Today we would like to check the working solution for immutable storage in Azure. And I am really wondering how to configure that type of access:
If the access node is local server and resource is not appeared in Azure.
Best answer by JiyeView original
If your Media agent is on-prem you can use other methods to authenticate.
Easiest way would be to use the access key.
You can find the access key id from your azure portal > storage account > your storage account > access keys on the left panel under Security+Networking.
When you use this, you don’t need to assign role to your storage account because this works like a root password (has all permissions)
When you configure on Commcell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select your local MediaAgent, select Access & secret keys, leave service host to blob.core.windows.net, click Create new for credentials.
Then add the credential name, then put your storage account as ‘Account name’ and add the key that you copied from azure portal.
Then find the container on azure portal under the storage account, specify it, and continue.
The second method is to create an application on azure and use it to authenticate. On azure portal, go to App registration and New registration. Name the application and register.
Then go to the storage account > IAM > Add the application as ‘Contributor’
When you configure on Commcell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select MediaAgent, select IAM AD application role assignment, leave service host to blob.core.windows.net, click Create new for credentials.
For the Tenant id, application id, copy it from your azure portal > app registration > your app > overview.
For application secret, on your azure portal > app registration > your app > certificates & secret > +new client secret and copy it from there
For account name, type your storage account name (jlsoutheast in my case).
Hello Onno van den Berg,
From our configuration backup I use mostly the first option, so using direct key from Azure portal and creating some Access account in the Commserve server.
But Another question which appeared in my head is how the local Media Agent is connected to the storage account which protocol is using to send the data on them (http or https). It is very important from site of secure sending data. I checked documentation but I can’t find out that information which is very critical for configuration part.
Thanks for the details how it can be set and what’s type of configuration can be implemented. Your way of showing what can be done in the case is simple and clear :). As I remember I used the first approach with Storage Account Key.
I have one question more, maybe You know which option is more secure?