Trusted storage for Media Services
When you create a Media Services account, you must associate it with a storage account. Media Services can access that storage account using system authentication or Managed Identity authentication. Media Services validates that the user adding the association has access the storage account with Azure Resource Manager RBAC.
Usage of cross-subscription storage accounts
Note
When Media Services is configured to use Managed Identity to access storage, Media Services can use any storage account that the Managed Identity can access.
When using System authentication to storage, the storage account must be in the same subscription as the Media Services account. Use storage accounts in the same region as the Media Services account to avoid additional data egress costs.
For both authentication types, the principal that creates or updates the Media Services account must have the 'Microsoft.Storage/storageAccounts/listkeys/action' permission over the storage account.
Note
Trusted storage is only available in the API, and is not currently enabled in the Azure portal.
Trusted storage with a firewall
However, if you want to use a firewall to secure your storage account and enable trusted storage, Managed Identities authentication is the preferred option. It allows Media Services to access the storage account that has been configured with a firewall or a VNet restriction through trusted storage access.
Tutorial
You can learn more about enabling trusted storage with the Media Services trusted storage tutorial.
Note
You need to grant the AMS Managed Identity Storage Blob Data Contributor access in order for Media Services to be able to read and write to the storage account. Granting the generic Contributor role won’t work as it doesn’t enable the correct permissions on the data plane.
Further reading
To understand the methods of creating trusted storage with Managed Identities, read Managed Identities and Media Services.
For more information about Trusted Microsoft Services, see Configure Azure Storage firewalls and virtual networks.
Get help and support
You can contact Media Services with questions or follow our updates by one of the following methods:
- Q & A
- Stack Overflow. Tag questions with
azure-media-services
. - @MSFTAzureMedia or use @AzureSupport to request support.
- Open a support ticket through the Azure portal.