Azure Storage Explorer#

Ingress via ASE can be done by either the Project Team’s chosen DPR or the Trusted Research Environments Service Area (TRESA) if they have access to the data. Either way, it will be useful for TRESA members to download ASE and sign in with their Azure account.

If the TRESA already have access to the data, skip to Perform data ingress (TRESA). Otherwise do the following:

  1. Go to the Data Safe Haven System Manager instructions for ingress (make sure you are reading the version of the docs appropriate to the deployed SRE) and follow the guide on how to generate a SAS URL

  2. Send the SAS URL via the secure email service to the Project Team’s chosen DPR (see the signed TRE Data Ingress Process Form) as per the Data Safe Haven System Manager instructions, but also include a link to the below Perform data ingress as Data Provider Representative (DPR) instructions to upload the data via Azure Storage Explorer for the DPR to follow

  3. You can check that ingress was successful by viewing the contents of the ingress container in ASE (or in the Azure Portal)

Perform data ingress as Data Provider Representative (DPR)#

The Safe Haven is built on the Microsoft Azure platform. The most convenient way of safely transferring data as a DPR is to use Azure Storage Explorer.

You will not need log-in credentials, as the Trusted Research Environments Service Area (TRESA) will provide a short-lived secure access token which will let you upload data.

Prerequisites#

Important

  • You must be able to receive a secure email. We recommend the Egress secure email service, which is free to setup for receiving secure emails.

  • You must know the public IP address(es) that are used by the people in your organisation who will be uploading the data. Talk to your IT team if you’re not sure what these are.

The Trusted Research Environments Service Area (TRESA) representative will have requested your IP address(es) as the Data Provider Representative (designated data uploader) and once you have provided this they will respond by sending a secure email back to you. This will contain the secure access token, which has write and list privileges, allowing the uploader to:

  • upload files

  • verify that files are fully uploaded

  • remove or overwrite outdated files

Attention

The secure access token does not permit files to be downloaded. This provides additional protection in case the token is accidentally leaked. In the event that the token is leaked, inform your Trusted Research Environments Service Area (TRESA) who can revoke it.

Danger

Whilst the connection between your computers and our repository is one way – you can only send data, not retrieve it – if a malicious actor were to get hold of the link, they could poison your data.

Uploading your data#

  1. Open Azure Storage Explorer

  2. Click the socket image on the left hand side

  3. On Select Resource, choose Blob container

    Azure Storage Explorer connection step 3

  4. On Select Connection Method, choose Shared access signature URL (SAS) and hit Next

    Azure Storage Explorer connection step 4

  5. On Enter Connection Info:

    Azure Storage Explorer connection step 5

  6. On the Summary page:

    • Ensure the permissions include Write & List (if not, you will be unable to upload data and should contact the administrator who sent you the token)

    • Hit Connect

  7. On the left hand side, the connection should show up under Local & Attached > Storage Accounts > (Attached Containers) > Blob Containers->ingress (SAS)

    Azure Storage Explorer connection step 7

  8. You should now be able to upload data to the Safe Haven by clicking the Upload button, completing the ingress process

  9. Alert the Trusted Research Environments Service Area (TRESA) team if ingress was successful by emailing trustedresearch@turing.ac.uk, or ask for help if something went wrong

Note

Since you were not given read permissions, it’s expected that you will receive the following warning when uploading a file. Click Yes.

Azure Storage Explorer warning

Perform data ingress (TRESA)#

In some cases (for example a Tier 0/1 SRE), the data provider or Project Team may send the data directly to Trusted Research Environments Service Area (TRESA) to peform the upload, in which case this can be done as follows:

  1. Open Azure Storage Explorer

  2. Click the person icon in the top left, then “Add an account…”

    Azure Storage Explorer deployment team connection step 1

  3. Connect to a Subscription and click through (select “Azure”)

    Azure Storage Explorer deployment team connection step 2

  4. A browser page will be launched and you will be asked to choose your account. Choose the account that has access to the [Prod] Safe Haven Management V4 subscription (or the most recent SHM subscription at the Turing)

    Azure Storage Explorer deployment team connection step 3

  5. After you are connected to the account. Click the list icon (above the person icon) in the top left. You will be shown a list of Subscriptions you have access to, which should include the Prod SHM subscription. Click the dropdown for this subscription

    Azure Storage Explorer deployment team connection step 4

  6. Click the “Storage Accounts” dropdown, which should reveal the storage for all the SREs in the SHM. For the SRE you wish to carry out ingress, click the dropdown for <shm id><sre id>data<hash string> which should reveal the Blob Containers, including ingress. Click ingress

    Azure Storage Explorer deployment team connection step 5

  7. Opening the ingress container will reveal the existing contents, and allow you to add new data with the Upload button

    Azure Storage Explorer deployment team connection step 6