review + Create.
  • Await the resource's deployment. Image description 2. Give the web application a controlled identity to utilize.
  • Look for Managed identities and click on it.
  • Choose "Create." Image description
  • Decide which resource group to use.
  • Give a name to your managed identity.
  • Choose Review and then click on Create.

Image description

3. Assign the managed identity the appropriate permissions. All the identity has to do is read and list blobs and containers.

  • Find and choose your storage account.
  • Choose the blade for access control (IAM).
  • On the page, select Add role assignment in the center. Image description
  • Look for and choose the Storage Blob Data Reader role from the list of job duties roles on the page. Image description
  • Click Managed identity under Members.
  • Choose Select members, then choose User-assigned managed identity from the Managed identity drop-down menu.
  • Choose the managed identity that you established in the preceding stage.
  • Click Select and then Review + assign the position. To add the role assignment, select Review + assign again. Image description

Secure access to the storage account with a key vault and key

1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions.

  • Look for and select Resource groups in the portal.
  • Then, select the Access Control (IAM) blade after selecting your resource group.
  • On the page, select Add role assignment in the center. Image description
  • Locate and pick the Key Vault Administrator role from the list of job functions roles. Image description
  • Choose User, group, or service principal from the Members page.
  • Choose a member from the list.
  • Locate and choose your user account. In the upper right corner of the site, you can see your user account. Image description
  • After selecting, click Review + assign.
  • To add the role assignment, select Review + assign again.
  • You can now carry out the remaining tasks in the lab.

Learn more about how to provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.


2. To keep the access keys safe, construct a key vault.

  • Look for and choose Key vaults in the portal.
  • Choose "Create." Image description
  • Decide which resource group to use.
  • Tell us the name of the key vault. The name needs to be distinct. Image description
  • Ensure Azure role-based access control (recommended) is chosen on the Access configuration tab.
  • Click Review + Create.
  • After the validation checks are finished, choose Create. Image description
  • Choose Go to resource once the deployment is complete.
  • Make sure that Purge and Soft-delete protection are turned on for the Overview blade. Image description
  1. Create a customer-managed key in the key vault. In your key vault, in the Objects section, select the Keys blade. Select Generate/Import and Name the key.

Image description

Take the defaults for the rest of the parameters, and Create the key.
Image description

Configure the storage account to use the customer managed key in the key vault

Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. Learn more about how to use a system-assigned managed identity to authorize access

  • In the portal, search for and select Resource groups.
  • Select your resource group, and then the Access Control (IAM) blade.
  • Select Add role assignment (center of the page). Image description On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role. Image description
  • On the Members page, select Managed identity.
  • Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  • Select your managed identity.
  • Click Select and then Review + assign.
  • Select Review + assign a second time to add the role assignment. Image description
  1. Configure the storage account to use the customer managed key in your key vault. Learn more about customer managed keys on an existing storage account.
  • Return to your the storage account.
  • In the Security + networking section, select the Encryption blade.
  • Select Customer-managed keys. Image description
  • Select a key vault and key. Select your key vault and key.
  • Select to confirm your choices. Image description
  • Ensure the Identity type is User-assigned.
  • Select an identity.
  • Select your managed identity then select Add.
  • Save your changes. Image description If you receive an error that your identity does not have the correct permissions, wait a minute and try again.

Configure an time-based retention policy and an encryption scope.

  1. The developers require a storage container where files can’t be modified, even by the administrator. Learn more about blob immutable storage.
  • Navigate to your storage account.
  • In the Data storage section, select the Containers blade.
  • Create a container called hold. Take the defaults. Be sure to Create the container. Image description
  • Upload a file to the container. Image description
  • In the Settings section, select the Access policy blade.
  • In the Immutable blob storage section, select + Add policy.
  • For the Policy type, select time-based retention.
  • Set the Retention period to 5 days. Be sure to Save your changes. Image description Try to delete the file in the container. Verify you are notified failed to delete blobs due to policy.
  1. The developers require an encryption scope that enables infrastructure encryption. Learn more about infrastructure encryption.
  • Navigate back to your storage account.
  • In the Security + networking blade, select Encryption.
  • In the Encryption scopes tab, select Add.
  • Give your encryption scope a name.
  • The Encryption type is Microsoft-managed key.
  • Set Infrastructure encryption to Enable.
  • Create the encryption scope. Image description
  • Return to your storage account and create a new container.
  • Notice on the New container page, there is the Name and Public access level. Image description
  • Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.

By following these steps, you will have successfully created a secure storage account and managed identity in Azure, enhancing the overall security and compliance of your web applications.

Top comments (1)

Collapse
 
realcloudprojects profile image
Skill Schule

neat, welldone!

Read next

arindam_1729 profile image

9 Open Source Libraries to Supercharge Your Next Project 🔋⚡️

Arindam Majumder -

grahamthedev profile image

Alphanumeric / Natural sort in MySQL - 30 years and we still can't do this? 😤

GrahamTheDev -

codepo8 profile image

What’s your excuse for not using the web share API?

Christian Heilmann -

stevendev0822 profile image

How to integrate ERC20 token presale smart contract with Frontend

Steven -