Tutorial: Access storage with a Media Services Managed Identity

Media Services logo v3


Warning

Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.

Note

Managed identities are only available for Media Services accounts created using the v3 API. If you are using the v2 API and would like to use managed identities, please migrate from v2 to v3 Migrate from Media Services v2 to v3 introduction.

If you would like to access a storage account when the storage account is configured to block requests from unknown IP addresses, the Media Services account must be granted access to the Storage account. Follow the steps below to create a Managed Identity for the Media Services account and grant this identity access to storage using the Media Services CLI.

Media Services account uses a Managed Identity to access storage

This tutorial uses the 2020-05-01 Media Services API.

Overview

Warning

You cannot use JobInputHTTP or SAS URLs with a storage account that isn't associated with a Media Services account. These are intended as a convenience for customers who have existing content that can be accessed using HTTP(S), for example if you have media files on a public facing server or stored with another cloud provider. If you are building new solutions, use Assets for job inputs.

To secure access to a storage account used by Media Services:

  • Configure the storage account to deny all IP addresses (or only allow IP addresses in the customer’s network)
  • Configure the storage account to allow access to “AzureServices”
  • Configure Media Services to access the storage account using Managed Identity
  • Upload media content to Media Services Assets
  • Create encoding jobs which use Media Services Assets as the job input. DO NOT use SAS URLS or JobInputHTTP.

Sign in to Azure

To use any of the commands in this article, you first have to be signed in to the subscription that you want to use.

Sign in to Azure. When you use this command, you will be prompted for the subscription you want to use.

az login

Set subscription

Use this command to set the subscription that you want to work with.

Set the Azure subscription with the CLI

In the following command, provide the Azure subscription ID that you want to use for the Media Services account.

az account set --subscription <subscriptionName>

Resource names

Before you get started, decide on the names of the resources you'll create. They should be easily identifiable as a set, especially if you are not planning to use them after you are done testing. Naming rules are different for many resource types so it's best to stick with all lower case. For example, "mediatest1rg" for your resource group name and "mediatest1stor" for your storage account name. Use the same names for each step in this article.

You'll see these names referenced in the commands below. The names of resources you'll need are:

  • myRG
  • myStorageAccount
  • myAmsAccount
  • location

Note

The hyphens above are only used to separate guidance words. Because of the inconsistency of naming resources in Azure services, don't use hyphens when you name your resources. Also, you don't create the region name. The region name is determined by Azure.

List Azure regions

If you're not sure of the actual region name to use, use this command to get a listing:

Use this command to list the regions available for your account.

az account list-locations --query "[].{DisplayName:displayName, Name:name}" -o table

Sequence

Each of the steps below is done in a particular order because one or more values from the JSON responses are used in the next step in the sequence.

Create a Storage account

The Media Services account you'll create must have a storage account associated with it. Create the storage account for the Media Services account first. You'll use the storage account name that replaces myStorageAccount for subsequent steps.

Create an Azure Storage account with the CLI

Use the following commands to create an Azure Storage account.

To create a storage account, you must first create a resource group within a location.

To list available locations, use the following command:

List available locations with the CLI

To list available locations, use the following command:

az account list-locations

Create a resource group with the CLI

To create a resource group, use the following command:

az group create -n <resourceGroupName> --location chooseLocation

Choose a SKU

You also need to choose a SKU for your storage account. You can list storage accounts.

Choose a SKU from the following list: Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS, Premium_ZRS, Standard_GZRS, Standard_RAGZRS.

  • Change myStorageAccount to a unique name with a length of fewer than 24 characters.
  • Change chooseLocation to the region you want to work within.
  • Change chooseSKU to your preferred SKU.
az storage account create -n <myStorageAccount> -g <resourceGroup>  --location <chooseLocation> --sku <chooseSKU>

Create a Media Services account with a Service Principal (Managed Identity)

Now create the Media Services account with a Service Principal, otherwise known as a Managed Identity.

Important

It is important that you remember to use the --mi flag in the command. Otherwise you will not be able to find the principalId for a later step.

