DEV Community

How to provide storage for a new company app
EMMANUEL

Azure Storage Account is a foundational service in Microsoft Azure that provides cloud-based storage for a variety of data types.

A company is designing and developing a new app. The developers need to ensure the storage is only accessed using keys and managed identities, and they would like to use role-based access control. To help with testing, protected immutable storage is also needed.

Architecture diagram

In this article, to provide storage for the new company app, I will focus on these key skilling tasks:

  • Create the storage account and managed identity
  • Secure access to the storage account with a key vault and key
  • Configure the storage account to use the customer-managed key in the key vault
  • Configure a time-based retention policy and an encryption scope

Create a storage account and managed identity

1. Provide a storage account for the web app. Steps:

(a) In the Azure portal, search for and select Storage accounts

(b) Select + Create

(c) For Resource group, select Create new. Give the resource group a name and select OK to save your changes

(d) Provide a Storage account name. Ensure the name is unique and meets the naming requirements

(e) Move to the Encryption tab

(f) Check the box for Enable infrastructure encryption

(g) Select Review + Create. Wait for the resource to deploy

2. Provide a managed identity for the web app to use. Steps:

(a) In the portal, search for and select Managed identities

(b) Select + Create

(c) Select your resource group

(d) Give your managed identity a name

(e) Select Review and create, and then Create. Wait for the deployment to complete

3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs. Steps:

(a) Search for and select your storage account (newappstorageaccount)

(b) Select the Access Control (IAM) blade

(c) Select Add role assignment

(d) On the Job function roles page, search for and select the Storage Blob Data Reader role, then click Next

(e) On the Members page, select Managed identity

(f) Select Select members, and in the Managed identity drop-down select User-assigned managed identity

(g) Select the managed identity you created in the previous step, then click Select

(h) Select Review + assign

(i) Select Review + assign a second time to add the role assignment

Secure access to the storage account with a key vault and key

1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions. Steps:

(a) In the portal, search for and select Resource groups

(b) Select your resource group

(c) Go to the Access Control (IAM) blade and select Add role assignment

(d) On the Job function roles page, search for and select the Key Vault Administrator role

(e) On the Members page, select User, group, or service principal

(f) Select Select members

(g) Search for and select your user account. Your user account is shown in the top right of the portal. Click Select

(h) Select Review + assign, then select Review + assign a second time to add the role assignment

2. Create a key vault to store the key. Steps:

(a) In the portal, search for and select Key vaults

(b) Select + Create

(c) Select your resource group

(d) Provide a name for the key vault. The name must be unique

(e) On the Access configuration tab, ensure that Azure role-based access control (recommended) is selected

(f) Select Review + create. Wait for the validation checks to complete and then select Create

(g) After the deployment, select Go to resource

(h) On the Overview blade, ensure both Soft-delete and Purge protection are enabled

3. Create a customer-managed key in the key vault. Steps:

(a) In your key vault, in the Objects section, select the Keys blade

(b) Select Generate/Import

(c) Name the key. Take the defaults for the rest of the parameters, and Create the key

Configure the storage account to use the customer managed key in the key vault

1. Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. Steps:

(a) In the portal, search for and select Resource groups

(b) Select your resource group

(c) Go to the Access Control (IAM) blade and select Add role assignment

(d) On the Job function roles page, search for and select the Key Vault Crypto Service Encryption User role, then click Next

(e) On the Members page, select Managed identity

(f) Select Select members, and in the Managed identity drop-down select User-assigned managed identity

(g) Select your managed identity, then click Select

(h) Select Review + assign, then select Review + assign a second time to add the role assignment
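The key vault, key and role assignment from the last two sections as a Bicep template. This is an added example, not code from the article: names other than newappkeys are assumed, the managed identity from the first section is assumed to exist already, and the role-definition GUID is passed in as a parameter (look it up with `az role definition list --name "Key Vault Crypto Service Encryption User"`). Unlike the portal steps, it scopes the role to the vault itself rather than the whole resource group, which is all the identity needs.

```bicep
param location string = resourceGroup().location
param keyVaultName string = 'newappkeyvault'   // assumed; must be globally unique
param keyName string = 'newappkeys'            // key name used in the article
param identityName string = 'newappidentity'   // assumed name of the identity created earlier
param cryptoUserRoleId string                  // GUID of "Key Vault Crypto Service Encryption User" in your tenant

// The user-assigned managed identity already exists (created in the first section).
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // "Azure role-based access control (recommended)", no access policies
    enableSoftDelete: true        // both flags must be on before Storage will accept the vault for CMK
    enablePurgeProtection: true
  }
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: { kty: 'RSA', keySize: 2048 } // assumed to match the portal defaults
}

// Least privilege: the identity may only wrap/unwrap with the key; it cannot read, list or manage keys.
resource cryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoUserRoleId) // deterministic so redeploys are idempotent
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output keyVaultUri string = kv.properties.vaultUri
output keyName string = cmk.name
```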

2. Configure the storage account to use the customer-managed key in your key vault. Steps:

(a) Return to your storage account

(b) In the Security + networking section, select the Encryption blade

(c) Select Customer-managed keys

(d) Select a key vault and key

(e) Select your key vault and key. Select to confirm your choices

(f) Ensure the Identity type is User-assigned

(g) Select Select an identity

(h) Select your managed identity, then select Add

(i) Save your changes. If you receive an error that your identity does not have the correct permissions, wait a minute and try again
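The storage account settings from this section, together with the Storage Blob Data Reader assignment from the first section, as a Bicep template. This is an added example, not code from the article: it assumes the vault, key and identity above already exist and that the Key Vault Crypto Service Encryption User role has been assigned, names other than newappstorageaccount and newappkeys are assumed, and the Storage Blob Data Reader role GUID is passed in as a parameter.

```bicep
param location string = resourceGroup().location
param storageAccountName string = 'newappstorageaccount' // name used in the article; must be globally unique
param identityName string = 'newappidentity'             // assumed name of the user-assigned identity
param keyVaultName string = 'newappkeyvault'             // assumed name of the vault created earlier
param keyName string = 'newappkeys'                      // key name used in the article
param blobReaderRoleId string                            // GUID of "Storage Blob Data Reader" in your tenant

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  // The account carries the user-assigned identity; Storage uses it to unwrap the key in the vault.
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    encryption: {
      requireInfrastructureEncryption: true // "Enable infrastructure encryption": second, independent layer
      keySource: 'Microsoft.Keyvault'       // "Customer-managed keys" instead of Microsoft-managed
      keyvaultproperties: {
        keyvaulturi: kv.properties.vaultUri
        keyname: keyName                    // no keyversion: Storage follows the latest key version
      }
      identity: { userAssignedIdentity: uami.id } // "Identity type: User-assigned"
    }
  }
}

// Data-plane least privilege: the app identity can read and list blobs, nothing else.
resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, uami.id, blobReaderRoleId)
  scope: sa
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobReaderRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```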

Configure a time-based retention policy and an encryption scope

1. The developers require a storage container where files can't be modified, even by the administrator. Steps:

(a) Navigate to your storage account

(b) In the Data storage section, select the Containers blade

(c) Create a container called hold. Take the defaults. Be sure to Create the container

(d) Upload a file to the container

(e) In the Settings section, select the Access policy blade

(f) In the Immutable blob storage section, select + Add policy

(g) For the Policy type, select Time-based retention. Set the Retention period to 5 days. Be sure to Save your changes

(h) Try to delete the file in the container. Verify you are notified that the blob could not be deleted because of the policy

2. The developers require an encryption scope that enables infrastructure encryption. Steps:

(a) Navigate back to your storage account

(b) In the Security + networking section, select the Encryption blade

(c) On the Encryption scopes tab, select + Add

(d) Give your encryption scope a name. The Encryption type is Microsoft-managed key. Set Infrastructure encryption to Enable

(e) Create the encryption scope

(f) Return to your storage account

(g) Create a new container

(h) On the New container page, notice the Name and Public access level fields. In the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container
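The immutable container and the encryption scope from this section as a Bicep template, applied to the storage account created earlier. This is an added example, not code from the article; the scope and second container names are assumed, and the retention period is the article's 5 days. A newly created time-based policy is unlocked: it already blocks deletes and overwrites of blobs, but an administrator can still modify or remove the policy itself until it is locked.

```bicep
param storageAccountName string = 'newappstorageaccount' // account created earlier
param encryptionScopeName string = 'newappscope'         // assumed name
param retentionDays int = 5                              // value used in the article

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: sa
  name: 'default'
}

// Container "hold": blobs cannot be deleted or overwritten until retentionDays after creation, by anyone.
resource hold 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'hold'
}

resource holdRetention 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2023-01-01' = {
  parent: hold
  name: 'default' // the only permitted name; one policy per container
  properties: {
    immutabilityPeriodSinceCreationInDays: retentionDays
    allowProtectedAppendWrites: false // no appends either; the policy is created unlocked, lock it after testing
  }
}

// Encryption scope with a Microsoft-managed key plus infrastructure (double) encryption.
resource scope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-01-01' = {
  parent: sa
  name: encryptionScopeName
  properties: {
    source: 'Microsoft.Storage'            // "Encryption type: Microsoft-managed key"
    requireInfrastructureEncryption: true  // "Infrastructure encryption: Enable"
    state: 'Enabled'
  }
}

// Second container with the scope applied to every blob, as in the Advanced section of the portal form.
resource hold2 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'hold2'
  properties: {
    defaultEncryptionScope: scope.name
    denyEncryptionScopeOverride: true // uploads cannot pick a different scope
  }
}
```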

Top comments (1)

Skill.Sch: Well done