
Audit Logs Azure Configuration

As part of enabling audit log shipping to your Azure Blob Storage container, you need to create a Shared Access Signature (SAS) user that Contentful can use. This will allow Contentful to securely transfer audit logs directly to your Azure Storage Account container. This guide will help you create a Shared Access Signature (SAS) user specifically for Contentful.

A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

  • What resources the client may access

  • What permissions they have to those resources

  • How long the SAS is valid

We will use RSA 4096 encryption to secure your SAS Token in-transit and at rest. Access to decrypt is provided only to the Audit Logging system and a small number of people who manage the Audit Logging service. For more information please contact us via support.


Prerequisites

  1. An Azure account with access to create a Blob Store and a SAS Token

  2. Access to a Linux/BSD command line

  3. OpenSSL (v3.2.0 or above recommended) with the pkeyutl module

    a. Try openssl version to validate the version number

    b. Try openssl pkeyutl to validate the pkeyutl module

  4. The Contentful public key used for encryption (see below)

Step 1: Create an Azure Storage Account

  1. Log in to your Azure Portal

  2. Navigate to Storage Accounts -> Create

  3. Select the Subscription under which to create the Storage Account

  4. Select or Create the Resource Group for the Storage Account

  5. Enter a unique storage account name and select the region where you want the account to reside. Note this name, you will need it later

  6. Configure options as required (e.g., performance, redundancy, etc.)

  7. Click Review + create

  8. On the Review + create page, check that everything is correct and, if you’re satisfied, click Create to create the storage account

Step 2: Create a Container

  1. Log in to your Azure Portal

  2. Navigate to Storage Accounts and click the one you created in Step 1 to open it

  3. On the left sidebar, under Data storage, click Containers

  4. In the top toolbar click the + Container button to create a new container

  5. Enter a unique container name. Note this name, you will need it later

  6. Configure options as required (e.g., encryption scope, versioning, etc.)

  7. Review and click Create to create the container

Step 3: Create the SAS Token

  1. Log in to your Azure Portal

  2. Navigate to Storage Accounts and click the one you created in Step 1 to open it

  3. On the left sidebar, under Data storage, click Containers

  4. Click the name of the container you created in the steps above

  5. On the left sidebar, under Settings, click Shared access tokens

  6. Select the Permissions dropdown, deselect Read, then select Create and Write

  7. Set an expiry date that complies with your secret rotation policy

  8. Click Generate SAS token and URL

  9. Copy the value of the Blob SAS URL field that's displayed. You will use this URL in the next steps

Step 4: Encrypt the SAS Token

Option 1: Use the Command Line and OpenSSL to encrypt your SAS Token

Public Keys

Public key for EU data residency:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Public key for US/global data residency (most customers):

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Steps

  1. Using the command line, create a directory to save any artefacts used during this process

  2. cd into the working directory

  3. Save the required public key (from above) into a file in the directory called contentful-audit-public-key.pem

  4. Create a new file called sas-token.plain in the directory

  5. Amend the sas-token.plain file to contain your SAS Token, being careful to remove any leading or trailing white space, including line feed characters

  6. You should now have a directory containing:

       contentful-audit-public-key.pem
       sas-token.plain

  7. Encrypt the SAS Token using OpenSSL

       openssl pkeyutl -encrypt \
         -in sas-token.plain \
         -out sas-token.enc \
         -pubin -keyform PEM \
         -inkey contentful-audit-public-key.pem \
         -pkeyopt rsa_padding_mode:oaep \
         -pkeyopt rsa_oaep_md:sha256

  8. Encode the SAS Token using Base64 so that it can be easily submitted to Contentful

       cat sas-token.enc | base64 > sas-token.enc.b64

  9. Display the content of sas-token.enc.b64 to share with Contentful

       cat sas-token.enc.b64

The base64 encoded SAS Token can be safely submitted in clear text to Contentful. Once we receive it, only our private key can decrypt it back to the original SAS Token.
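The Step 4 procedure above, wrapped in a POSIX shell function with the checks a practitioner would want before sending the cipher: whitespace and line feeds stripped, the plaintext kept within the RSA-4096 OAEP/SHA-256 size limit, the sp= permissions in the URL compared against what Step 3 configures, and the Base64 output forced onto one line. This is an added example, not Contentful's tooling; it assumes OpenSSL 3.x on PATH and the public key saved under the guide's file name, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not Contentful's own tooling). Assumes openssl 3.x on PATH.
set -eu

# RSA-4096 with OAEP/SHA-256 wraps at most k - 2*hLen - 2 bytes:
# 512 - 64 - 2 = 446. Longer input makes pkeyutl fail with "data too large".
OAEP_MAX_BYTES=446

# Print the SAS URL with CR/LF and surrounding whitespace removed, which is
# what the guide requires before encryption.
normalize_sas() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when the sp= (signed permissions) parameter of the SAS URL has
# create+write and no read, as Step 3 configures it; return 1 otherwise.
check_sas_permissions() {
    sp=$(printf '%s' "$1" | tr '?&' '\n\n' | sed -n 's/^sp=//p')
    case "$sp" in
        *c*w*|*w*c*) case "$sp" in *r*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
    esac
}

# encrypt_sas <sas-url> <public-key.pem> <out.b64>
# Encrypts exactly as the guide's pkeyutl command does, writes the
# single-line Base64 ciphertext to <out.b64> and prints it.
encrypt_sas() {
    token=$(normalize_sas "$1")
    [ "${#token}" -le "$OAEP_MAX_BYTES" ] || {
        echo "SAS token too long for RSA-4096 OAEP" >&2; return 1; }
    check_sas_permissions "$token" \
        || echo "warning: sp= is not exactly create+write" >&2
    tmp=$(mktemp)
    printf '%s' "$token" > "$tmp"            # no trailing newline
    openssl pkeyutl -encrypt -in "$tmp" -out "$tmp.enc" \
        -pubin -keyform PEM -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    # openssl base64 -A emits one line on every platform (GNU base64 wraps at 76)
    openssl base64 -A -in "$tmp.enc" -out "$3"
    rm -f "$tmp" "$tmp.enc"
    cat "$3"
}
```

To rehearse the round trip before using Contentful's key, generate a local RSA-4096 test key pair, encrypt with its public half and decrypt with `openssl pkeyutl -decrypt` and the same OAEP options.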

Option 2: Use this page to encrypt your SAS Token

All encryption takes place on this page. Your SAS Token will not be stored or sent to us.

Enter your SAS Token, choose your Data Residency Region and click Encrypt to generate your SAS Token Cipher. Pass this text to Contentful in the SAS Token field of the Audit Logging Beta sign-up form.