There is no shortage of ways to access, and set up access to, your data in Microsoft Azure. Understanding these methods is key to providing efficient and secure access. One of the means of accessing Azure storage is the Azure Storage Access Keys. In this AZ-104 study guide, we will look at Azure Storage Access Keys, what they are, and how they are used for configuring access to Azure storage resources.
What are Azure Storage Access Keys?
The Azure storage access keys are like passwords in that they authorize access to your Azure storage account. When you create a new Azure storage account, Azure generates two storage access keys. These are 512-bit access keys that can authorize full access to the storage account.
One account key is the primary access key, and the other is a secondary access key. Microsoft recommends that these access keys are rotated, much like you rotate passwords on sensitive accounts, to help minimize the chance they will become compromised.
You can choose to use Azure Key Vault to manage your access keys, which has the benefit of being able to automatically regenerate and rotate the access keys. However, you can also manually rotate your access keys.
Should you use storage access keys for general access?
No. These are full access keys that grant a user full access to the configuration and data of a storage account.
You should instead use Microsoft Entra ID based authorization and then use SAS tokens if you can’t use Microsoft Entra. While it may be convenient or easy to hard code access keys into scripts, code, or config files, don’t do that. This can lead to easy account compromise.
Use key expiration policies
What is a key expiration policy? It enables you to set a key rotation reminder for the account access keys. The policy is not a hard limit: it reminds you when the recommended interval has elapsed and the keys have not been rotated.
Viewing storage access keys in your storage account
The Azure portal allows managing various aspects of your Azure services, including storage account access keys.
Under the Security + networking section, select the Access keys option.
You will see boxes for both your primary and secondary keys, each showing the key and its connection string. Note how the keys and the connection strings are hidden from view. You can click the Show button to reveal the connection string and keys so you can use them.
For those who prefer working with command-line tools, Azure CLI offers an efficient way to handle storage account keys. You can also use the Azure PowerShell module to manage your Azure storage accounts.
Managing and rotating your storage access keys
Proper management of Azure storage access keys includes rotating them. You can generate a new primary access key or secondary access key right from the access keys blade. You will see the Rotate key icon that you can click. This will pop up the dialog Regenerate access key, which you can confirm.
You should rotate access keys (primary and secondary key) every 90 days as a best practice from Microsoft. This helps to minimize the risk of them becoming compromised.
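The 90-day interval and the key expiration policy described above can be checked offline from Azure CLI output. The following is an added example, not code from this article or from Microsoft: it assumes the `keyCreationTime` and `keyPolicy` properties that `az storage account show` returns, one JSON object per account, and the account names and timestamps are constructed.

```python
import json
from datetime import datetime, timezone

ROTATION_DAYS = 90  # interval the article recommends; used when no policy is set

# Constructed sample: one trimmed `az storage account show` object per account.
SAMPLE = json.loads("""[
 {"name": "examplestorage01",
  "keyCreationTime": {"key1": "2024-05-01T00:00:00+00:00",
                      "key2": "2024-01-10T08:15:00+00:00"},
  "keyPolicy": {"keyExpirationPeriodInDays": 90}},
 {"name": "examplestorage02",
  "keyCreationTime": {"key1": null,
                      "key2": "2024-05-20T12:00:00.123456+00:00"},
  "keyPolicy": null}
]""")

def parse_ts(value):
    """Parse an ISO 8601 timestamp as UTC-aware; None if nothing is recorded."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_keys(accounts, now, default_days=ROTATION_DAYS):
    """Return (account, key, age_days, status) for every access key."""
    findings = []
    for acct in accounts:
        limit = (acct.get("keyPolicy") or {}).get("keyExpirationPeriodInDays") or default_days
        created = acct.get("keyCreationTime") or {}
        for key in ("key1", "key2"):
            ts = parse_ts(created.get(key))
            if ts is None:
                # Age cannot be established, so report it instead of assuming "fresh".
                findings.append((acct["name"], key, None, "unknown-age"))
                continue
            age = (now - ts).days
            findings.append((acct["name"], key, age, "overdue" if age >= limit else "ok"))
    return findings

def accounts_without_policy(accounts):
    """Names of accounts that have no key expiration policy configured."""
    return [a["name"] for a in accounts
            if not (a.get("keyPolicy") or {}).get("keyExpirationPeriodInDays")]

if __name__ == "__main__":
    for row in audit_keys(SAMPLE, datetime.now(timezone.utc)):
        print(*row)
    print("no expiration policy:", accounts_without_policy(SAMPLE))
```

A key reported as `unknown-age` has no recorded creation time, so it should be rotated before relying on an expiration policy for it.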
Using Access keys and connection strings in application code
Connection strings are used for applications to interact with Azure storage services. Using the connection strings together with the Azure storage access key provides storage account access. However, this is not recommended in general due to the nature of access granted by the Azure storage access keys.
It is better to use Microsoft Entra ID first, then SAS tokens with a storage policy, and, as a last resort, shared key authorization only when necessary.
Wrapping up Azure Storage Access Keys
Understanding the purpose and use of the Azure storage access keys is important to securing and configuring access to your Azure storage account. The storage access keys act like a password, granting high-level access to the Azure storage account. They must be treated and protected with care. Using Azure Key Vault is a great way to have an automated and secure way to manage the storage access keys and their rotation on a regular basis. Be sure to understand these concepts as you take the AZ-104 exam.