When building cloud-native applications, securing your storage resources is a top priority. Azure provides powerful tools like Managed Identities, Key Vault, Customer-Managed Keys (CMKs), and Immutable Storage to help you do just that.
In this guide, we’ll walk through how to:
- Create a storage account with infrastructure encryption
- Set up a managed identity and assign access
- Create a Key Vault with customer-managed keys
- Configure your storage account to use those keys
- Set up immutable blob storage and encryption scopes
✅ Step 1: Create the Storage Account
- In the Azure Portal, search for Storage accounts and click + Create.
- Create a new Resource Group, name it accordingly.
- Provide a unique name for your storage account.
- Navigate to the Encryption tab.
- Enable the checkbox for Infrastructure encryption. This adds a second, independent layer of 256-bit AES encryption at the infrastructure level on top of the default service-level encryption, so a compromise of one key or algorithm does not expose the data.
⚠️ This setting cannot be changed after the account is created; an existing account cannot be switched to infrastructure encryption later.
- Click Review + Create, then Create the storage account.
✅ Step 2: Create a User-Assigned Managed Identity
- In the Azure Portal, search for Managed identities and click + Create.
- Choose the same Resource Group.
- Name your managed identity (e.g., ezekielmanagedidentity).
- Click Review + create, then Create.
✅ Step 3: Assign Storage Permissions to the Managed Identity
- Go to your Storage Account > Access Control (IAM).
- Click + Add role assignment.
- Select Storage Blob Data Reader. This is a data-plane role for workloads that will run as this identity and read blobs; the customer-managed key configuration in Step 7 does not depend on it, only on the Key Vault role granted in Step 6.
- On the Members tab:
- Choose Managed identity
- Select User-assigned managed identity
- Pick the identity you created earlier
- Click Review + assign (twice to confirm).
✅ Step 4: Give Yourself Key Vault Administrator Access
- Go to Resource Group > Access Control (IAM).
- Click + Add role assignment.
- Choose the Key Vault Administrator role.
- Select User, group, or service principal.
- Pick your user account from the list.
- Click Review + assign (twice).
✅ Step 5: Create a Key Vault and a Key
- In the Azure Portal, search for Key vaults and click + Create.
- Use your existing Resource Group and give the vault a unique name.
- On the Access Configuration tab, ensure Azure role-based access control (recommended) is selected.
- Click Review + create, then Create.
- After deployment, click Go to resource.
- Confirm that Soft-delete and Purge protection are both enabled (Settings > Properties). Soft-delete is on by default, but purge protection is not; turn it on if it is off, because the storage account's customer-managed key configuration requires both. Note that purge protection cannot be disabled once enabled.
- Under Keys, click + Generate/Import.
- Provide a name, leave other settings as default, and click Create.
✅ Step 6: Grant Encryption Role to the Managed Identity
- Go to your Key Vault > Access Control (IAM). (Assigning at the Resource Group also works, but the vault is the narrowest scope the identity needs.)
- Click + Add role assignment.
- Select Key Vault Crypto Service Encryption User. This role allows only reading key metadata and wrapKey/unwrapKey, which is all the storage service needs to protect its data encryption key with your key.
- Choose Managed identity, then select your user-assigned identity.
- Click Review + assign (twice).
✅ Step 7: Configure Customer-Managed Key on the Storage Account
- Go back to your Storage Account > Encryption.
- Switch to Customer-managed keys.
- Select your Key Vault and the key you created earlier.
- Set Identity type to User-assigned.
- Select your managed identity and click Add.
- Click Save.
🔁 If you get an error, wait a few minutes to let permissions propagate, then retry.
✅ Step 8: Configure Immutable Blob Storage
- Navigate to your Storage Account > Containers.
- Click + Container, name it hold, and create it with default settings.
- Upload a test file to the container.
- Go to Settings > Access policy.
- Under Immutable blob storage, click + Add policy.
- Policy type: Time-based retention
- Retention period: 5 days
- Save the changes.
🧪 Try deleting the file. The delete fails with an error because of the retention policy. Be aware that the policy is created in the unlocked state: an unlocked policy already blocks deletion and overwriting of blobs, but the policy itself can still be removed or its retention shortened by anyone with permission to change it. For a true WORM guarantee, lock the policy; once locked, the retention period can only be extended and the policy cannot be deleted.
✅ Step 9: Create an Encryption Scope with Infrastructure Encryption
- Go back to your Storage Account > Encryption > Encryption scopes tab.
- Click + Add.
- Name your scope (e.g., myezekielwncryptionscope).
- Set:
- Encryption type: Microsoft-managed keys
- Infrastructure encryption: Enabled
- Click Create.
✅ Step 10: Use the Encryption Scope in a New Container
- Return to your Storage Account > Containers.
- Click + Container.
- Provide a Name and leave Public access level at Private (no anonymous access).
- Under Advanced, choose the Encryption scope you created.
- Create the container.
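As an added example (not part of the original post), the same procedure expressed as a single Bicep template, which is how you would make the configuration repeatable and reviewable. It covers Steps 1 to 3 and 5 to 10; Step 4 is assumed, i.e. the principal running the deployment already holds Key Vault Administrator and is allowed to create role assignments (Owner or User Access Administrator on the resource group). The storage account name, vault name, key name `storage-cmk`, scope name `infra-scope` and container name `scoped` are placeholders; `ezekielmanagedidentity` and `hold` are the names used above. The two role definition GUIDs are Azure's built-in IDs for Storage Blob Data Reader and Key Vault Crypto Service Encryption User.

```bicep
// Added example: Steps 1-3 and 5-10 of the walkthrough as one Bicep deployment.
param location string = resourceGroup().location
param storageAccountName string   // placeholder: 3-24 lowercase alphanumerics, globally unique
param keyVaultName string         // placeholder: globally unique
param identityName string = 'ezekielmanagedidentity'
param keyName string = 'storage-cmk'                  // placeholder
param encryptionScopeName string = 'infra-scope'      // placeholder
param retentionDays int = 5

// Built-in role definition GUIDs (identical in every Azure tenant)
var storageBlobDataReader = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var kvCryptoServiceEncryptionUser = 'e147488a-f6f5-4113-8e2d-b22465e65bf6'

// Step 2: user-assigned managed identity
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Step 5: RBAC-mode vault; soft delete and purge protection are required for CMK
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true // cannot be turned off once set
  }
}
resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: { kty: 'RSA', keySize: 2048 }
}

// Step 6: get/wrap/unwrap only, scoped to the vault rather than the resource group
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, kvCryptoServiceEncryptionUser)
  scope: kv
  properties: {
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvCryptoServiceEncryptionUser)
  }
}

// Steps 1 and 7: infrastructure encryption is fixed at creation; the CMK is used via the UAMI
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    encryption: {
      requireInfrastructureEncryption: true
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: { keyname: key.name, keyvaulturi: kv.properties.vaultUri } // no keyversion: auto-rotate
      identity: { userAssignedIdentity: uami.id }
    }
  }
  dependsOn: [kvRole] // the wrap/unwrap grant must exist before the account first uses the key
}

// Step 3: data-plane read for workloads running as the identity (not needed for CMK itself)
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, uami.id, storageBlobDataReader)
  scope: sa
  properties: {
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReader)
  }
}
resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: sa
  name: 'default'
}

// Step 8: 'hold' container with a time-based retention policy (created unlocked; lock it for WORM)
resource hold 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'hold'
  properties: { publicAccess: 'None' }
}
resource holdPolicy 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2023-01-01' = {
  parent: hold
  name: 'default' // the only name the API accepts
  properties: { immutabilityPeriodSinceCreationInDays: retentionDays, allowProtectedAppendWrites: false }
}

// Step 9: encryption scope with a Microsoft-managed key plus infrastructure encryption
resource encScope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-01-01' = {
  parent: sa
  name: encryptionScopeName
  properties: { source: 'Microsoft.Storage', state: 'Enabled', requireInfrastructureEncryption: true }
}

// Step 10: container pinned to that scope; denyEncryptionScopeOverride stops per-blob opt-outs
resource scoped 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'scoped'
  properties: { publicAccess: 'None', defaultEncryptionScope: encScope.name, denyEncryptionScopeOverride: true }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters storageAccountName=<name> keyVaultName=<name>`. Two things worth noting versus the portal walkthrough: the role assignment for the identity is scoped to the vault instead of the resource group, and the storage account declares `dependsOn: [kvRole]` so that the wrap/unwrap grant exists before the account is created with the key; if the deployment still fails on the first attempt with a key access error, that is the same propagation delay mentioned in Step 7, and re-running the deployment is safe because every resource here is idempotent.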