DEV Community

Cover image for How to Secure Azure Storage Using Managed Identities and RBAC
forsyth famous
forsyth famous

Posted on

How to Secure Azure Storage Using Managed Identities and RBAC

#azure #microsoft #cloud #security

Introduction

Modern cloud applications require secure ways to access storage resources without exposing sensitive credentials or access keys.

In Microsoft Azure, developers can secure storage accounts using Managed Identities, Role-Based Access Control (RBAC), and immutable storage policies.

In this guide, we’ll configure secure Azure Storage access while exploring identity-based authentication and protected immutable storage.

By the end of this tutorial, you’ll know how to:

  • Configure secure Azure Storage access
  • Use Managed Identities for authentication
  • Implement Azure RBAC
  • Configure immutable blob storage policies

Let’s build a more secure Azure storage environment.

What are Managed Identities and RBAC?

Managed Identities allow Azure resources to securely authenticate to other Azure services without storing credentials inside application code.

Azure Role-Based Access Control (RBAC) helps manage who or what can access Azure resources and what actions they can perform.

Together, these features help organizations:

  • Eliminate hardcoded credentials
  • Control access permissions centrally
  • Improve cloud security
  • Support least-privilege access principles

Immutable storage adds another layer of protection by preventing critical data from being modified or deleted during a retention period.

Prerequisites

Before we begin, ensure you have:

  • A Microsoft Azure account
  • An active Azure subscription
  • A stable internet connection
  • Access to the Azure Portal

Now come with me, let’s build a secure Azure storage environment.

Create the storage account and managed identity

  1. Provide a storage account for the web app.

    • In the portal, search for and select Storage accounts. storage
    • Select + Create. create
    • For Resource group select Create new. Give your resource group a name and select OK to save your changes. new rg
    • Provide a Storage account name. Ensure the name is unique and meets the naming requirements. unique
    • Move to the Encryption tab. encrypt
    • Check the box for Enable infrastructure encryption. check
    • Notice the warning, This option cannot be changed after this storage account is created. warning
    • Select Review + Create. Rev
    • Wait for the resource to deploy. wait

  2. Provide a managed identity for the web app to use. Learn more about managed identities.

    • Search for and select Managed identities. Man
    • Select Create. create
      • Select your resource group. RG
      • Give your managed identity a name. name
    • Select Review and create, and then Create. rve

  3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs.

    • Search for and select your storage account. storage
    • Select the Access Control (IAM) blade. IAM
    • Select Add role assignment (center of the page). role
    • On the Job functions roles page, search for and select the Storage Blob Data Reader role. JB
    • On the Members page, select Managed identity. MI
    • Select Select members, in the Managed identity drop-down select User-assigned managed identity. members UMI
    • Select the managed identity you created in the previous step. prevmi
    • Click Select and then Review + assign the role. select
    • Select Review + assign a second time to add the role assignment. create
    • Your storage account can now be accessed by a managed identity with the Storage Data Blob Reader permissions. now

Secure access to the storage account with a key vault and key

  1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions.

    • In the portal, search for and select Resource groups. RG
    • Select your resource group, and then the Access Control (IAM) blade. IAM
    • Select Add role assignment (center of the page). role
    • On the Job functions roles page, search for and select the Key Vault Administrator role. KVA
    • On the Members page, select User, group, or service principal. USER
    • Select Select members. mem
    • Search for and select your user account. Your user account is shown in the top right of the portal. search
    • Click Select and then Review + assign. revv
    • Select Review + assign a second time to add the role assignment. again
    • You are now ready to continue with the lab. A

  2. Create a key vault to store the access keys.

    • In the portal, search for and select Key vaults. b
    • Select Create. c
    • Select your resource group. d
    • Provide the name for the key vault. The name must be unique. d
    • Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected. R
    • Select Review + create. c
    • Wait for the validation checks to complete and then select Create. c
    • After the deployment, select Go to resource. g
    • On the Overview blade ensure both Soft-delete and Purge protection are enabled. P

  3. Create a customer-managed key in the key vault.

    • In your key vault, in the Objects section, select the Keys blade. K
    • Select Generate/Import and Name the key. G
    • Take the defaults for the rest of the parameters, and Create the key. ke

Configure the storage account to use the customer managed key in the key vault

  1. Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity.

    • In the portal, search for and select Resource groups. RG
    • Select your resource group, and then the Access Control (IAM) blade. IAM
    • Select Add role assignment (center of the page). role
    • On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role. k
    • On the Members page, select Managed identity. m
    • Select Select members, in the Managed identity drop-down select User-assigned managed identity. d
    • Select your managed identity. y
    • Click Select and then Review + assign. rr
    • Select Review + assign a second time to add the role assignment. rrr

  2. Configure the storage account to use the customer managed key in your key vault.

    • Return to your the storage account. r
    • In the Security + networking section, select the Encryption blade. en
    • Select Customer-managed keys. c
    • Select a key vault and key. Select your key vault and key. k
    • Select to confirm your choices. s
    • Ensure the Identity type is User-assigned. us
    • Select an identity. i
    • Select your managed identity then select Add. ss
    • Save your changes. s
    • If you receive an error that your identity does not have the correct permissions, wait a minute and try again.

Configure an time-based retention policy and an encryption scope.

  1. The developers require a storage container where files can’t be modified, even by the administrator.

    • Navigate to your storage account. r
    • In the Data storage section, select the Containers blade. cb
    • Create a container called hold. Take the defaults. Be sure to Create the container. n
    • Upload a file to the container. f s
    • In the Settings section, select the Access policy blade. a
    • In the Immutable blob storage section, select + Add policy. ad
    • For the Policy type, select time-based retention. tb
    • Set the Retention period to 5 days. 5
    • Be sure to Save your changes. s
    • Try to delete the file in the container. s d
    • Verify you are notified failed to delete blobs due to policy. e

  2. The developers require an encryption scope that enables infrastructure encryption.

    • Navigate back to your storage account. r
    • In the Security + networking blade, select Encryption. e
    • In the Encryption scopes tab, select Add. s
    • Give your encryption scope a name. n
    • The Encryption type is Microsoft-managed key. mm
    • Set Infrastructure encryption to Enable. e
    • Create the encryption scope. c
    • Return to your storage account and create a new container. cc
    • Give the New container, a Name. n
    • Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container. ad

Cleanup your resources

If you are working with your own subscription and have completed these labs, take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group.

  • In the Azure portal, select the resource group, select Delete the resource group, Enter resource group name, and then click Delete. rg nae delete
  • Using Azure PowerShell, Remove-AzResourceGroup -Name resourceGroupName.
  • Using the CLI, az group delete --name resourceGroupName.

Conclusion

Congratulations on successfully configuring secure Azure Storage access using Managed Identities, RBAC, and immutable storage policies.

In this lab, we explored how Azure security features can help organizations protect storage resources while simplifying authentication and access management.

Some key takeaways from this lab include:

  • Managed Identities eliminate the need for hardcoded credentials
  • Azure RBAC enables centralized access management
  • Immutable storage helps protect critical data from modification or deletion
  • Identity-based authentication improves cloud security posture

By completing this exercise, you have taken another important step in building practical Azure security and cloud administration skills.

See you in the next article.

Top comments (0)