1 hour 52 minutes
In this next lesson, we're gonna talk about how we can secure our storage accounts using Azure Active directory.
Our objectives include using azure active directory with our storage services and the different ways we can interact with them.
And finally, how we get authorized access using managed identities.
So first, let's talk about securing data access with our back, and if you're not sure what are back is, it stands for role based access control.
And this is a concept where you only have access to the things you need.
For example, like an azure active directory. You don't need to be a global administrator all the time. Maybe you just need a lesser role in order to accomplish your job functions.
Within azure Active Directory, we have several built in rolls you can use, or you can define your own custom roles for accessing data and performing administrative actions.
For example, on the right, we have some of our built in roles here in working with our blob and Q data, such as storage blob, data contributor or a data owner
or a storage que data reader or message sender.
Now securing with our back and azure active directory only applies to our blob and Q data are file and table services do not.
Now you can assign are back to different scopes of your resource is you can do it at the storage account or an individual container or a Q, so you don't have to give access to everything. You can be a little more granular and prescriptive with it.
So we just talked about how we could secure access to our storage data. Using are different are back groups,
but we can also secure admin access using our back.
This is where you can allow management control over the storage account or the different services in it, without giving that person access to the data.
An example of some of these Aban roles include owner, contributor or storage access contributor.
So these roles will permit someone to manage the storage account. But it's not gonna allow them access to the blob or Q data within that account.
So I want to point out that I think that's very interesting. You could be the owner, but that's not going to grant you access to the data itself.
If you already have access using one of these admin groups and you need access to the data. You have to sign yourself. Another are back role for our visitor storage, and you're gonna sign that at the resource group. The storage account container Que scope.
So an example of this is, let's say we haven't admin. Ethan is assigned the Storage Blob data contributor role so they can contribute to the data within the Blob, and that's containers. However, in order to access the container in the Blob objects in the azure portal, it'll need a different roles, such as the reader role
assigned to either the storage account or the container itself.
We'll take a look at this insider demo.
Finally, we have the ability to used managed identities, and this is where you basically assigned on identity to a resource inside of Azure A. D.
An example of this would be like a virtual machine.
This is used for application authentication. So let's go back to that virtual machine I just mentioned. I could create a managed identity for it, and then we could give that managed identity or that virtual machine access to a storage account.
This would allow applications running on the virtual machine to access that storage account as the virtual machine.
So it's kind of like giving a user identity to your resource is inside of Asher.
The's managed identities are free and do not cost anything to use. Inside the azure tenant.
We have two different kinds. We can use the first ISS system assigned, and the main attributes with this is the life cycle of the managed identity is tied to the resource or the instance.
Let's go back to that virtual machine I mentioned. Let's say I created a managed identity for it, and it was system assigned. If I were to delete that virtual machine, he managed, identity would be deleted along with it, so they're tied together.
The other kind we have is user side, and this is a standalone, managed identity that you can then assign to different instances, much like on APP registration
that does it for some of our concepts. Let's jump out to the other portal, and for a demo, we're going to add data. Access to our storage account will add administrator access.
They will create a sign of managed identity for a virtual machine. Let's jump over there now.
Here we are back in the azure portal and let's go over into our storage accounts and access RJB T 2020 storage account.
And first, let's go into access control.
I want to point out what access I have on the storage account, so it's type in the first part of my name here and select it.
You can see I have the service administrator. It's a classic administrator role, and I should have full access to all. The resource is in the subscription,
so let's go back to overview and let's go into our containers. Let's select our vacation pics.
Let's go check out our access control here and verify my access as well.
Well, type in my name again selected there
and again. I have the service administrator cause it's inherited from the storage account,
so let's close this out.
Appear at the top. We have our authentication method. Right now. It's access key, but let's click this link here and switch over to Azure A D,
and you can see I get access tonight. I don't have access to view the data inside this container, even though I have administered or access for it.
This is because as I pointed back out on the slides. Actually, don't have access through my azure a D account to view the data inside this container.
Let's go back to access control. Let's select on ad. I'm going to scroll down here
and choose thes storage blob data reader. Let's just say my Azure 80 account just needs to be able to read the data.
We'll search for my name
and now that role of Simon has been made.
So let's go back to overview.
Let's try switching to Azure 80 user account authentication method again,
and I still get access denied. Sometimes it takes a few minutes, so let's go back to overview.
I'm going to refresh the page here real quick.
Let's try to access it again.
Still, I'm getting access denied, and this is gonna be because I actually don't have access at the storage account leveled to be able to read the data. So I'm missing a level here that I need to be able to access it. So let's go back to home. We'll go back into storage accounts, select rjb t 2020.
Now we're at the storage account level, not the container. Let's go back to access control. We'll go ahead and add a role assignment again
will choose the
blob storage reader role again.
We'll find my user account
Now, let's go ahead and check my access again. We'll search for my name. Select my user account.
You can see now at this storage account level have storage Blob Data Reader,
which is gonna be allowing me to have read access to storage vault containers and the data. And this is gonna be at this storage account level.
Let's go back into overview. We'll check out our containers,
go back into vacation pics
and first before we try to switch back over.
Let's go back into access control
our role assignments.
Scroll down. We'll see my name here twice once for this specific resource. I have the data reader and then also inherited from the parent or the storage account.
So I've kind of doubled up on my permissions. But that's okay. Let's go back to overview
and let's try to switch again.
Still access tonight. I will say this does take a few minutes. So if you're trying to follow along or you're working on this yourself later,
just have some patience and refresh to double check it, make sure it's working,
so let's refresh the page.
Let's try to switch back to the Azure 80 user account again,
and there we have it. It was able to switch, and I'm now able to see the data inside using my azure 80 user account.
So I was trying to demonstrate there is just because you might have access to the container. You may need to go up to the storage account level and give herself some type of reader access, whether it's specifically for the Blob or the Q
or just our general reader are back group that we've mentioned back in the slides.
Next, we need to take a look at creating manage identities and giving access to our storage account using that managed identity.
So in our example, we're going to use a virtual machine I already have created called Prod Web 01 Let's go into the virtual machine configuration here
and under settings and identity.
We have the option of creating the system assigned or user signed. Now I'm going to use system assigned because I want the identity to be associated with the life cycle of our virtual machine. So if I delete the virtual machine, the identity is deleted also,
and it's super simple. We just need to select status toe on and go ahead and save our settings here.
This message is is saying, Once we enable this, we can use it to assign permissions to resource is
and great. It's already created our identity. We have an object I d here that we could use if we needed it. But let's go back to home.
Let's go into storage accounts,
access rjb T 2020 storage account,
and we're going to go under access control
and let's go ahead and click on the add button
I'm going to select a roll. We're gonna go back to our storage blob data reader. So let's say this virtual machine just needs reader access to our blob storage.
We're gonna search for our virtual machine name
and there it is. There's a virtual machine, so it shows up just like a user account.
We'll select it.
Go ahead and save,
and once that's complete, let's go into role assignments.
You can see right down here we have prod Web A want it now has
storage blob data reader to our entire storage account.
So this is going to allow applications running on that virtual machine to access our storage account and read our blob storage data
That does it for a demo. Jump back to the slides and wrap this up.
That is it for a demo. Inside this lesson, we discussed securing access to data using Azure 80
securing admin access using Azure 80
and then finally using managed identities.
Next, we're going to take a look at how we can configure shared encryption keys for a storage account.
See you in the next episode.