Creating managed identities

Once you’ve created the storage account and file system within it, create the managed identities and then assign roles with specific scopes to these identities.

You can reuse the same resource group that you created for the storage account or you can optionally create a new resource group that can act as a logical grouping of managed identities.

You need to create four managed identities (Assumer Identity, Data Lake Admin Identity, Ranger Audit Logger Identity, and Logger Identity). Use the following steps to create these managed identities:

  1. On Azure Portal, navigate to Managed Identities.
  2. Click +Add.
  3. Specify the managed identity name and select the resource group that you created earlier.

Repeat these steps to create each of the four managed identities. Once you’ve created these managed identities, assign roles with specific scopes (subscription or container) to these identities as follows. Keep the scopes as narrow as described: the data roles are assigned on individual containers, not on the storage account or the subscription.

Assumer managed identity

Assign the Virtual Machine Contributor role to the Assumer Identity at the subscription level.

  1. Navigate to Subscriptions > your subscription > Access Control (IAM).
  2. Click +Add.
  3. Under Add role assignment:
    1. Under Role, select Virtual Machine Contributor.
    2. Under Assign access to, select User assigned managed identity.
    3. Under Select, select the Assumer Identity created earlier.
    4. Click Save.
  4. Repeat the role assignment steps 2-3, but this time assign the Managed Identity Operator role to the Assumer Identity.

Next, assign the Storage Blob Data Contributor role to the Assumer Identity on the scope of the container created earlier for Logs Location Base:
  1. Navigate to Storage accounts > your storage account > Containers > your container > Access Control (IAM).
  2. Click +Add > Add role assignment.
  3. Under Add role assignment:
    1. Under Role, select Storage Blob Data Contributor.
    2. Under Assign access to, select User assigned managed identity.
    3. Under Select, select the Assumer Identity created earlier.
    4. Click Save.

Data Lake Admin Identity

Assign the Storage Blob Data Owner role to the Data Lake Admin managed identity on the scope of each of the two containers created earlier (Storage Location Base and Logs Location Base).

  1. Navigate to Storage accounts > your storage account > Containers > your container > Access Control (IAM).
  2. Click +Add > Add role assignment.
  3. Under Add role assignment:
    1. Under Role, select Storage Blob Data Owner.
    2. Under Assign access to, select User assigned managed identity.
    3. Under Select, select the Data Lake Admin Identity created earlier.
    4. Click Save.

Repeat these steps for both containers.

Ranger Audit Logger Identity

Assign the Storage Blob Data Contributor role to the Ranger Audit Logger managed identity on the scope of the container created earlier for Storage Location Base.

  1. Navigate to Storage accounts > your storage account > Containers > your container > Access Control (IAM).
  2. Click +Add > Add role assignment.
  3. Under Add role assignment:
    1. Under Role, select Storage Blob Data Contributor.
    2. Under Assign access to, select User assigned managed identity.
    3. Under Select, select the Ranger Audit Logger Identity created earlier.
    4. Click Save.

Logger Identity

Assign the Storage Blob Data Contributor role to the Logger managed identity on the scope of the container created earlier for Logs Location Base.

  1. Navigate to Storage accounts > your storage account > Containers > your container > Access Control (IAM).
  2. Click +Add > Add role assignment.
  3. Under Add role assignment:
    1. Under Role, select Storage Blob Data Contributor.
    2. Under Assign access to, select User assigned managed identity.
    3. Under Select, select the Logger Identity created earlier.
    4. Click Save.

After performing these steps, you should have the required managed identities created and their roles assigned on the correct scope.
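The same procedure can be scripted with the Azure CLI, which is easier to review and repeat than portal clicks. The script below is an added example, not code from the Cloudera documentation or the CDP project. The subscription ID, resource group, storage account, container and identity names are assumed placeholders (override them through the environment), and `DRY_RUN=1` (the default) only prints the `az` commands. It goes slightly beyond the page by ending with an audit listing of every assignment on the storage account so that a stray account-wide or subscription-wide data grant stands out.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloudera page): create the four managed
# identities and the container-scoped role assignments with the Azure CLI.
# Every name below is an assumed placeholder; override via the environment.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-cdp-rg}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-cdpstorage}"
STORAGE_CONTAINER="${STORAGE_CONTAINER:-data}"   # Storage Location Base
LOGS_CONTAINER="${LOGS_CONTAINER:-logs}"         # Logs Location Base
DRY_RUN="${DRY_RUN:-1}"   # 1 = print az commands only, 0 = execute them

IDENTITIES="assumer-identity datalake-admin-identity ranger-audit-identity logger-identity"

# ARM scope strings. The container-level scope hangs off blobServices/default,
# not directly off the storage account; getting this wrong silently widens the grant.
subscription_scope() { printf '/subscriptions/%s' "$SUBSCRIPTION_ID"; }
storage_account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION_ID" "$RG" "$STORAGE_ACCOUNT"
}
container_scope() { printf '%s/blobServices/default/containers/%s' "$(storage_account_scope)" "$1"; }

# The assignment plan from the page, one "identity<TAB>role<TAB>scope" line each.
# Only the Assumer identity gets subscription-wide roles, and those are
# compute/identity roles, not data roles.
plan_assignments() {
  printf '%s\t%s\t%s\n' \
    assumer-identity        'Virtual Machine Contributor'   "$(subscription_scope)" \
    assumer-identity        'Managed Identity Operator'     "$(subscription_scope)" \
    assumer-identity        'Storage Blob Data Contributor' "$(container_scope "$LOGS_CONTAINER")" \
    datalake-admin-identity 'Storage Blob Data Owner'       "$(container_scope "$STORAGE_CONTAINER")" \
    datalake-admin-identity 'Storage Blob Data Owner'       "$(container_scope "$LOGS_CONTAINER")" \
    ranger-audit-identity   'Storage Blob Data Contributor' "$(container_scope "$STORAGE_CONTAINER")" \
    logger-identity         'Storage Blob Data Contributor' "$(container_scope "$LOGS_CONTAINER")"
}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_identities() {
  for name in $IDENTITIES; do
    run az identity create --resource-group "$RG" --name "$name"
  done
}

# Resolve the identity's service principal object ID. Passing the object ID
# with --assignee-principal-type avoids the directory lookup that can fail
# right after creation, before the new principal is visible.
principal_id() {
  if [ "$DRY_RUN" = 1 ]; then printf '<principalId of %s>' "$1"; return; fi
  az identity show --resource-group "$RG" --name "$1" --query principalId -o tsv
}

apply_plan() {
  plan_assignments | while IFS="$(printf '\t')" read -r identity role scope; do
    run az role assignment create \
      --assignee-object-id "$(principal_id "$identity")" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope"
  done
}

# Post-check: every assignment visible at the storage account and below,
# including inherited ones, so an accidental account- or subscription-wide
# data role is easy to spot.
audit_storage_assignments() {
  run az role assignment list --scope "$(storage_account_scope)" --include-inherited \
    --query '[].{principal:principalName,role:roleDefinitionName,scope:scope}' -o table
}

case "${1:-plan}" in
  plan)  plan_assignments ;;
  apply) create_identities; apply_plan; audit_storage_assignments ;;
esac
```

Run it with no arguments to print the plan, with `apply` to print the `az` commands, and with `DRY_RUN=0 ./script.sh apply` after `az login` to execute them. Compare the audit table at the end against the plan: there should be no Storage Blob Data role on the storage account scope itself.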