How can I obtain or create encryption scopes for an Azure storage account by using dotnet?

小龙 - Huron 吴 0

This document details the operations on encryption scopes.

https://learn.microsoft.com/en-us/rest/api/aiservices/accountmanagement/encryption-scopes/get?view=rest-aiservices-accountmanagement-2024-10-01&tabs=dotnet#examples

However, I'm not familiar with this.

TokenCredential cred = new DefaultAzureCredential(); // authenticate your client ArmClient client = new ArmClient(cred);

I usually use the storage account access key to interact with my containers and perform blob file uploads and downloads. Is it possible to obtain/create encryption scopes in a similar manner (by using the storage account access key)?

Edit:

Thank you very much for your reply. What I need to do is to create a container with an encryption scope through this code. Since the encryption scope is not created in advance, it needs to be created by code when creating the container. Since operating the encryption scope requires AAD authentication, is there a way to access it through something like a token?

var blobServiceClient = new BlobServiceClient(connectionString);
var containerClient = blobServiceClient.GetBlobContainerClient(blobContainerName); await containerClient.CreateIfNotExistsAsync(PublicAccessType.None, null, new BlobContainerEncryptionScopeOptions {
PreventEncryptionScopeOverride = true, DefaultEncryptionScope = blobContainerName
});

Is this method of creating a container with an encryption scope and creating the encryption scope at the same time a good practice? Are there any better practices?

Keshavulu Dasari 2,570 Reputation points Microsoft Vendor

2024-12-20T09:00:52.55+00:00
HI 小龙 - Huron 吴 ,
Greetings! Welcome to Microsoft Q&A Forum. Thanks for posting you query here!
Encryption scopes in Azure Storage are a bit different from using the storage account access key for blob operations. Encryption scopes allow you to manage encryption at the level of an individual blob or container, providing more granular control over data encryption

To create and manage encryption scopes, you typically need to use Azure Active Directory (AAD) credentials rather than the storage account access key. This is because encryption scopes can be tied to customer-managed keys stored in Azure Key Vault, which requires AAD authentication
You can create an encryption scope:

Navigate to your storage account in the Azure portal.

Under Security + networking, select Encryption.

Select the Encryption Scopes tab.

Click the Add button to add a new encryption scope.

Enter a name for the new scope and select the type of encryption key support (Microsoft-managed keys or Customer-managed keys).

If using Customer-managed keys, specify the key vault and key to use

For more information:
https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
小龙 - Huron 吴 0 Reputation points

2024-12-21T05:22:35.03+00:00

Thank you very much for your reply. What I need to do is to create a container with an encryption scope through this code. Since the encryption scope is not created in advance, it needs to be created by code when creating the container. Since operating the encryption scope requires AAD authentication, is there a way to access it through something like a token?

var blobServiceClient = new BlobServiceClient(connectionString); var containerClient = blobServiceClient.GetBlobContainerClient(blobContainerName); await containerClient.CreateIfNotExistsAsync(PublicAccessType.None, null, new BlobContainerEncryptionScopeOptions { PreventEncryptionScopeOverride = true, DefaultEncryptionScope = blobContainerName });
小龙 - Huron 吴 0 Reputation points

2024-12-21T05:37:20.97+00:00

Is this method of creating a container with an encryption scope and creating the encryption scope at the same time a good practice? Are there any better practices?
Keshavulu Dasari 2,570 Reputation points Microsoft Vendor

2024-12-23T02:32:22.8566667+00:00
HI 小龙 - Huron 吴 ,
To create a container with an encryption scope and manage the encryption scope programmatically, you can use Azure Active Directory authentication with a token.

Authenticate using Azure AD: Use the DefaultAzureCredential class from the Azure Identity library to obtain a token. This class handles various authentication methods, including managed identities, environment variables, and more.

Create the encryption scope: Use the Azure SDK to create the encryption scope before creating the container.

Create the container with the encryption scope: Specify the encryption scope when creating the container.
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal

For more information:
https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

https://stackoverflow.com/questions/76637971/create-azure-storage-account-using-azure-resourcemanager-storage

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
Keshavulu Dasari 2,570 Reputation points Microsoft Vendor

2024-12-24T06:32:53.5466667+00:00

HI 小龙 - Huron 吴 ,
Checking in to see if the response helped, if you have any questions, please let me know in the comments, I would be happy to help you.
Keshavulu Dasari 2,570 Reputation points Microsoft Vendor

2024-12-26T04:02:46.1666667+00:00

HI 小龙 - Huron 吴 ,
Checking in to see if the response helped, if you have any questions, please let me know in the comments, I would be happy to help you.
Keshavulu Dasari 2,570 Reputation points Microsoft Vendor

2024-12-27T03:14:47.1633333+00:00

HI 小龙 - Huron 吴 ,
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

1 answer

Amrinder Singh 5,555 Reputation points Microsoft Employee

2024-12-20T17:08:25.5533333+00:00

Hi 小龙 - Huron 吴 - Thanks for reaching out.

The link you have shared appears to be related to Azure AI Service and account management with that and not related to the storage account one.

I would recommend to review the below sample classes / methods which shall help in capitalizing further.:

https://learn.microsoft.com/en-us/dotnet/api/azure.resourcemanager.storage.models.storageaccountencryption?view=azure-dotnet

https://learn.microsoft.com/en-us/dotnet/api/azure.provisioning.storage.encryptionscope?view=azure-dotnet

Hope that helps!

If there are any queries. let me know and will be glad to assist.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members
Please sign in to rate this answer.
小龙 - Huron 吴 0 Reputation points

2024-12-21T05:22:47.8933333+00:00

Thank you very much for your reply. What I need to do is to create a container with an encryption scope through this code. Since the encryption scope is not created in advance, it needs to be created by code when creating the container. Since operating the encryption scope requires AAD authentication, is there a way to access it through something like a token?

var blobServiceClient = new BlobServiceClient(connectionString); var containerClient = blobServiceClient.GetBlobContainerClient(blobContainerName); await containerClient.CreateIfNotExistsAsync(PublicAccessType.None, null, new BlobContainerEncryptionScopeOptions { PreventEncryptionScopeOverride = true, DefaultEncryptionScope = blobContainerName });
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How can I obtain or create encryption scopes for an Azure storage account by using dotnet?

1 answer

Your answer