

I am working with a customer right now that is doing a lot of work with Azure Data Factory (ADF). ADF is a powerful cloud based data integration tool that lets you move data from a multitude of sources, process that data and store it in a target data store. In working with this customer, a requirement came up to securely transfer data between blob storage accounts with the least permissions possible. There are a couple of options to achieve this:

- Encode the storage connection string with the storage account master key in ADF.
- Store the storage connection string with the master key in Key Vault, and authenticate ADF to Key Vault.
- Store a SAS token in Key Vault, and use Key Vault to get the SAS token.
- Have Key Vault manage your storage accounts, and get a dynamically created SAS token.
- Use the managed identity of ADF to authenticate to Azure blob storage.

In this post we'll go with the fourth option. This means we will have Key Vault manage the Azure storage accounts and frequently rotate the keys, and have Key Vault use those keys to generate SAS tokens for us. ADF comes out of the box with a managed identity now. We will then use this managed identity of ADF to authenticate towards Key Vault to get the SAS tokens.

For those of you not familiar with SAS tokens: SAS tokens are a way to give access to Azure storage (works with blob, file, queue and table) with a limited set of permissions. Permissions can be scoped to a specific service, can be time bound, can be limited by IP addresses, etc. That is a lot safer than leveraging the storage account master key. The purpose of this post is to explain the mechanism and show you how this would work in ADF.

I built a small demo environment for this demo. It consists of:

- Two storage accounts. One will be read by ADF, another will be written to.
- A key vault. This key vault will manage both storage accounts and generate SAS tokens.
- An Azure data factory, which will read data from storage account 1 and write it to storage account 2.

[Figure: Overview of the demo we'll build in this blog post]

Setting up storage accounts and key vault

So, let's start at the beginning: creating the two storage accounts and the key vault, and configuring the key vault for managing the storage accounts. To set up the storage accounts and have key vault manage them, I decided to use Azure PowerShell. If you want to execute this all-in-one, you can find the script on Github. I'll walk you through the steps here.

First up, we'll set up a number of variables and log in to Azure. Then we'll create the resources, meaning resource group, storage accounts and key vault:

```powershell
# The variable definitions ($rgname, $location, $staccname, $staccname2, $kvname,
# $userId, $keyVaultSpAppId) and the login command sit at the top of the script
# and are not reproduced in this excerpt.
# Login

# Create the resource group, the two storage accounts and the key vault
New-AzResourceGroup -Name $rgname -Location $location
$stacc = New-AzStorageAccount -ResourceGroupName $rgname -Location $location -Name $staccname -SkuName Standard_LRS
$stacc2 = New-AzStorageAccount -ResourceGroupName $rgname -Location $location -Name $staccname2 -SkuName Standard_LRS
$kv = New-AzKeyVault -VaultName $kvname -ResourceGroupName $rgname -Location $location
```

First, we'll give key vault permission to rotate the keys in the storage accounts. Then we'll give my user account permissions in the key vault itself (FYI: even if you are owner of a Key Vault, that doesn't give you access to the objects in the vault. The control plane (Azure API) and data plane (Key Vault itself) are configured independently).

```powershell
# Give KV permissions on Storage to rotate keys
# $keyVaultSpAppId holds the application ID of the Azure Key Vault service principal
Write-Output "Give KV permissions on Storage to rotate keys"
New-AzRoleAssignment -ApplicationId $keyVaultSpAppId -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $stacc.Id
New-AzRoleAssignment -ApplicationId $keyVaultSpAppId -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $stacc2.Id

# Give my user access to KV storage permissions (data plane access policy on the vault)
Write-Output "Give my user access to KV storage permissions"
Set-AzKeyVaultAccessPolicy -VaultName $kvname -UserPrincipalName $userId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
```

When that is done, we'll need to wait a couple of seconds for the role assignments to propagate fully in Azure. The role assignment that is the most critical here is the permission of key vault over the storage accounts. I have a 30 second sleep in the script itself.
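The following block is an added example; it is not part of the original post or its Github script. It covers two points from the text: replacing the fixed 30 second sleep with a check that the role assignment is actually visible, and the mechanism the post is built on, namely handing the storage account keys to Key Vault so that it rotates them and signs short-lived, narrowly scoped SAS tokens. It assumes the variables used above ($kvname, $staccname, $staccname2, $stacc, $stacc2, $keyVaultSpAppId) are set, that the role assignments have been created, and that a recent Az module is installed (for `Get-AzKeyVaultSecret -AsPlainText`). The SAS definition names (`blobread`, `blobwrite`), the regeneration period and the validity period are choices made for this example.

```powershell
# Added example, not part of the original post or its Github script.
# Assumes $kvname, $staccname, $staccname2, $stacc, $stacc2 and $keyVaultSpAppId
# are set as in the post. Definition names and periods are assumptions.

# 1. Replace the fixed sleep with a check: poll until the
#    'Storage Account Key Operator Service Role' assignment for the Key Vault
#    service principal is visible on every storage account scope, or time out.
function Wait-KeyVaultStorageRole {
    param(
        [Parameter(Mandatory)] [string[]] $StorageAccountIds,
        [Parameter(Mandatory)] [string] $KeyVaultAppId,
        [int] $TimeoutSeconds = 120
    )
    # Role assignments carry the service principal's object id, not its app id.
    $spObjectId = (Get-AzADServicePrincipal -ApplicationId $KeyVaultAppId).Id
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    foreach ($scope in $StorageAccountIds) {
        while ($true) {
            $assignment = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Storage Account Key Operator Service Role' -ErrorAction SilentlyContinue |
                Where-Object { $_.ObjectId -eq $spObjectId -and $_.Scope -eq $scope }
            if ($assignment) {
                Write-Output "Role assignment visible on $scope"
                break
            }
            if ((Get-Date) -gt $deadline) {
                throw "Role assignment on $scope still not visible after $TimeoutSeconds seconds"
            }
            Start-Sleep -Seconds 5
        }
    }
}

Wait-KeyVaultStorageRole -StorageAccountIds @($stacc.Id, $stacc2.Id) -KeyVaultAppId $keyVaultSpAppId

# 2. Hand the storage account keys to Key Vault. From now on Key Vault signs SAS
#    tokens with the active key and regenerates the inactive key on the given
#    schedule (30 days here), so nobody has to handle the master keys directly.
$regenerationPeriod = [System.TimeSpan]::FromDays(30)
foreach ($account in @(@{ Name = $staccname; Id = $stacc.Id }, @{ Name = $staccname2; Id = $stacc2.Id })) {
    Add-AzKeyVaultManagedStorageAccount -VaultName $kvname -AccountName $account.Name -AccountResourceId $account.Id -ActiveKeyName key1 -RegenerationPeriod $regenerationPeriod
}

# 3. Define the SAS tokens Key Vault will hand out. The template is built with the
#    storage cmdlets using a placeholder key (Key Vault re-signs the template with
#    the real active key), restricted to the blob service, HTTPS only, and valid
#    for a short window from the moment a token is requested.
function New-BlobSasDefinition {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $DefinitionName,
        [Parameter(Mandatory)] [string] $Permission,   # account SAS permission letters, e.g. 'rl' or 'acwl'
        [int] $ValidHours = 2
    )
    $context = New-AzStorageContext -StorageAccountName $AccountName -Protocol Https -StorageAccountKey Key1
    $template = New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission $Permission -Protocol HttpsOnly -Context $context
    Set-AzKeyVaultManagedStorageSasDefinition -VaultName $kvname -AccountName $AccountName -Name $DefinitionName -TemplateUri $template -SasType 'account' -ValidityPeriod ([System.TimeSpan]::FromHours($ValidHours))
}

# Source account: read and list only. Destination account: add, create, write and
# list, but no read and no delete. Each side gets only what its role needs.
New-BlobSasDefinition -AccountName $staccname  -DefinitionName 'blobread'  -Permission 'rl'
New-BlobSasDefinition -AccountName $staccname2 -DefinitionName 'blobwrite' -Permission 'acwl'

# A principal with 'get' on secrets (later: the ADF managed identity) fetches a
# freshly signed SAS token as the secret named '<account>-<definition>'.
$readSas = Get-AzKeyVaultSecret -VaultName $kvname -Name "$staccname-blobread" -AsPlainText
```

Two design points worth noting: the wait function looks for the specific assignment on the specific scope rather than sleeping, so a slow propagation fails loudly after the timeout instead of silently leaving the later `Add-AzKeyVaultManagedStorageAccount` call to fail with a less obvious error; and the SAS definitions separate read from write permissions per account, so a token leaked from the reading side cannot be used to modify data and a token from the writing side cannot be used to read it.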
