| title | Create an Azure storage account with managed identity |
|---|---|
| description | Create a storage account that a deployed Python (Django or Flask) web app can access in Azure using managed identity. |
| ms.devlang | python |
| ms.topic | tutorial |
| ms.date | 07/20/2022 |
| ms.custom | devx-track-python, devx-track-azurecli, vscode-azure-extension-update-completed |
This article is part of a tutorial about deploying a Python app to Azure App Service. The web app uses managed identity to authenticate to other Azure resources. In this article, you'll create an Azure Blob Storage account to store images saved by the sample app.
:::image type="content" source="./media/python-web-app-managed-identity/system-diagram-local-to-deploy-python-managed-identity-storage-800px.png" lightbox="./media/python-web-app-managed-identity/system-diagram-local-to-deploy-python-managed-identity-storage.png" alt-text="A screenshot showing the Azure services in the tutorial used with Azure Blob Storage highlighted." :::
Sign in to the Azure portal and follow these steps to create an Azure Storage account.
| Instructions | Screenshot |
|---|---|
| [!INCLUDE Create storage account step 1] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-account-azure-portal-1-240px.png" alt-text="A screenshot showing how to use the search box in the top tool bar to find storage accounts in Azure." lightbox="./media/python-web-app-managed-identity/create-storage-account-azure-portal-1.png"::: |
| [!INCLUDE Create storage account step 2] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-account-azure-portal-2-240px.png" alt-text="A screenshot showing the create button on the storage accounts page used to create a new storage account." lightbox="./media/python-web-app-managed-identity/create-storage-account-azure-portal-2.png"::: |
| [!INCLUDE Create storage account step 3] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-account-azure-portal-3-240px.png" alt-text="A screenshot showing the form to fill out to create a new storage account in Azure." lightbox="./media/python-web-app-managed-identity/create-storage-account-azure-portal-3.png"::: |
| [!INCLUDE Create storage account step 4] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-account-azure-portal-4-240px.png" alt-text="A screenshot of the completion page after a storage account has been created. This page contains a button that will take you to the storage account you created." lightbox="./media/python-web-app-managed-identity/create-storage-account-azure-portal-4.png"::: |
| [!INCLUDE Create storage account step 5] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-account-azure-portal-5-240px.png" alt-text="A screenshot of how to create a container in a storage account." lightbox="./media/python-web-app-managed-identity/create-storage-account-azure-portal-5.png"::: |
To create Azure resources in VS Code, you must have the Azure Tools extension pack and the Azure Storage extension installed, and be signed into Azure from VS Code.
| Instructions | Screenshot |
|---|---|
| [!INCLUDE A screenshot showing how to find Azure extension in Visual Studio Code] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-visual-studio-code-1-240px.png" lightbox="./media/python-web-app-managed-identity/create-storage-visual-studio-code-1.png" alt-text="A screenshot showing how to use Visual Studio Code Azure extension pack with the Storage extension." ::: |
| [!INCLUDE A screenshot showing how to find the Azure Storage extension in Visual Studio Code] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-visual-studio-code-2-240px.gif" lightbox="./media/python-web-app-managed-identity/create-storage-visual-studio-code-2.gif" alt-text="A screenshot showing how to create a storage account with the Azure Tools extension." ::: |
| [!INCLUDE A screenshot showing how to configure the new storage] | :::image type="content" source="./media/python-web-app-managed-identity/create-storage-visual-studio-code-3-240px.png" lightbox="./media/python-web-app-managed-identity/create-storage-visual-studio-code-3.png" alt-text="A screenshot showing how to create a storage container with the Azure extension." ::: :::image type="content" source="./media/python-web-app-managed-identity/create-storage-visual-studio-code-3b-240px.png" lightbox="./media/python-web-app-managed-identity/create-storage-visual-studio-code-3b.png" alt-text="A screenshot showing how to create a storage container with the Azure extension and add a container." ::: |
Azure CLI commands can be run in the Azure Cloud Shell or on a workstation with the Azure CLI installed.
Storage accounts are created using the az storage account create command. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Storage account names must also be unique across Azure.
Create a storage account.
[!INCLUDE Create storage account with CLI]
Create a container called photos in the storage account with the az storage container create command.
[!INCLUDE Create storage account with CLI]
In this step, you'll assign a role to a managed identity. A role is a collection of permissions for a scope or set of resources. Specifically, you assign the Storage Blob Data Contributor role to the app's managed identity so that the web app can access the storage account.
Grouping Azure resources into a single resource group is commonly done when developing applications that use Azure resources. Up to this point in the tutorial, the App Service and Storage Account you created should be in the same resource group. Therefore, you'll assign the storage role at the resource group level.
| Instructions | Screenshot |
|---|---|
| [!INCLUDE Assign managed identity to role step 1] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-1-240px.png" alt-text="A screenshot showing how to use the top search bar in the Azure portal to locate and navigate to a resource group in Azure. You'll assign roles (permissions) to this resource group." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-1.png"::: |
| [!INCLUDE Assign managed identity to role step 2] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-2-240px.png" alt-text="A screenshot showing the location of the Access control (IAM) menu item in the left-hand menu of an Azure resource group." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-2.png"::: |
| [!INCLUDE Assign managed identity to role step 3] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-3-240px.png" alt-text="A screenshot showing how to navigate to the role assignments tab and the location of the button used to add role assignments to a resource group." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-3.png"::: |
| [!INCLUDE Assign managed identity to role step 4] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-4-240px.png" alt-text="A screenshot showing how to filter to find role assignments to be added to the resource group." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-4.png"::: :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-4a-240px.png" alt-text="A screenshot showing how to select a role assignment to be added to the resource group." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-4a.png"::: |
| [!INCLUDE Assign managed identity to role step 5] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-5-240px.png" alt-text="A screenshot showing how to select managed identity as the type of user you want to assign the role (permission) on the add role assignments page." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-5.png"::: |
| [!INCLUDE Assign managed identity to role step 6] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-6-240px.png" alt-text="A screenshot showing how to use the select managed identities dialog to filter and select the managed identity to assign the role to." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-6.png"::: |
| [!INCLUDE Assign managed identity to role step 7] | :::image type="content" source="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-7-240px.png" alt-text="A screenshot of the final add role assignment screen where a user needs to select the Review + Assign button to finalize the role assignment." lightbox="./media/python-web-app-managed-identity/assign-managed-identity-to-role-azure-portal-7.png"::: |
A managed identity is assigned a role in Azure with the az role assignment create command. The general form of the command is:
[!INCLUDE Create role with CLI]
Three pieces of information are needed:
-
<managed-identity-id> that is the managed identity ID of the App Service. If needed, return to the App Service Identity page to get this ID.
-
<resource-group-name> that is the group the App Service and Storage Account were created in.
-
<role-name> that for this tutorial is Storage Blob Data Contributor.
In general, to get the role names that a service principal can be assigned to, use the az role definition list command.
[!INCLUDE Get the role names with CLI]
For example, if the managed identity object ID is 99999999-9999-9999-9999-999999999999, the resource group is msdocs-web-app-rg, then you can use the following command to assign the to Storage Blob Data Contributor role:
[!INCLUDE Create role example with CLI]
For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article Assign Azure roles using the Azure CLI.
[!div class="nextstepaction"] Create an Azure database for PostgreSQL >>>