Managing your Storage Account Access Keys
Azure produces two 512-bit storage account access keys when you create a storage account. Shared Key authorization can be used to authorize access to data in your storage account using these keys.
Access keys are used to authenticate and authorize access to Azure Storage accounts. They are a pair of keys, including a primary and secondary key, which are generated when a storage account is created. These keys provide complete access to a storage account and should be treated with the same level of security as a password.
Here are some steps for managing your storage account access keys:
- Sign in to the Azure portal and go to your storage account.
- In the left-hand menu, select “Access keys” under the “Settings” section.
- You will see two keys, a primary and a secondary key. These keys can be regenerated at any time.
- If you need to change your access key, click the “Regenerate key” button for the key you want to regenerate.
- Select the key type and whether to regenerate the primary or secondary key.
- After the regeneration process is complete, copy the new key and update any applications or scripts that use the old key.
- It’s a good practice to rotate access keys regularly, such as every 90 days or so, to ensure that your storage account remains secure.
- Additionally, you can restrict access to your storage account by creating Shared Access Signatures (SAS). SAS provides granular access to specific resources in your storage account without exposing the account access keys. SAS can be created for blobs, queues, files, and tables.
Steps to Protect your Storage Account Access Keys
Your storage account access keys are comparable to your storage account’s root password. Keep your access keys safe at all times. Securely manage and rotate your keys with Azure Key Vault. Access keys should not be distributed to other users, hard-coded, or saved in plain text that is accessible to others. If you suspect your keys have been compromised, rotate them. Instead of utilising Shared Key, Microsoft suggests using Azure Active Directory (Azure AD) to authorise requests against blob and queue data. Azure AD provides better security and ease of use than Shared Key.
Steps to View Account Access Keys
- You can view and copy your account access keys with the Azure portal, PowerShell, or Azure CLI. The Azure portal also provides a connection string for your storage account that you can copy.
- You can use either of the two keys to access Azure Storage, but in general it’s a good practice to use the first key, and reserve the use of the second key for when you are rotating keys.
- To view or read an account’s access keys, the user must either be a Service Administrator, or must be assigned an RBAC role that includes the Microsoft.Storage/storageAccounts/listkeys/action. Some built-in RBAC roles that include this action are the Owner, Contributor, and Storage Account Key Operator Service Role roles.
Using Portal
- Navigate to your storage account in the Azure portal.
- Under Settings, select Access keys. Your account access keys appear, as well as the complete connection string for each key.
- Locate the Key value under key1, and click the Copy button to copy the account key.
- Alternately, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.
Using PowerShell
To retrieve your account access keys with PowerShell, call the Get-AzStorageAccountKey command.
The following example retrieves the first key. To retrieve the second key, use Value[1] instead of Value[0]. Remember to replace the placeholder values in brackets with your own values.
$storageAccountKey = (Get-AzStorageAccountKey `
    -ResourceGroupName <resource-group> `
    -Name <storage-account>).Value[0]
Using Azure CLI
Call the az storage account keys list command using Azure CLI to see a list of your account access keys, as demonstrated in the example below. Remember to substitute your own values for the placeholder ones in brackets.
az storage account keys list \
    --resource-group <resource-group> \
    --account-name <storage-account>
Manually Rotate Access Keys
To keep your storage account secure, Microsoft suggests rotating your access keys on a regular basis. Use Azure Key Vault to manage your access keys if at all possible. If you are not using Key Vault, you will have to rotate your keys manually. You are given two access keys so that you can rotate them without interrupting your application: having two keys ensures that your application can access Azure Storage at any point during the process.
Using Portal
To rotate your access keys in the Azure portal:
- Update the connection strings in your application code to reference the secondary access key for the storage account.
- Navigate to your storage account in the Azure portal.
- Under Settings, select Access keys.
- To regenerate the primary access key for your storage account, select the Regenerate button next to the primary access key.
- Update the connection strings in your code to reference the new primary access key.
- Regenerate the secondary access key in the same manner.
Using PowerShell
To rotate your access keys with PowerShell:
- Update the connection strings in your application code to reference the secondary access key for the storage account.
- Call the New-AzStorageAccountKey command to regenerate the primary access key.
- Update the connection strings in your code to reference the new primary access key.
- Regenerate the secondary access key in the same manner. To regenerate the secondary key, use key2 as the key name instead of key1.
Using Azure CLI
To rotate your storage account access keys with Azure CLI:
- Update the connection strings in your application code to reference the secondary access key for the storage account.
- Call the az storage account keys renew command to regenerate the primary access key.
- Update the connection strings in your code to reference the new primary access key.
- Regenerate the secondary access key in the same manner. To regenerate the secondary key, use key2 as the key name instead of key1.
The user must either be a Service Administrator or be assigned an RBAC role that contains the Microsoft.Storage/storageAccounts/regeneratekey/action to rotate an account’s access keys. The Owner, Contributor, and Storage Account Key Operator Service Role roles are some of the built-in RBAC roles that include this action.
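The Azure CLI rotation procedure above, scripted end to end, as an added example that is not part of the original article. It assumes a logged-in Azure CLI and a hypothetical update_app_key hook standing in for however your deployment repoints the application (for example, writing the key to a Key Vault secret); the script stops if a renew call hands back an unchanged value.

```bash
#!/usr/bin/env bash
# Added example: manual access key rotation with Azure CLI.
# Assumes `az login` has been done and the caller holds
# Microsoft.Storage/storageAccounts/regeneratekey/action on the account.
set -euo pipefail

# Read one access key by name (key1 or key2). --query/-o tsv avoid needing jq.
get_key() { # usage: get_key <resource-group> <account> <key1|key2>
  az storage account keys list --resource-group "$1" --account-name "$2" \
    --query "[?keyName=='$3'].value | [0]" -o tsv
}

# Regenerate one key and print its new value (renew returns the full key list).
renew_key() { # usage: renew_key <resource-group> <account> <key1|key2>
  az storage account keys renew --resource-group "$1" --account-name "$2" \
    --key "$3" --query "[?keyName=='$3'].value | [0]" -o tsv
}

# Hypothetical hook: repoint the application to a key (e.g. update a Key Vault
# secret). Here it only reports the key's last four characters, never the key.
update_app_key() { # usage: update_app_key <key-value>
  echo "application now using key ending ...${1: -4}" >&2
}

# Full rotation in the order the article gives: app -> key2, renew key1,
# app -> new key1, renew key2. Prints "new-key1 new-key2" on success and
# returns 1 if a renewal came back unchanged (the old key would still be live).
rotate_keys() { # usage: rotate_keys <resource-group> <account>
  local rg=$1 acct=$2 old1 old2 new1 new2
  old1=$(get_key "$rg" "$acct" key1)
  old2=$(get_key "$rg" "$acct" key2)
  update_app_key "$old2"                 # step 1: nothing depends on key1 now
  new1=$(renew_key "$rg" "$acct" key1)   # step 2: regenerate key1
  [ "$new1" != "$old1" ] || { echo "key1 unchanged, aborting" >&2; return 1; }
  update_app_key "$new1"                 # step 3: move onto the fresh key1
  new2=$(renew_key "$rg" "$acct" key2)   # step 4: regenerate key2
  [ "$new2" != "$old2" ] || { echo "key2 unchanged, aborting" >&2; return 1; }
  printf '%s %s\n' "$new1" "$new2"
}

# Run only when invoked as: ./rotate.sh --run <resource-group> <account>
if [ "${1:-}" = "--run" ]; then rotate_keys "$2" "$3"; fi
```

The returned values are printed only so a wrapper can store them in Key Vault; in practice never log them.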
AZ-104 Exam Practice Questions
Question: Which of the following best describes access keys for Azure Storage accounts?
A) A password used to access Azure services.
B) A pair of keys that provide complete access to a storage account.
C) A way to restrict access to specific resources in a storage account.
D) A type of authentication token used for Azure Active Directory.
Answer: B) A pair of keys that provide complete access to a storage account.
Explanation: Access keys are a pair of keys that provide complete access to a storage account. These keys are generated when a storage account is created and are used to authenticate and authorize access to the account.
Question: What is the recommended frequency for rotating access keys for a storage account?
A) Every year
B) Every 90 days
C) Every 6 months
D) Every time a new user is added
Answer: B) Every 90 days
Explanation: It is recommended to rotate access keys for a storage account regularly, such as every 90 days, to ensure that the account remains secure.
Question: Which of the following is a way to limit access to specific resources in a storage account without exposing access keys?
A) Virtual networks
B) Shared Access Signatures (SAS)
C) Role-based access control (RBAC)
D) Azure Active Directory (AAD)
Answer: B) Shared Access Signatures (SAS)
Explanation: Shared Access Signatures (SAS) provide granular access to specific resources in a storage account without exposing the account access keys. SAS can be created for blobs, queues, files, and tables.
Question: How can you regenerate an access key for a storage account?
A) Click on the “Regenerate key” button for the key you want to regenerate.
B) Delete the storage account and create a new one.
C) Call Microsoft Azure support to regenerate the key.
D) Disable the key and create a new one.
Answer: A) Click on the “Regenerate key” button for the key you want to regenerate.
Explanation: To regenerate an access key for a storage account, you need to click on the “Regenerate key” button for the key you want to regenerate. Then, select the key type and whether to regenerate the primary or secondary key. After the regeneration process is complete, copy the new key and update any applications or scripts that use the old key.
Reference: Microsoft Documentation