Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 2 Enable managed identity for your Recovery Services vault

@20aman    Jun 25, 2020

Azure Backup uses a system-assigned managed identity to authenticate the Recovery Services vault when it accesses the encryption keys stored in Azure Key Vault. Later in this series we will grant this identity permissions inside the Key Vault.

To enable the managed identity for the Recovery Services vault, navigate to the vault and select "Identity" under Settings. Toggle the Status to On and click Save to apply the setting.

(Screenshot: Identity settings)

You will get a prompt explaining that you are enabling a managed identity for the vault and that the vault will be registered with Azure Active Directory. Click Yes to proceed. Once the setting is saved, an Object ID is displayed. Take a note of this ID; it is the identifier you will use when granting the vault access to the Key Vault. You will also see an "Azure role assignments" button, where you can review and manage the RBAC permissions held by this managed identity.

(Screenshot: Saved Identity settings)
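As an added example (not from the original post), the same step can be done with Azure PowerShell instead of the portal, which is handy when you want the Object ID captured in a script rather than copied from a screen. It assumes the Az.Accounts, Az.RecoveryServices and Az.Resources modules are installed (a version of Az.RecoveryServices recent enough to support the -IdentityType parameter on Update-AzRecoveryServicesVault), that you have already run Connect-AzAccount, and that the resource group and vault names are placeholders you replace with your own.

```powershell
# Added example, not the post's own code: enable the system-assigned managed
# identity on a Recovery Services vault and read back its Object (principal) ID.
# Assumes Az.Accounts, Az.RecoveryServices and Az.Resources are installed and
# that Connect-AzAccount has already been run. Names below are placeholders.
$ResourceGroupName = 'rg-backup-demo'     # placeholder
$VaultName         = 'rsv-backup-demo'    # placeholder

# Confirm the vault exists before changing anything.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in resource group '$ResourceGroupName'." }

# Equivalent of toggling Identity > Status to On in the portal. A resource can
# have only one system-assigned identity, so re-running this is harmless.
if ($vault.Identity -and ("$($vault.Identity.Type)" -match 'SystemAssigned')) {
    Write-Host "System-assigned identity is already enabled on $VaultName."
} else {
    Update-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName `
                                   -Name $VaultName `
                                   -IdentityType SystemAssigned | Out-Null
    # Re-read the vault so the Identity block is populated.
    $vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName
}

# This is the "Object Id" shown on the Identity blade after saving; keep it for
# the Key Vault permission step later in the series.
$principalId = $vault.Identity.PrincipalId
if (-not $principalId) { throw "Identity was not enabled; no PrincipalId returned." }
Write-Host "Managed identity Object Id: $principalId"

# Same information as the "Azure role assignments" button: what this identity
# can currently do. A freshly enabled identity normally has no assignments yet.
$assignments = Get-AzRoleAssignment -ObjectId $principalId -ErrorAction SilentlyContinue
if ($assignments) {
    $assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Host "No RBAC role assignments yet (expected for a newly enabled identity)."
}
```

The final Get-AzRoleAssignment call is worth keeping in any automation: because the identity follows the vault's lifecycle and is granted rights through RBAC, listing its assignments is the quickest way to confirm it holds nothing beyond what the backup encryption scenario needs.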

Note:

  • A system-assigned managed identity is restricted to one per resource.
  • It is tied to the lifecycle of that resource: when the resource is deleted, its managed identity is deleted with it.
  • You can assign permissions to this identity through RBAC, in the same way you assign permissions to individual users.
  • The managed identity is authenticated with Azure AD, so you don't have to store any credentials in code.