The following Azure CLI command creates a new Media Services account. Replace the following values: your-media-services-account-name your-storage-account-name, and your-resource-group-name with the names you want to use. The command assumes that you have already created a resource group and a Storage account.

It gives the Media Services account a system assigned managed identity with the --mi-system-assigned flag.


az ams account create --name <your-media-services-account-name> --resource-group <your-resource-group-name> --mi-system-assigned --storage-account <your-storage-account-name>

Example JSON response:

{
  "encryption": {
    "keyVaultProperties": null,
    "type": "SystemKey"
  },
  "id": "/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/your-resource-group/providers/Microsoft.Media/mediaservices/your-media-services-account-name",
  "identity": {
    "principalId": "00000000-0000-0000-0000-00000000",
    "tenantId": "00000000-0000-0000-0000-00000000",
    "type": "SystemAssigned"
  },
  "location": "your-region",
  "mediaServiceId": "00000000-0000-0000-0000-00000000",
  "name": "your-media-services-account-name",
  "resourceGroup": "your-resource-group",
  "storageAccounts": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/mediatest1rg/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
      "resourceGroup": "your-resource-group",
      "type": "Primary"
    }
  ],
  "storageAuthentication": "System",
  "systemData": {
    "createdAt": "2021-05-14T21:25:12.3492071Z",
    "createdBy": "[email protected]",
    "createdByType": "User",
    "lastModifiedAt": "2021-05-14T21:25:12.3492071Z",
    "lastModifiedBy": "[email protected]",
    "lastModifiedByType": "User"
  },
  "tags": null,
  "type": "Microsoft.Media/mediaservices"
}

Grant the Media Services Managed Identity access to the Storage account

Grant the Media Services Managed Identity access to the Storage account. There are three commands:

Get (show) the Managed Identity of the Media Services account

The first command below shows the Managed Identity of the Media Services account which is the principalId listed in the JSON returned by the command.

This command shows all of the properties of a Media Services account.

az ams account show --name <your-media-services-account-name> --resource-group <your-resource-group>

Note

If you have assigned access roles to the Media Services account, this line will return "storageAuthentication": "ManagedIdentity".

Example JSON response:

{
  "encryption": {
    "keyVaultProperties": null,
    "type": "SystemKey"
  },
  "id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Media/mediaservices/your-media-services-account",
  "identity": {
    "principalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",
    "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
    "type": "SystemAssigned"  //Type will show "Managed Identity" if you have assigned a role to the Media Services account.
  },
  "location": "your-region",
  "mediaServiceId": "00000000-0000-0000-0000-000000000000",
  "name": "your-media-services-account",
  "resourceGroup": "your-resource-group-name",
  "storageAccounts": [
    {
      "id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
      "resourceGroup": "your-resource-group-name",
      "type": "Primary"
    }
  ],
  "storageAuthentication": "System", //If you have assigned access roles to the account, this line will return storageAuthentication": "ManagedIdentity"
  "systemData": {
    "createdAt": "2021-05-14T21:25:12.3492071Z",
    "createdBy": "[email protected]",
    "createdByType": "User",
    "lastModifiedAt": "2021-05-14T21:25:12.3492071Z",
    "lastModifiedBy": "[email protected]",
    "lastModifiedByType": "User"
  },
  "tags": null,
  "type": "Microsoft.Media/mediaservices"
}

Create the Storage Blob Contributor role assignment

The following command creates a Storage Blob Contributor role.

Change assignee to the principalId. The command assumes that you have already created a resource group and a Storage account. Use your-resource-group-name and your-storage-account-name as part of the scope value as shown in the command below:

az role assignment create --assignee 00000000-0000-0000-000000000000 --role "Storage Blob Data Contributor" --scope "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/<your-resource-group-name>/providers/Microsoft.Storage/storageAccounts/<your-storage-account-name>"

Example JSON response:

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-000000000000",
  "name": "00000000-0000-0000-000000000000",
  "principalId": "00000000-0000-0000-000000000000",
  "principalType": "ServicePrincipal",
  "resourceGroup": "your-resource-group-name",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-000000000000",
  "scope": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
  "type": "Microsoft.Authorization/roleAssignments"
}

Create the Reader role assignment

The following command creates a Reader role.

