Tutorial: Use a Key Vault key to encrypt data into a Media Services account
Warning
Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.
Note
Managed identities are only available for Media Services accounts created using the v3 API. If you are using the v2 API and would like to use managed identities, please migrate from v2 to v3 Migrate from Media Services v2 to v3 introduction.
If you'd like Media Services to encrypt data using a key from your Key Vault, the Media Services account must be granted access to the Key Vault. Follow the steps below to create a Managed Identity for the Media Services account and grant this identity access to your Key Vault using the Media Services CLI.
This tutorial uses the 2020-05-01 Media Services API.
Sign in to Azure
To use any of the commands in this article, you first have to be signed in to the subscription that you want to use.
Sign in to Azure. When you use this command, you will be prompted for the subscription you want to use.
az login
Set subscription
Use this command to set the subscription that you want to work with.
Set the Azure subscription with the CLI
In the following command, provide the Azure subscription ID that you want to use for the Media Services account.
az account set --subscription <subscriptionName>
Resource names
Before you get started, decide on the names of the resources you'll create. They should be easily identifiable as a set, especially if you are not planning to use them after you are done testing. Naming rules are different for many resource types so it's best to stick with all lower case. For example, "mediatest1rg" for your resource group name and "mediatest1stor" for your storage account name. Use the same names for each step in this article.
You'll see these names referenced in the commands below. The names of resources you'll need are:
- myRG
- myStorageAccount
- myAmsAccount
- myKeyVault
- myKey
- location
Note
The hyphens above are only used to separate guidance words. Because of the inconsistency of naming resources in Azure services, don't use hyphens when you name your resources. Also, you don't create the region name. The region name is determined by Azure.
List Azure regions
If you're not sure of the actual region name to use, use this command to get a listing:
Use this command to list the regions available for your account.
az account list-locations --query "[].{DisplayName:displayName, Name:name}" -o table
Sequence
Each of the steps below is done in a particular order because one or more values from the JSON responses are used in the next step in the sequence.
Create a Storage account
The Media Services account you'll create must have a storage account associated with it. Create the storage account for the Media Services account first. You'll use your-storage-account-name for subsequent steps.
Create an Azure Storage account with the CLI
Use the following commands to create an Azure Storage account.
To create a storage account, you must first create a resource group within a location.
To list available locations, use the following command:
List available locations with the CLI
To list available locations, use the following command:
az account list-locations
Create a resource group with the CLI
To create a resource group, use the following command:
az group create -n <resourceGroupName> --location chooseLocation
Choose a SKU
You also need to choose a SKU for your storage account. You can list storage accounts.
Choose a SKU from the following list: Standard_LRS, Standard_GRS, Standard_RAGRS, Premium_LRS.
- Change
myStorageAccountto a unique name with a length of fewer than 24 characters. - Change
chooseLocationto the region you want to work within. - Change
chooseSKUto your preferred SKU.
az storage account create -n <myStorageAccount> -g <resourceGroup> --location <chooseLocation> --sku <chooseSKU>
Create a Media Services account with a Service Principal (Managed Identity)
Now create the Media Services account with a Service Principal, otherwise known as a Managed Identity.
Important
It is important that you remember to use the --mi flag in the command. Otherwise you will not be able to find the principalId for a later step.
The following Azure CLI command creates a new Media Services account. Replace the following values: your-media-services-account-name your-storage-account-name, and your-resource-group-name with the names you want to use. The command assumes that you have already created a resource group and a Storage account.
It gives the Media Services account a system assigned managed identity with the --mi-system-assigned flag.
az ams account create --name <your-media-services-account-name> --resource-group <your-resource-group-name> --mi-system-assigned --storage-account <your-storage-account-name>
Example JSON response:
{
"encryption": {
"keyVaultProperties": null,
"type": "SystemKey"
},
"id": "/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/your-resource-group/providers/Microsoft.Media/mediaservices/your-media-services-account-name",
"identity": {
"principalId": "00000000-0000-0000-0000-00000000",
"tenantId": "00000000-0000-0000-0000-00000000",
"type": "SystemAssigned"
},
"location": "your-region",
"mediaServiceId": "00000000-0000-0000-0000-00000000",
"name": "your-media-services-account-name",
"resourceGroup": "your-resource-group",
"storageAccounts": [
{
"id": "/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/mediatest1rg/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
"resourceGroup": "your-resource-group",
"type": "Primary"
}
],
"storageAuthentication": "System",
"systemData": {
"createdAt": "2021-05-14T21:25:12.3492071Z",
"createdBy": "you@example.com",
"createdByType": "User",
"lastModifiedAt": "2021-05-14T21:25:12.3492071Z",
"lastModifiedBy": "you@example.com",
"lastModifiedByType": "User"
},
"tags": null,
"type": "Microsoft.Media/mediaservices"
}
Create a Key Vault
Create the Key Vault. The Key Vault is used to encrypt media data. You'll use your-keyvault-name to create your key and for later steps.
