
Configure PK Protect for Blob Storage

The Azure cloud IDP browses the blobs present in Azure General-purpose and Blob Storage accounts. PK Protect Cloud IDP for Azure Blob has only one configurable property file.

File path: {Installation Path}/DgSecure/IDPs/CloudIDP/azure-credfile.properties

Before the cloud IDP can browse blobs, its client must first authenticate with the Azure account you want to browse. For authentication, an “app” must be registered with Azure Active Directory. During registration, collect the following properties, which are used for authentication:

  1. The Application ID

  2. The secret key associated with the application.

  3. Azure Tenant ID

  4. Azure Subscription ID

These values need to be set in the azure-credfile.properties file found at /opt/Dataguise/DgSecure/IDPs/CloudIDP/, which looks like this:

```properties
# Azure Subscription ID (e.g b5*****e-5**6-4**e-b**1-678******957)
subscription=
# The Application ID (e.g b6****fc-8**a-4**c-9**e-aeb*******d2)
client=
# The secret key associated with the application.
key=
# Azure Tenant ID
tenant=
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.windows.net/
graphURL=https\://graph.windows.net/
```

The managementURI, baseURL, authURL and graphURL properties are set to the global Azure service URIs. To use the China service URIs, modify them accordingly; refer to https://msdn.microsoft.com/en-us/library/azure/dn578439.aspx

*Note: Currently the cloud IDP runs only on Linux/Unix platforms, and the azure-credfile.properties file must be owned by the cloud IDP user with read permission only for the owner and no permissions for group and other (r--------).
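As an added example (not Dataguise code), the following Python checker parses azure-credfile.properties in the format shown above, confirms the four credential keys are filled in and the four endpoint keys are https URLs, and verifies the r-------- (0400) mode and cloud-IDP-user ownership required by the note. The function names are my own; the key names are the ones from the template.

```python
import os
import stat

# Keys the IDP reads from azure-credfile.properties (from the template above)
REQUIRED_CREDENTIALS = ("subscription", "client", "key", "tenant")
REQUIRED_ENDPOINTS = ("managementURI", "baseURL", "authURL", "graphURL")


def parse_properties(text):
    """Parse Java-style key=value lines; the '\\:' in https\\:// is unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")  # secrets may themselves end in '='
            if sep:
                props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def check_properties(props):
    """Return problems with the parsed key/value pairs (empty list = fine)."""
    problems = []
    for key in REQUIRED_CREDENTIALS:
        if not props.get(key):
            problems.append("%s is empty or missing" % key)
    for key in REQUIRED_ENDPOINTS:
        if not props.get(key, "").startswith("https://"):
            problems.append("%s is missing or not an https URL" % key)
    return problems


def check_ownership(mode, uid, expected_uid):
    """Require r-------- (0400) and ownership by the user running the IDP."""
    problems = []
    if stat.S_IMODE(mode) != 0o400:
        problems.append("mode is %04o, expected 0400 (r--------)" % stat.S_IMODE(mode))
    if uid != expected_uid:
        problems.append("file is not owned by the cloud IDP user")
    return problems


def check_credfile(path):
    """Run both checks against the file actually on disk, as the IDP user."""
    st = os.stat(path)
    with open(path) as fh:
        props = parse_properties(fh.read())
    return check_ownership(st.st_mode, st.st_uid, os.getuid()) + check_properties(props)
```

Run `check_credfile("/opt/Dataguise/DgSecure/IDPs/CloudIDP/azure-credfile.properties")` as the cloud IDP user; an empty list means the file satisfies every requirement on this page.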

Permission Requirements:

The app needs the Microsoft.Storage/storageAccounts/read and Microsoft.Storage/storageAccounts/listKeys/action permissions. A role that grants these permissions must be assigned to the app. Below are some examples of built-in roles that contain them and can be assigned to the app:

  1. Storage Account Contributor

  2. Contributor

  3. Virtual Machine Contributor

  4. Owner

Refer to the following link for more details on roles: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles.

App Registration:

There are several ways to register an “app”. Below are a few links to illustrate this:

  1. Using Azure CLI:

    1. For Azure CLI 2.0 use the following link: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?toc=%2fazure%2fazure-resource-manager%2ftoc.json

    2. For Azure CLI 1.0 use the following link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli

  2. Using Portal: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
