Cloudera Docs

Encrypting a storage account with a key vault that has role-based access control

To encrypt an ADLS Gen2 storage account that you would like to use with CDP with a key vault which has role-based access control set up, you need to perform the following steps on Azure Portal.

There are two scenarios described below:

  • The first scenario assumes that you have not yet created the ADLS Gen2 storage account required for CDP on Azure.

  • The second scenario assumes that you have already created the ADLS Gen2 storage account storage account required for CDP on Azure.

New storage account

The following steps should be performed in addition to the usual steps while creating the ADLS Gen2 account that you are planning to use with CDP.

Steps

  1. Create a managed identity. Let’s call it "key-vault-rbac".

  2. Create a key vault.
    1. The key vault should have "purge protection" and "soft-delete" enabled.
    2. The key vault should be located in the same subscription and region as the target CDP environment.
    3. Set up the key’s access policy to "Azure role-based access control".
  3. Navigate to the access control for this key vault and:
    1. Click on Add role assignment.
    2. Assign the "Key Vault Administrator" role to all of the following users:
      • The user who created this key vault
      • The user(s) who register a CDP environment using this key vault
      • All the users/managed Identities who will be accessing this key vault

  4. Once the key vault is created, create an RSA key with the size of 2048 bits.

  5. Navigate to the access control for this key vault and:
    1. Click on Add role assignment.
    2. Assign the "Key Vault Crypto Service Encryption User" role to the "key-vault-rbac" managed identity created earlier. This will enable access to this key vault from the storage account.
  6. Create the storage account and the managed Identities as mentioned in Minimal setup for cloud storage. During storage account creation, choose the following options to enable the customer managed key encryption for the storage account:
    1. Set Enable support for customer-managed keys to "All service types".
    2. Set Identity type to "User-assigned".
    3. Set User-assigned identity to the "key-vault-rbac" managed identity created earlier.

Existing storage account

In case your ADLA Gen2 storage account already exists, perform the following steps instead of the ones above. The requirement is that the storage account must have been created with "Enable support for customer-managed keys" set to "All service types". This cannot be set once the storage account exists, so if the storage account does not have this set, you cannot use it for this use case.

Steps

  1. Create a managed identity. Let’s call it "key-vault-rbac".

  2. Navigate to the access control for the key vault that you are using for CDP and:
    1. Click on Add role assignment.
    2. Assign the "Key Vault Crypto Service Encryption User" role to the "key-vault-rbac" managed identity created earlier. This will enable access to this key vault from the storage account.
  3. To enable the customer managed key encryption for the storage account used in CDP, the following options must be chosen during storage account creation:
    1. Verify that Enable support for customer-managed keys is set to "All service types".
    2. Set Identity type to "User-assigned".
    3. Set User-assigned identity to the "key-vault-rbac" managed identity created earlier.