Use the following commands to create a Key Vault and key. Change your-resource-group-name, your-keyvault-name and your-key-name to the values you want to use. The command assumes that you have already created a resource group.
Note
The --bypass AzureServices allows Media Services (and other Azure Services) to access the Key Vault when that access would normally be blocked by the Key Vault network ACLs
The --enable-purge-protection If it is not set, you will not be able to use your key.
Create the Key Vault
az keyvault create --resource-group <your-resource-group-name> --bypass AzureServices --enable-purge-protection --name <your-keyvault-name>
Example JSON response:
{
"id": "/subscriptions/the-subscription-id/resourceGroups/your-resource-group-name/providers/Microsoft.KeyVault/vaults/your-keyvault-name",
"location": "your-region",
"name": "your-keyvault-name",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover"
],
"keys": [
"get",
"create",
"delete",
"list",
"update",
"import",
"backup",
"restore",
"recover"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover"
],
"storage": [
"get",
"list",
"delete",
"set",
"update",
"regeneratekey",
"setsas",
"listsas",
"getsas",
"deletesas"
]
},
"tenantId": "the-tenant-id"
}
],
"createMode": null,
"enablePurgeProtection": true,
"enableRbacAuthorization": null,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"softDeleteRetentionInDays": 90,
"tenantId": "the-tenant-id",
"vaultUri": "https://your-keyvault-name.vault.azure.cn/"
},
"resourceGroup": "your-resource-group-name",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
Create the key
az keyvault key create --kty RSA --name your-key-name --vault-name your-keyvault-name
Example JSON response:
{
"attributes": {
"created": "2021-05-12T22:41:29+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Recoverable",
"updated": "2021-05-12T22:41:29+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"keyOps": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"kid": "https://your-keyvault-name.vault.azure.cn/keys/your-key-name/your-subsription-id",
"kty": "RSA",
"n": "THISISTHEKEY51V9thvU7KsBUo/q1mEOcuxqt0qUcnx0IRO9YCL32fPjD/nnS8hKS5qkgUKfe2NRAtzVQ+elQAha65l7OsHu+TXmH/n/RPCgstpqSdCfiUR1JTmFYFRWdxCPwoKJMYaqlCEhn2Dkon3StTN0Id0sjRSA/YOLjgWU7YnVbntg5/048HgcTKn3PCWCuJc+P8hI/8Os5EAIpun62PffYwPX0/NIA1PY8wIB+sYEY0zxVGwWrCu7VgCo9xeqbMQEq5OenYmYpc+cjLozU/ohGhfWTpQU8d7fFypTHQraENDOFKEY",
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"tags": null
}
Grant the Media Services System Assigned Managed Identity access to the Key Vault
Grant the Media Services Managed Identity access to the Key Vault. There are two commands:
Get (show) the Managed Identity of the Media Services account
The first command below shows the Managed Identity of the Media Services account which is the principalId listed in the JSON returned by the command.
This command shows all of the properties of a Media Services account.
az ams account show --name <your-media-services-account-name> --resource-group <your-resource-group>
Note
If you have assigned access roles to the Media Services account, this line will return "storageAuthentication": "ManagedIdentity".
Example JSON response:
{
"encryption": {
"keyVaultProperties": null,
"type": "SystemKey"
},
"id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Media/mediaservices/your-media-services-account",
"identity": {
"principalId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",
"tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
"type": "SystemAssigned" //Type will show "Managed Identity" if you have assigned a role to the Media Services account.
