Setting up an Instance Identity for SFTP Gateway
Overview
This article goes over how to set up SFTP Gateway v3 with a System-Assigned Managed Identity. Cloud Connections can then use this identity instead of hard-coding a Connection String or Key.
Note: Be sure to complete steps under Create a Managed Identity before creating an initial admin account for your VM.
Create a Managed Identity
A Managed Identity lets you assign permissions to a VM, including access to a Blob Storage Account. In this section, you will create a System-Assigned Managed Identity for the VM and then assign it permissions to Blob storage.
Step 1
When setting up the VM, under Management be sure to select System assigned managed identity.
Step 2
Once you have created your VM, under Settings go to Identity.
You will see two tabs:
- System assigned
- User assigned
It will default to System assigned, which is what you want.
Under Permissions, click Azure role assignments.
Step 3
Click Add role assignment (Preview).
This will open a modal window.
Under Scope, select Resource group.
Under Subscription, select the subscription you are currently under.
Under Resource group, select the resource group your VM is located in.
Under Role, select Contributor.
After you have properly configured your Role Assignment, press Create.
Note: If your account does not have the proper permissions, you may not be able to create Role Assignments.
Note: This permission scope is rather broad, for demonstration purposes: Contributor at resource-group scope lets the VM create, change and delete every resource in that group, not just the storage account. Tailor these permissions to fit your use case, for example by scoping the assignment to the single storage account the Gateway uses and choosing the least-privileged role that still works for your deployment.
Step 4
When you create an Admin Account and log in after completing the prior steps, you will enter the Web Admin Portal. Usually you would be met with a Create Cloud Connection popup, but since you have established an instance identity and role assignment for your VM, a Cloud Connection has already been created for you.
To locate your container, go inside your resource group and match the name to what you see in the Web Admin Portal. You are also free to change the storage account and container, provided they are within the same resource group as the VM, since the role assignment from Step 3 only covers that resource group.
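The same procedure as Steps 1 to 3, scripted with the Azure CLI, plus a check you can run before Step 4 to confirm which roles the identity actually holds. This is an added example, not SFTP Gateway's own tooling or anything from the article. The resource group name sftpgw-rg, the VM name sftpgw-vm and the storage account name sftpgwstore are assumed; the storage_scope helper only builds the narrower scope suggested in the note above, and which role SFTP Gateway needs at that scope is not stated on this page and must be checked against your deployment.

```shell
#!/bin/sh
# Added example: the portal steps above, done with the Azure CLI (az).
# This is not SFTP Gateway's own tooling. Assumed names: resource group
# "sftpgw-rg" and VM "sftpgw-vm"; override them via the environment.

RESOURCE_GROUP="${RESOURCE_GROUP:-sftpgw-rg}"
VM_NAME="${VM_NAME:-sftpgw-vm}"

# ARM resource ID of a resource group; this is the "Resource group" scope
# chosen in Step 3.  Usage: rg_scope SUBSCRIPTION_ID RESOURCE_GROUP
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# ARM resource ID of one storage account inside that group, for a narrower
# assignment than the whole resource group (assumed account name below).
# Usage: storage_scope SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT
storage_scope() {
    printf '%s/providers/Microsoft.Storage/storageAccounts/%s' \
        "$(rg_scope "$1" "$2")" "$3"
}

# Step 1 equivalent for an existing VM: turn on the system-assigned identity
# and print the principal (object) ID Azure created for it.
# Usage: enable_system_identity RESOURCE_GROUP VM_NAME
enable_system_identity() {
    az vm identity assign --resource-group "$1" --name "$2" --output none
    az vm show --resource-group "$1" --name "$2" \
        --query identity.principalId --output tsv
}

# Steps 2-3 equivalent: grant ROLE to the identity at SCOPE. Passing the
# principal type avoids a directory lookup that can fail for a principal
# created seconds ago. Prints the role assignment ID.
# Usage: assign_role PRINCIPAL_ID ROLE SCOPE
assign_role() {
    az role assignment create \
        --assignee-object-id "$1" \
        --assignee-principal-type ServicePrincipal \
        --role "$2" \
        --scope "$3" \
        --query id --output tsv
}

# Check before Step 4: list the role names the identity holds at SCOPE.
# Usage: list_roles PRINCIPAL_ID SCOPE
list_roles() {
    az role assignment list --assignee "$1" --scope "$2" \
        --query '[].roleDefinitionName' --output tsv
}

main() {
    subscription_id="$(az account show --query id --output tsv)"
    scope="$(rg_scope "$subscription_id" "$RESOURCE_GROUP")"
    principal_id="$(enable_system_identity "$RESOURCE_GROUP" "$VM_NAME")"
    echo "principal id: $principal_id"
    # Contributor at resource-group scope, exactly as in Step 3.
    assign_role "$principal_id" Contributor "$scope"
    echo "roles held at $scope:"
    list_roles "$principal_id" "$scope"
}

# Only call Azure when explicitly asked ("sh identity.sh apply"), so the
# helpers can be sourced or inspected without credentials.
if [ "${1-}" = "apply" ]; then
    main
fi
```

Run it as `sh identity.sh apply` after `az login`, before creating the Gateway's admin account. Role assignments can take a few minutes to propagate, so if the Web Admin Portal does not create the Cloud Connection for you, re-run list_roles to confirm the assignment is visible and wait before creating the admin account. To try the narrower scope from the note, pass `"$(storage_scope "$subscription_id" "$RESOURCE_GROUP" sftpgwstore)"` to assign_role instead of the resource-group scope.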