Setting up an Instance Identity for SFTP Gateway
Overview
This article goes over how to set up SFTP Gateway v3 with a System-Assigned Managed Identity.
Cloud Connections can then use this Identity, instead of hard-coding a Connection String or Key.
Note: Using Instance Identity on a Storage Account with HNS (hierarchical namespace) enabled may cause issues. If your Storage Account has HNS enabled, we recommend using a connection string instead.
Create a Managed Identity
A Managed Identity lets you assign permissions to a VM.
This can include access to a Blob Storage Account.
In this section, you will create a System-Assigned Managed Identity for the VM.
Then, you will assign it permissions to Blob storage.
Step 1
When setting up the VM, under Management be sure to select System assigned managed identity.
Step 2
Once you have created your VM, under Settings go to identity.
You will see two tabs:
- System assigned
- User assigned
It will default to System assigned, which is what you want.
Under Permissions, click Azure role assignments.
Step 3
Click Add role assignment (Preview).
This will open a modal window.
Under Scope, select Resource group.
Under Subscription, select the subscription you are currently under.
Under Resource group, select the resource group your VM is located in.
Under Role, select Contributor if you are on version 3.3.0 and earlier. Select Storage Blob Data Contributor if you are on version 3.3.2 and later.
After you have properly configured your Role Assignment, press Create.
Note: If your account does not have the proper permissions you may not be able to create Role Assigments.
Once you log into the Web Admin UI, you will now be able to use instance identity for your Cloud Connection Credentials.