Change assignee to the principalId. The command assumes that you have already created a resource group and a Storage account. Use your-resource-group-name and your-storage-account-name as part of the scope value as shown in the command below:

az role assignment create --assignee 00000000-0000-0000-000000000000 --role "Reader" --scope "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name"

Example JSON response:

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-000000000000",
  "name": "00000000-0000-0000-000000000000",
  "principalId": "00000000-0000-0000-000000000000",
  "principalType": "Reader",
  "resourceGroup": "your-resource-group-name",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-000000000000",
  "scope": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
  "type": "Microsoft.Authorization/roleAssignments"
}

Use the Managed Identity to access the Storage account

The following command gives a Media Services Managed Identity access to a storage account.

In the command below, change your-resource-group-name to the resource group name, and your-media-services-account-nameto the Media Services account name you want to work with:

az ams account storage set-authentication --storage-auth ManagedIdentity --resource-group <your-resource-group_name> --account-name <your-media-services-account-name>

Example JSON response:

{
  "encryption": {
    "keyVaultProperties": null,
    "type": "SystemKey"
  },
  "id": "/subscriptions/00000000-0000-0000-00000000/resourceGroups/your-resource-group-name/providers/Microsoft.Media/mediaservices/your-storage-account-name",
  "identity": null,
  "location": "West US 2",
  "mediaServiceId": "00000000-0000-0000-00000000",
  "name": "your-media-services-account",
  "resourceGroup": "your-resource-group-name",
  "storageAccounts": [
    {
      "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
      "resourceGroup": "your-resource-group-name",
      "type": "Primary"
    }
  ],
  "storageAuthentication": "ManagedIdentity",
  "systemData": {
    "createdAt": "2021-05-17T19:15:00.8850297Z",
    "createdBy": "[email protected]",
    "createdByType": "User",
    "lastModifiedAt": "2021-05-17T21:23:11.3863627Z",
    "lastModifiedBy": "[email protected]",
    "lastModifiedByType": "User"
  },
  "tags": null,
  "type": "Microsoft.Media/mediaservices"
}

Validation

To verify the account is encrypted using a Customer Managed Key, view the account encryption properties:

This command shows all of the properties of a Media Services account.

az ams account show --name <your-media-services-account-name> --resource-group <your-resource-group>

Note

If you have assigned access roles to the Media Services account, this line will return "storageAuthentication": "ManagedIdentity".

Example JSON response:

{
  "encryption": {
    "keyVaultProperties": null,
    "type": "SystemKey"
  },
  "id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Media/mediaservices/your-media-services-account",
  "identity": {
    "principalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",
    "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
    "type": "SystemAssigned"  //Type will show "Managed Identity" if you have assigned a role to the Media Services account.
  },
  "location": "your-region",
  "mediaServiceId": "00000000-0000-0000-0000-000000000000",
  "name": "your-media-services-account",
  "resourceGroup": "your-resource-group-name",
  "storageAccounts": [
    {
      "id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
      "resourceGroup": "your-resource-group-name",
      "type": "Primary"
    }
  ],
  "storageAuthentication": "System", //If you have assigned access roles to the account, this line will return storageAuthentication": "ManagedIdentity"
  "systemData": {
    "createdAt": "2021-05-14T21:25:12.3492071Z",
    "createdBy": "[email protected]",
    "createdByType": "User",
    "lastModifiedAt": "2021-05-14T21:25:12.3492071Z",
    "lastModifiedBy": "[email protected]",
    "lastModifiedByType": "User"
  },
  "tags": null,
  "type": "Microsoft.Media/mediaservices"
}

The storageAuthentication property should show “ManagedIdentity”.

For additional validation, you can check the Azure Storage logs to see which authentication method is used for each request.

Clean up resources

If you aren't planning to use the resources you created, delete the resource group.

Delete a resource group with the CLI

az group delete --name <your-resource-group-name>

Get help and support

You can contact Media Services with questions or follow our updates by one of the following methods: