Raphael Olaniyi

Securing App Development with Managed Identities and Role-Based Access Control

The company is designing a new app that must access Azure Storage securely, using a customer-managed key and a managed identity instead of shared account keys. The developers want role-based access control on the storage account and an immutable container that protects test data from modification or deletion.

Our goals are as follows:

  • Create the storage account and managed identity.
  • Secure access to the storage account using a key vault and key.
  • Configure the storage account to use the customer-managed key in the key vault.
  • Set up a time-based retention policy and an encryption scope.

Create the storage account and managed identity
Provide a storage account for the web app.
In the portal, search for and select Storage accounts.

Select + Create.

For Resource group select Create new. Give your resource group a name and select OK to save your changes.

Provide a Storage account name. The name must be globally unique and consist of 3 to 24 lowercase letters and numbers only.

Move to the Encryption tab.
Check the box for Enable infrastructure encryption. This adds a second, independent layer of encryption at the infrastructure level, with a different key and algorithm, on top of the default service-level encryption.
Notice the warning: this option cannot be changed after the storage account is created.

Select Review + Create, and then Create.

Wait for the resource to deploy.

Provide a managed identity for the web app to use.
Search for and select Managed identities.

Select Create.

Select your resource group.

Give your managed identity a name.

Select Review + create, and then Create.

Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs, so the built-in Storage Blob Data Reader role is sufficient. It is a data-plane role: it grants no management access to the account and, in particular, no ability to list or use the account access keys.

Search for and select your storage account.

Select the Access Control (IAM) blade.

Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Storage Blob Data Reader role.

On the Members page, select Managed identity.

Select Select members, in the Managed identity drop-down select User-assigned managed identity.

Select the managed identity you created in the previous step.

Click Select, and then Review + assign. Select Review + assign a second time to add the role assignment.

Your storage account can now be read by the managed identity through the Storage Blob Data Reader role. Role assignments can take a few minutes to propagate before the identity's requests succeed.

Secure access to the storage account with a key vault and key
To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions. With the Azure RBAC permission model used below, control-plane roles such as Owner or Contributor do not grant access to keys; a data-plane role such as Key Vault Administrator is required.

In the portal, search for and select Resource groups.

Select your resource group, and then the Access Control (IAM) blade.

Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Administrator role.

On the Members page, select User, group, or service principal.

Select Select members.

Search for and select your user account. Your user account is shown in the top right of the portal.

Click Select and then Review + assign.

Select Review + assign a second time to add the role assignment.

You are now ready to continue with the lab.

Create a key vault to hold the customer-managed key.

In the portal, search for and select Key vaults.
Select Create.

Select your resource group.

Provide the name for the key vault. The name must be unique.

On the Access configuration tab, ensure that Azure role-based access control (recommended) is selected. With this permission model, access to keys is governed by Azure RBAC role assignments such as the ones in this lab, rather than by legacy vault access policies.

Select Review + create.

Wait for the validation checks to complete and then select Create.

After the deployment, select Go to resource.

On the Overview blade, ensure both Soft-delete and Purge protection are enabled. Both are required on a vault that holds a storage account's customer-managed key. Purge protection cannot be disabled once it is turned on, so a deleted key, and therefore the data it protects, stays recoverable for the retention period.

Create a customer-managed key in the key vault.

In your key vault, in the Objects section, select the Keys blade.

Select Generate/Import and name the key.

Take the defaults for the rest of the parameters (Key type RSA, RSA key size 2048) and Create the key.

Configure the storage account to use the customer-managed key in the key vault
Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. This built-in role allows only reading key metadata and the wrapKey and unwrapKey operations, which is all the storage service needs to wrap and unwrap the account's encryption key; it cannot create, delete or export keys. The lab assigns the role at resource-group scope, so it covers every vault in the group; assigning it on the key vault itself is the tighter choice.

In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.

Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

On the Members page, select Managed identity.

Select Select members, in the Managed identity drop-down select User-assigned managed identity.

Select your managed identity.

Click Select and then Review + assign.

Select Review + assign a second time to add the role assignment.

Configure the storage account to use the customer-managed key in your key vault.

Return to your storage account.

In the Security + networking section, select the Encryption blade.

Select Customer-managed keys.

Choose Select a key vault and key, and then select your key vault and key.

Click Select to confirm your choices.

Ensure the Identity type is User-assigned.

Select an identity.

Select your managed identity then select Add.

Save your changes.

If you receive an error that your identity does not have the correct permissions, the role assignment has probably not propagated yet; wait a minute and try again.
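The three portal procedures above (storage account and identity, key vault and key, customer-managed key) can be expressed as a single Bicep deployment. The following is an added example written for this article, not part of the original lab or of any Microsoft sample; the parameter defaults, resource names, SKU and redundancy are assumptions, and the Key Vault Crypto Service Encryption User role is scoped to the vault rather than to the resource group the lab uses:

```bicep
// Added example, not from the original lab. Deploys to an existing
// resource group and performs the portal steps above in one pass.
// Every default value below is an assumed name, not taken from the lab.
targetScope = 'resourceGroup'

@description('3-24 lowercase letters and digits, globally unique')
param storageAccountName string
@description('Globally unique key vault name')
param keyVaultName string
param identityName string = 'id-webapp'
param keyName string = 'storage-cmk'
param location string = resourceGroup().location

// Built-in role definition IDs (identical in every Azure tenant)
var storageBlobDataReader = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var kvCryptoServiceEncryptionUser = 'e147488a-f6f5-4113-8e2d-b22465e65bf6'

// User-assigned managed identity the web app will run as
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Key vault with the RBAC permission model. Soft delete and purge
// protection are required for a vault that holds a storage CMK.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// Customer-managed key (the portal defaults: RSA, 2048 bits)
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: { kty: 'RSA', keySize: 2048 }
}

// Key Vault Crypto Service Encryption User: get/wrapKey/unwrapKey only.
// Scoped to this vault instead of the resource group used in the lab.
resource kvCryptoRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, kvCryptoServiceEncryptionUser)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvCryptoServiceEncryptionUser)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'   // avoids replication-delay failures
  }
}

// Storage account. requireInfrastructureEncryption is fixed at creation;
// the CMK is read from the vault through the user-assigned identity.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }   // redundancy is an example choice
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uami.id}': {} }
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    encryption: {
      requireInfrastructureEncryption: true
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: uami.id }
      keyvaultproperties: {
        keyname: cmk.name
        keyvaulturi: kv.properties.vaultUri
      }
    }
  }
  dependsOn: [ kvCryptoRole ]   // role must exist before the key is wrapped
}

// Data-plane read/list only: no account keys, no writes, no deletes
resource blobReaderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, uami.id, storageBlobDataReader)
  scope: sa
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReader)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploy it with `az deployment group create -g <resource-group> -f main.bicep -p storageAccountName=<name> keyVaultName=<name>` from an account that holds Key Vault Administrator, as the lab requires. The explicit dependsOn and principalType: 'ServicePrincipal' address the same problem the lab works around by waiting a minute and retrying: the storage service checks the identity's vault permissions when it first wraps the account key, and a role assignment that has not yet replicated makes that check fail.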

Configure a time-based retention policy and an encryption scope
The developers require a storage container where files can't be modified or deleted, even by an administrator. A time-based retention policy on the container provides this: blobs can be read, but not overwritten or deleted, until the retention period has elapsed. Note that a newly created policy is unlocked, and an unlocked policy can still be shortened or deleted by anyone with permission to manage the container; lock the policy once you have tested it to make the protection irreversible.

Navigate to your storage account.
In the Data storage section, select the Containers blade.

Create a container called hold. Take the defaults. Be sure to Create the container.

Upload a file to the container.

In the Settings section, select the Access policy blade.

In the Immutable blob storage section, select + Add policy.

For the Policy type, select time-based retention.

Set the Retention period to 5 days. Be sure to Save your changes.

Try to delete the file in the container. Verify that you are notified that the blob could not be deleted because of the policy; overwriting the blob is blocked in the same way.

The developers require an encryption scope that enables infrastructure encryption. An encryption scope lets you apply a distinct encryption configuration to individual containers or blobs within the same storage account.

Navigate back to your storage account.
In the Security + networking blade, select Encryption.

In the Encryption scopes tab, select Add.

Give your encryption scope a name.

The Encryption type is Microsoft-managed key.

Set Infrastructure encryption to Enable.
Create the encryption scope.

Return to your storage account and create a new container.
Notice on the New container page the Name and Public access level settings.
Notice in the Advanced section that you can select the Encryption scope you created and apply it to all blobs in the container. The scope is bound when the container is created; when it is applied to all blobs, uploads that request a different scope are rejected.
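The retention policy and encryption scope steps above, as an added Bicep example that is not part of the original lab. It assumes the storage account created earlier already exists in the target resource group and is passed in as storageAccountName; the container name scoped, the scope name and the retention period parameter are assumptions:

```bicep
// Added example, not from the original lab. Assumes the storage account
// named in storageAccountName already exists in this resource group.
param storageAccountName string
param scopeName string = 'scope-infra'
param retentionDays int = 5

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: sa
  name: 'default'
}

// Container 'hold' with a time-based retention policy. The policy is
// created unlocked: blobs cannot be deleted or overwritten while it is in
// effect, but the policy itself can still be shortened or removed until it
// is locked. Protected append writes stay disabled so blobs are fully WORM.
resource hold 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'hold'
  properties: { publicAccess: 'None' }
}

resource holdPolicy 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2023-01-01' = {
  parent: hold
  name: 'default'   // the only permitted name for this resource
  properties: {
    immutabilityPeriodSinceCreationInDays: retentionDays
    allowProtectedAppendWrites: false
  }
}

// Encryption scope: Microsoft-managed key plus infrastructure encryption
resource scope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-01-01' = {
  parent: sa
  name: scopeName
  properties: {
    source: 'Microsoft.Storage'
    state: 'Enabled'
    requireInfrastructureEncryption: true
  }
}

// New container bound to the scope. Denying override means every blob in
// it uses this scope, regardless of what the uploading client requests.
resource scoped 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'scoped'
  properties: {
    publicAccess: 'None'
    defaultEncryptionScope: scope.name
    denyEncryptionScopeOverride: true
  }
}
```

Bicep can create the retention policy but cannot lock it, because locking is a separate action rather than a property of the resource. After testing, lock it with `az storage container immutability-policy lock` (the command requires the policy's current ETag); from then on the retention period can only be extended, never shortened, and the policy can no longer be deleted.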