},
"location": "your-region",
"mediaServiceId": "00000000-0000-0000-0000-000000000000",
"name": "your-media-services-account",
"resourceGroup": "your-resource-group-name",
"storageAccounts": [
{
"id": "/subscriptions/ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0/resourceGroups/your-resource-group-name/providers/Microsoft.Storage/storageAccounts/your-storage-account-name",
"resourceGroup": "your-resource-group-name",
"type": "Primary"
}
],
"storageAuthentication": "System", //If you have assigned access roles to the account, this line will return storageAuthentication": "ManagedIdentity"
"systemData": {
"createdAt": "2021-05-14T21:25:12.3492071Z",
"createdBy": "you@example.com",
"createdByType": "User",
"lastModifiedAt": "2021-05-14T21:25:12.3492071Z",
"lastModifiedBy": "you@example.com",
"lastModifiedByType": "User"
},
"tags": null,
"type": "Microsoft.Media/mediaservices"
}
Set the Key Vault policy
The second command grants the Principal ID access to the Key Vault. Set object-id to the value of principalId which you got from the previous step.
To use this command, you must include the Media Services principalId as the object-id. if you haven't already, use az ams account show --name <your-media-services-account-name> --resource-group <your-resource-group> to get this ID.
az keyvault set-policy --name <your-keyvault-name> --object-id <principalId> --key-permissions decrypt encrypt get list unwrapKey wrapKey
Example JSON response:
{
"id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.KeyVault/vaults/your-keyvault-name",
"location": "your-region",
"name": "your-keyvault-name",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "00000000-0000-0000-000000000000",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover"
],
"keys": [
"get",
"create",
"delete",
"list",
"update",
"import",
"backup",
"restore",
"recover"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover"
],
"storage": [
"get",
"list",
"delete",
"set",
"update",
"regeneratekey",
"setsas",
"listsas",
"getsas",
"deletesas"
]
},
"tenantId": "00000000-0000-0000-000000000000"
},
{
"applicationId": null,
"objectId": "00000000-0000-0000-000000000000",
"permissions": {
"certificates": null,
"keys": [
"encrypt",
"get",
"list",
"wrapKey",
"decrypt",
"unwrapKey"
],
"secrets": null,
"storage": null
},
"tenantId": "00000000-0000-0000-000000000000"
}
],
"createMode": null,
"enablePurgeProtection": true,
"enableRbacAuthorization": null,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"softDeleteRetentionInDays": 90,
"tenantId": "00000000-0000-0000-000000000000",
"vaultUri": "https://your-keyvault-name.vault.azure.cn/"
},
"resourceGroup": "your-resource-group-name",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
Set Media Services to use the key from Key Vault
Set Media Services to use the key you've created. The value of the key-identifier property comes from the output when the key was created. This command may fail because of the time it takes to propagate access control changes. If this happens, retry after a few minutes.
To use this command, you must already have created a Key Vault and a key.
az ams account encryption set --account-name <your-media-services-account-name> --resource-group <your-resource-group> --key-type CustomerKey --key-identifier https://<your-keyvault-name>.vault.azure.cn/keys/<your-key-name>
Example JSON response:
{
"id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/your-resource-group-name/providers/Microsoft.KeyVault/vaults/your-keyvault-name",
"location": "your-region",
"name": "your-keyvault-name",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "00000000-0000-0000-000000000000",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover"
],
"keys": [
"get",
"create",
"delete",
"list",
"update",
"import",
"backup",
"restore",
"recover"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover"
],
"storage": [
"get",
"list",
"delete",
"set",
"update",
"regeneratekey",
"setsas",
"listsas",
"getsas",
"deletesas"
]
},
"tenantId": "the-tenant-id"
},
{
"applicationId": null,
"objectId": "the-media-services-account-id",
"permissions": {
"certificates": null,
"keys": [
"encrypt",
"get",
"list",
"wrapKey",
"decrypt",
"unwrapKey"
],
"secrets": null,
"storage": null
},
"tenantId": "the-tenant-id"
}
],
"createMode": null,
"enablePurgeProtection": true,
"enableRbacAuthorization": null,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"softDeleteRetentionInDays": 90,
"tenantId": "the-tenant-id",
"vaultUri": "https://your-keyvault-name.vault.azure.cn/"
},
"resourceGroup": "your-resource-group-name",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
Validation
To verify the account is encrypted using a Customer Managed Key, view the account encryption properties:
Show account encryption with the CLI
For more information about this command, see the Media Services CLI reference.
The type property should show CustomerKey and the currentKeyIdentifier should be set to the path of a key in the customer’s Key Vault.
Clean up resources
If you aren't planning to use the resources you created, delete the resource group.
Delete a resource group with the CLI
az group delete --name <your-resource-group-name>