Manage storage account keys with Azure Key Vault and the Azure CLI (2024)


Important

Key Vault Managed Storage Account Keys (legacy) is supported as-is, with no further updates planned. Only Account SAS is supported, and SAS definitions must be signed with a storage service version no later than 2018-03-28.

Important

Support for Managed Storage Account Keys in Azure CLI was removed in version 2.54. You must use Azure CLI version 2.53.1 or earlier for the commands in this tutorial.

Important

We recommend using Azure Storage integration with Microsoft Entra ID, Microsoft's cloud-based identity and access management service. Microsoft Entra integration is available for Azure blobs, queues, and tables, and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault). Microsoft Entra ID allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use a Microsoft Entra managed identity when you run on Azure. Managed identities remove the need for client authentication and for storing credentials in or with your application. Use the solution below only when Microsoft Entra authentication is not possible.

An Azure storage account uses credentials comprising an account name and a key. The key is auto-generated and serves as a password, rather than as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in the storage account, and provides shared access signature tokens for delegated access to resources in your storage account.

You can use the Key Vault managed storage account key feature to list (sync) keys with an Azure storage account, and regenerate (rotate) the keys periodically. You can manage keys for both storage accounts and Classic storage accounts.

When you use the managed storage account key feature, consider the following points:

  • Key values are never returned in response to a caller.
  • Only Key Vault should manage your storage account keys. Don't manage the keys yourself and avoid interfering with Key Vault processes.
  • Only a single Key Vault object should manage storage account keys. Don't allow key management from multiple objects.
  • Regenerate keys by using Key Vault only. Don't manually regenerate your storage account keys.

Important

Regenerating a key directly in the storage account breaks the managed storage account setup, can invalidate SAS tokens that are in use, and can cause an outage.

Service principal application ID

A Microsoft Entra tenant provides each registered application with a service principal. The service principal serves as the Application ID, which is used during authorization setup for access to other Azure resources via Azure role-based access control (Azure RBAC).

Key Vault is a Microsoft application that's pre-registered in all Microsoft Entra tenants. Key Vault is registered under the same Application ID in each Azure cloud.

Tenants              Cloud              Application ID
Microsoft Entra ID   Azure Government   7e7c393b-45d0-48b1-a35e-2905ddf8183c
Microsoft Entra ID   Azure public       cfa8b339-82a2-471a-a3c9-0fc0be7a4093
Other                Any                cfa8b339-82a2-471a-a3c9-0fc0be7a4093

Prerequisites

To complete this guide, you must first do the following steps:

  • Install the Azure CLI.
  • Create a key vault
  • Create an Azure storage account. The storage account name must use only lowercase letters and numbers. The length of the name must be between 3 and 24 characters.

Manage storage account keys

Connect to your Azure account

Authenticate your Azure CLI session using the az login command.

az login

Give Key Vault access to your storage account

Use the Azure CLI az role assignment create command to give Key Vault access to your storage account. Provide the command the following parameter values:

  • --role: Pass the "Storage Account Key Operator Service Role" Azure role. This role limits the access scope to your storage account. For a classic storage account, pass "Classic Storage Account Key Operator Service Role" instead.
  • --assignee: Pass the value "https://vault.azure.net", which is the URL for Key Vault in the Azure public cloud. (For the Azure Government cloud, use '--assignee-object-id' instead; see Service principal application ID.)
  • --scope: Pass your storage account resource ID, which is in the form /subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>. Find your subscription ID by using the Azure CLI az account list command. Find your storage account name and storage account resource group by using the Azure CLI az storage account list command.

az role assignment create --role "Storage Account Key Operator Service Role" --assignee "https://vault.azure.net" --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"

Give your user account permission to manage storage accounts

Use the Azure CLI az keyvault set-policy command to update the Key Vault access policy and grant storage account permissions to your user account.

# Give your user principal access to all storage account permissions, on your Key Vault instance
az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge

Permissions for storage accounts aren't available on the storage account "Access policies" page in the Azure portal.

Create a Key Vault Managed storage account

Create a Key Vault managed storage account using the Azure CLI az keyvault storage add command. Set a regeneration period of 30 days. When it's time to rotate, Key Vault regenerates the key that isn't active, and then sets the newly created key as active. Only one of the keys, the active key, is used to issue SAS tokens at any one time. Provide the command the following parameter values:

  • --vault-name: Pass the name of your key vault. To find the name of your key vault, use the Azure CLI az keyvault list command.
  • -n: Pass the name of your storage account. To find the name of your storage account, use the Azure CLI az storage account list command.
  • --resource-id: Pass your storage account resource ID, which is in the form /subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>. Find your subscription ID by using the Azure CLI az account list command. Find your storage account name and storage account resource group by using the Azure CLI az storage account list command.

az keyvault storage add --vault-name <YourKeyVaultName> -n <YourStorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P30D --resource-id "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"
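The three commands above (role assignment, access policy, managed storage account) share the same placeholders and the same resource ID, and a typo in any of them leaves Key Vault without the access it needs. The following Python script is an added example, not code from the original article or from the Azure CLI: it checks the storage account name against the prerequisite stated earlier (3 to 24 lowercase letters and digits), builds the resource ID that --scope and --resource-id expect, and returns the commands as argv lists so they can be reviewed before anything is run. The role names, the public-cloud assignee URL, the permission list and the key1/P30D settings are the ones this section uses; the function names and the sample values in the __main__ block are constructed.

```python
"""Assemble the Azure CLI calls from this section into a plan that can be
reviewed before anything runs.

Added example, not code from the original article or the Azure CLI. The
function names and the sample values below are constructed.
"""
import re
import shlex

# Prerequisite from the article: only lowercase letters and digits, 3-24 chars
STORAGE_ACCOUNT_NAME = re.compile(r"^[a-z0-9]{3,24}$")
# ISO 8601 duration such as P30D, as used by --regeneration-period
ISO_8601_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")
KEY_VAULT_ASSIGNEE_PUBLIC_CLOUD = "https://vault.azure.net"
STORAGE_PERMISSIONS = [
    "get", "list", "delete", "set", "update", "regeneratekey", "getsas",
    "listsas", "deletesas", "setsas", "recover", "backup", "restore", "purge",
]


def storage_account_resource_id(subscription_id, resource_group, account_name):
    """Build the ARM resource ID the article passes to --scope and --resource-id."""
    if not STORAGE_ACCOUNT_NAME.match(account_name):
        raise ValueError(
            f"storage account name {account_name!r} must be 3-24 lowercase letters and digits")
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account_name}")


def plan_commands(subscription_id, resource_group, account_name, vault_name, upn,
                  regeneration_period="P30D", classic=False):
    """Return the az commands from this section, in order, as argv lists."""
    if not ISO_8601_DURATION.match(regeneration_period):
        raise ValueError(
            f"regeneration period {regeneration_period!r} is not an ISO 8601 duration")
    scope = storage_account_resource_id(subscription_id, resource_group, account_name)
    role = ("Classic Storage Account Key Operator Service Role" if classic
            else "Storage Account Key Operator Service Role")
    return [
        # 1. Let Key Vault regenerate keys on this one storage account only
        ["az", "role", "assignment", "create", "--role", role,
         "--assignee", KEY_VAULT_ASSIGNEE_PUBLIC_CLOUD, "--scope", scope],
        # 2. Let the operator's user principal manage storage objects in the vault
        ["az", "keyvault", "set-policy", "--name", vault_name, "--upn", upn,
         "--storage-permissions", *STORAGE_PERMISSIONS],
        # 3. Put the storage account under Key Vault management with auto-rotation
        ["az", "keyvault", "storage", "add", "--vault-name", vault_name,
         "-n", account_name, "--active-key-name", "key1", "--auto-regenerate-key",
         "--regeneration-period", regeneration_period, "--resource-id", scope],
    ]


def render(commands):
    """Render the plan as shell lines with proper quoting, for review."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    # Constructed sample values; replace them with your own before running the output
    plan = plan_commands("00000000-0000-0000-0000-000000000000", "rg-demo",
                         "stdemo001", "kv-demo", "user@domain.com")
    print(render(plan))
```

The script deliberately does not execute anything; printing the rendered plan and pasting the reviewed lines into a shell keeps the role assignment scoped to exactly one storage account and makes the set-policy permission list visible before it is granted.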

You can also ask Key Vault to generate shared access signature tokens. A shared access signature provides delegated access to resources in your storage account, so you can grant clients access to those resources without sharing your account keys.

The commands in this section complete the following actions:

  • Set an account shared access signature definition <YourSASDefinitionName>. The definition is set on a Key Vault managed storage account <YourStorageAccountName> in your key vault <YourKeyVaultName>.
  • Set a Key Vault managed storage shared access signature definition in the vault. The definition has the template URI of the shared access signature token that was created. The definition has the shared access signature type account and is valid for N days.
  • Verify that the shared access signature was saved in your key vault as a secret.

Key Vault uses the SAS definition template to generate tokens for client applications.

SAS definition template example:

"sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https"

The SAS definition template is passed to the --template-uri parameter in the next step.

Account SAS parameters required in SAS definition template for Key Vault

Each entry below gives the SAS query parameter, followed by its description.

SignedVersion (sv): Required. Specifies the signed storage service version used to authorize requests made with this account SAS. Must be set to version 2015-04-05 or later. Key Vault supports versions no later than 2018-03-28.

SignedServices (ss): Required. Specifies the signed services accessible with the account SAS. Possible values include:

- Blob (b)
- Queue (q)
- Table (t)
- File (f)

You can combine values to provide access to more than one service. For example, ss=bf specifies access to the Blob and File endpoints.

SignedResourceTypes (srt): Required. Specifies the signed resource types that are accessible with the account SAS.

- Service (s): Access to service-level APIs (for example, Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
- Container (c): Access to container-level APIs (for example, Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
- Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files (for example, Put Blob, Query Entity, Get Messages, Create File)

You can combine values to provide access to more than one resource type. For example, srt=sc specifies access to service and container resources.

SignedPermission (sp): Required. Specifies the signed permissions for the account SAS. Permissions are only valid if they match the specified signed resource type; otherwise they're ignored.

- Read (r): Valid for all signed resource types (Service, Container, and Object). Permits read permissions to the specified resource type.
- Write (w): Valid for all signed resource types (Service, Container, and Object). Permits write permissions to the specified resource type.
- Delete (d): Valid for Container and Object resource types, except for queue messages.
- Permanent Delete (y): Valid for the Object resource type of Blob only.
- List (l): Valid for Service and Container resource types only.
- Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs.
- Create (c): Valid for the following Object resource types only: blobs and files. Users can create new blobs or files, but may not overwrite existing blobs or files.
- Update (u): Valid for the following Object resource types only: queue messages and table entities.
- Process (p): Valid for the following Object resource type only: queue messages.
- Tag (t): Valid for the following Object resource type only: blobs. Permits blob tag operations.
- Filter (f): Valid for the following Object resource type only: blobs. Permits filtering by blob tag.
- Set Immutability Policy (i): Valid for the following Object resource type only: blobs. Permits setting and deleting an immutability policy and legal hold on a blob.

SignedProtocol (spr): Optional. Specifies the protocol permitted for a request made with the account SAS. Possible values are both HTTPS and HTTP (https,http) or HTTPS only (https). The default value is https,http. HTTP only isn't a permitted value.

For more information about account SAS, see: Create an account SAS

Note

Key Vault ignores lifetime parameters such as 'Signed Expiry' and 'Signed Start', and any parameters introduced after storage service version 2018-03-28.
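A template that violates the table above is only rejected once it reaches the service, and a lifetime parameter in it is silently dropped rather than rejected, so the effective token lifetime comes from --validity-period alone. The following Python checker is an added example, not code from the original article or from the Azure CLI. It encodes the rules the table states: sv, ss, srt and sp are required; sv must be a date in the 2015-04-05 to 2018-03-28 range that Key Vault accepts; spr may be https or https,http but not http alone; a permission flag that matches none of the signed resource types is ignored; and st/se are ignored by Key Vault. It goes slightly beyond the single template on the page by checking every flag combination from the table. Function names, messages and the sample templates are this example's own.

```python
"""Check an account SAS definition template before it goes to
az keyvault storage sas-definition create --template-uri.

Added example, not code from the original article or from the Azure CLI.
Function names, messages and sample templates are constructed.
"""
from datetime import date
from urllib.parse import parse_qsl

MIN_VERSION = "2015-04-05"
MAX_VERSION = "2018-03-28"  # latest storage service version Key Vault supports
REQUIRED = ("sv", "ss", "srt", "sp")
SIGNED_SERVICES = set("bqtf")                 # ss: Blob, Queue, Table, File
SIGNED_RESOURCE_TYPES = set("sco")            # srt: Service, Container, Object
ALLOWED_PROTOCOLS = {"https", "https,http"}   # spr; plain http is not permitted
IGNORED_BY_KEY_VAULT = {"st", "se"}           # SignedStart / SignedExpiry
# sp flag -> srt letters for which the table says the permission is valid
PERMISSION_SCOPE = {
    "r": "sco", "w": "sco", "d": "co", "y": "o", "l": "sc", "a": "o",
    "c": "o", "u": "o", "p": "o", "t": "o", "f": "o", "i": "o",
}


def _check_flags(value, allowed, name, errors):
    """Flag strings such as ss=bf: every character must be a known flag."""
    if not value:
        errors.append(f"{name} must not be empty")
        return
    unknown = sorted(set(value) - allowed)
    if unknown:
        errors.append(f"{name} contains unsupported flags: {''.join(unknown)}")
    if len(set(value)) != len(value):
        errors.append(f"{name} repeats a flag: {value}")


def validate_sas_template(template):
    """Return (errors, warnings) for a template string such as
    'sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https'."""
    errors, warnings = [], []
    params = {}
    for key, value in parse_qsl(template, keep_blank_values=True):
        if key in params:
            errors.append(f"duplicate parameter: {key}")
        params[key] = value

    for key in REQUIRED:
        if key not in params:
            errors.append(f"missing required parameter: {key}")

    sv = params.get("sv")
    if sv is not None:
        try:
            date.fromisoformat(sv)
        except ValueError:
            errors.append(f"sv is not a YYYY-MM-DD service version: {sv!r}")
        else:
            # ISO dates compare correctly as plain strings
            if not (MIN_VERSION <= sv <= MAX_VERSION):
                errors.append(f"sv must be between {MIN_VERSION} and {MAX_VERSION}, got {sv}")

    if "ss" in params:
        _check_flags(params["ss"], SIGNED_SERVICES, "ss", errors)
    if "srt" in params:
        _check_flags(params["srt"], SIGNED_RESOURCE_TYPES, "srt", errors)
    if "sp" in params:
        _check_flags(params["sp"], set(PERMISSION_SCOPE), "sp", errors)
        # A permission that matches none of the signed resource types is ignored
        srt = set(params.get("srt", ""))
        for flag in params["sp"]:
            scope = PERMISSION_SCOPE.get(flag)
            if scope and srt and not (srt & set(scope)):
                warnings.append(
                    f"sp flag '{flag}' is ignored: it is only valid for srt in {scope!r}")

    spr = params.get("spr")
    if spr is not None and spr not in ALLOWED_PROTOCOLS:
        errors.append(f"spr must be 'https' or 'https,http', got {spr!r}")

    for key in params:
        if key in IGNORED_BY_KEY_VAULT:
            warnings.append(
                f"{key} is ignored by Key Vault; set the lifetime with --validity-period instead")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample templates: the page's own, then a deliberately bad one
    for sample in ("sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https",
                   "sv=2019-02-02&ss=b&srt=o&sp=rl&spr=http&se=2030-01-01T00:00:00Z"):
        errs, warns = validate_sas_template(sample)
        print(sample, "->", "OK" if not errs else "ERRORS")
        for msg in errs:
            print("  error:", msg)
        for msg in warns:
            print("  warning:", msg)
```

Run it over the template before the sas-definition create step; an empty error list means the template satisfies the table, and the warnings show which flags the service will drop so that the definition does not grant less (or a differently shaped lifetime) than the operator assumed.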

Use the Azure CLI az keyvault storage sas-definition create command, passing the SAS definition template from the previous step to the --template-uri parameter, to create a shared access signature definition. You can provide the name of your choice to the -n parameter.

az keyvault storage sas-definition create --vault-name <YourKeyVaultName> --account-name <YourStorageAccountName> -n <YourSASDefinitionName> --validity-period P2D --sas-type account --template-uri <sasDefinitionTemplate>

You can verify that the shared access signature definition has been stored in your key vault using the Azure CLI az keyvault storage sas-definition show command.

You can now use the az keyvault storage sas-definition show command and the id property to view the content of that secret.

az keyvault storage sas-definition show --id https://<YourKeyVaultName>.vault.azure.net/storage/<YourStorageAccountName>/sas/<YourSASDefinitionName>

Next steps

  • Learn more about keys, secrets, and certificates.
  • Review articles on the Azure Key Vault team blog.
  • See the az keyvault storage reference documentation.

FAQs

How are access keys managed in Azure storage accounts?

If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually. Two access keys are assigned so that you can rotate your keys. Having two keys ensures that your application maintains access to Azure Storage throughout the process.

Which CLI command creates an Azure Key Vault?

Use the az keyvault create command to create a key vault. The command has three mandatory parameters: a resource group name, a key vault name, and the geographic location.

Which CLI command regenerates a storage account access key?

Using the Azure CLI, call the az storage account keys renew command to regenerate the primary access key. Update the connection strings in your code to reference the new primary access key. Regenerate the secondary access key in the same manner. To regenerate the secondary key, use key2 as the key name instead of key1.

How to store keys in Azure Key Vault?

Add a secret to Key Vault:
  1. Navigate to your key vault in the Azure portal.
  2. On the Key Vault left-hand sidebar, select Objects, then select Secrets.
  3. Select + Generate/Import.
  4. On the Create a secret screen, choose the following values: Upload options: Manual. Name: type a name for the secret.

How do I control access to Azure Key Vault?

Managing administrative access to Key Vault: you can grant access at a specific scope level by assigning the appropriate Azure roles. To grant a user access to manage key vaults, assign the predefined Key Vault Contributor role to the user at a specific scope.

What is the storage account key in Key Vault?

The key is auto-generated and serves as a password, rather than as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in the storage account, and provides shared access signature tokens for delegated access to resources in your storage account.

How do I access my Azure Key Vault key?

To access Azure Key Vault, you'll need an Azure subscription. If you don't already have a subscription, create a free account before you begin. All access to secrets takes place through Azure Key Vault. For this quickstart, create a key vault using the Azure portal, Azure CLI, or Azure PowerShell.

Which of the Azure CLI commands is used for granting access to the vault?

To gain permissions to your key vault through role-based access control (RBAC), assign a role to your User Principal Name (UPN) using the Azure CLI command az role assignment create. Replace <upn>, <subscription-id>, <resource-group-name> and <your-unique-keyvault-name> with your actual values.

Can Microsoft access keys in Azure Key Vault?

Azure Key Vault and Azure Key Vault Managed HSM are designed, deployed and operated such that Microsoft and its agents are precluded from accessing, using or extracting any data stored in the service, including cryptographic keys.

Where can I find the Azure storage account key?

Open https://portal.azure.com/ in your web browser and log in with the credentials of a user who can access the storage account.
  • Click on Storage Accounts in the left pane.
  • In the screen that appears, select the storage account for which you'd like to find the Account Name and Account Key.

How many access keys does a storage account have?

When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key.

Who is responsible for the security of your Azure storage account access keys?

Customers are responsible for securing the access keys they are given and for regenerating them if they are exposed.

What is the secret name in Azure Key Vault?

An object name is a user-provided name for an object of type "keys", "secrets", or "certificates", and must be unique within a key vault. The name must be a 1-127 character string containing only 0-9, a-z, A-Z, and -.

What is the purpose of Azure Key Vault?

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools.

What is the difference between a key and a secret in Azure Key Vault?

A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A key is a cryptographic key represented as a JSON Web Key (JWK) object. Key Vault supports RSA and elliptic curve keys only.

How is access managed in Azure?

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

How are keys stored in Azure?

  • Keys are stored in a vault and invoked by URI when needed.
  • Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules.
  • Keys are processed in HSMs that reside in the same Azure datacenters as the applications.

Which Azure key stores support customer-managed keys?

You must use one of the following Azure key stores to store your customer-managed keys: Azure Key Vault, or Azure Key Vault Managed Hardware Security Module (HSM).

Article information

Author: Trent Wehner
