Once you have completed this guide, your external storage account will be configured with all the necessary permissions and CORS settings enabled. This ensures that all RMS Console operations, including uploads and job creation, work properly.
The preferred RMS configuration is to use a storage account outside of the managed resource group because this ensures that Ravnur does not have access to your content. You should create the storage account in the same region as your managed resource group to eliminate data transfer charges across regions.
After you have created the storage account, you'll need to grant the RMS managed identity appropriate permissions to access your storage. The managed identity is the bridge between RMS and your storage account.
❌ If you have more than one RMS account, do not set the default storage account as Primary for the other accounts.
The default storage account is created for the default RMS account during deployment. All other RMS accounts should use storage accounts outside the managed resource group.
✅ Instead, create and use an external storage account in your own Azure resource group.
Follow the steps below to set this up correctly.
In this article:
Step 1: Create a Storage Account in your Resource Group
Step 2: Find the RMS Managed Identity
Step 3: Grant RMS Permission to Access the Storage
Step 4: Add storage to RMS Console
Step 5: Set as Primary Storage
Step 1: Create a Storage Account in your Resource Group
- Go to Azure Portal > Storage accounts.
- Click + Create.
- Select your subscription and resource group (NOT the RMS managed resource group). Make sure that the storage account is created in the same region as the managed resource group to avoid data transfer charges.
- Enter a storage account name (e.g.,
storage2). - Complete the setup and create the account.
Step 2: Find the RMS Managed Identity
- Go to the RMS managed resource group in Azure Portal.
- Find the resource named
id-rms-<unique-suffix>(type: Managed Identity). - Copy its name for the next step.
Step 3: Grant RMS permission to access the storage
- Navigate to your target storage account in Azure Portal.
- Go to Access Control (IAM).
-
Add a role assignment:
- Role: Storage Blob Data Contributor.
- Assign access to: Managed Identity.
Click Select members.
Select your subscription and User-assigned managed identity option for Managed identity.
Select the RMS Managed Identity you copied earlier.
- Click Review + assign.
Step 4: Add Storage to RMS Console
- Log into RMS Console.
- Select Account settings for the corresponding account.
- Add a new storage account record and confirm you assigned a Storage Blob Data Contributor role earlier.
- Enter the exact name of your storage account (from Step 1). Example:
storage2 - Click Add new storage account.
Step 5: Set as Primary Storage
Click Set Primary to mark your new storage as primary.
It may take up to 10 minutes to propagate the change of the primary storage account throughout the system.
Step 6: How to configure CORS for external storage accounts
To enable all RMS Console operations on your storage account, you must configure Cross-Origin Resource Sharing (CORS) rules. Without proper CORS configuration, uploads, job creation, and storage operations will fail.
Go to your storage account in Azure Portal.
In the left-side menu, select Settings > Resource sharing (CORS).
-
Create a new CORS rule with the following settings:
Allowed origins: Enter
https://apps.ravnur.comor*.Allowed methods: Select all options (or at minimum: GET, POST, PUT, OPTIONS).
Allowed headers: Enter
*.Exposed headers: Enter
*.Max age: Set to
3600seconds.
Click Save to apply the CORS rule.
-
Clear your browser cache (press Ctrl + F5 or Cmd + Shift + R) to ensure changes take effect.
It may take 1 to 5 minutes for CORS rule changes to propagate across Azure's edge locations.
Testing: Upload a video or perform another action in the RMS Console and verify no CORS errors appear in your browser's Developer Tools > Network tab.