Learn to Manage storage account access keys
This tutorial explains how to manage storage account access keys in the Azure portal. Azure generates two 512-bit storage account access keys when you create a storage account. These keys can be used to authorize access to the data in your storage account through Shared Key authorization.
Protect your access keys
- Your storage account access keys are comparable to your storage account’s root password.
- Keep your access keys safe at all times.
- Securely manage and rotate your keys using Azure Key Vault.
- Access keys should not be distributed to other users, hard-coded, or saved in plain text that is visible to others.
- If you suspect your keys have been compromised, rotate them.
View account access keys
You can view and copy your account access keys using the Azure portal, PowerShell, or the Azure CLI. The Azure portal also provides a connection string for your storage account that you can copy. This tutorial covers the Azure portal.
To view and copy your storage account access keys or connection string in the Azure portal:
- Navigate to your storage account in the Azure portal.
- Under Settings, select Access keys. Your account access keys, as well as the complete connection string for each key, are displayed.
- Locate the Key value under key1 and click the Copy button to copy the account key.
- Alternatively, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.
- You can use either of the two keys to access Azure Storage, but it is generally good practice to use the first key and reserve the second key for when you are rotating keys.
- To view or read an account's access keys, the user must either be a Service Administrator or be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/listkeys/action action.
- The Owner, Contributor, and Storage Account Key Operator Service Role roles are some of the Azure built-in roles that include this action.
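The advice above not to hard-code access keys or save them in plain text can be checked mechanically. The following Python sketch is an added example, not code from the referenced documentation: it scans text for connection strings whose AccountKey field is valid base64 that decodes to 64 bytes (512 bits), the key size described above. The function names, the sample file content, and the account name `examplestore` are assumptions made for illustration.

```python
import base64
import binascii
import re

# A 512-bit key is 64 bytes, which base64-encodes to 86 characters plus "==".
KEY_FIELD = re.compile(r"AccountKey\s*=\s*([A-Za-z0-9+/]{86}==)")
NAME_FIELD = re.compile(r"AccountName\s*=\s*([a-z0-9]{3,24})")


def is_512_bit_key(candidate: str) -> bool:
    """True if the candidate is valid base64 that decodes to exactly 64 bytes."""
    try:
        return len(base64.b64decode(candidate, validate=True)) == 64
    except (binascii.Error, ValueError):
        return False


def find_hardcoded_keys(text: str, source: str = "<input>"):
    """Return one finding per embedded storage account key.

    The key value is never copied into the finding, so the report can be
    logged or shared without exposing the secret a second time.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_FIELD.finditer(line):
            if not is_512_bit_key(match.group(1)):
                continue
            name = NAME_FIELD.search(line)
            findings.append({
                "source": source,
                "line": lineno,
                "account": name.group(1) if name else None,
            })
    return findings


# Constructed sample input: the "key" is 64 zero bytes, not a real secret.
FAKE_KEY = base64.b64encode(bytes(64)).decode()
SAMPLE = (
    "# settings.py (constructed)\n"
    'CONN = "DefaultEndpointsProtocol=https;AccountName=examplestore;'
    f'AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"\n'
    'CONN_FROM_ENV = os.environ["STORAGE_CONNECTION_STRING"]\n'
)

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE, "settings.py"):
        print(finding)
```

Any key this check finds in a repository or shared file should be treated as exposed and rotated.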
Use Azure Key Vault to manage your access keys
Microsoft recommends using Azure Key Vault to manage and rotate your access keys. Your application can securely retrieve your keys from Key Vault, so you can avoid storing them in your application code. See the following articles for more information on using Key Vault for key management:
- Manage storage account keys with Azure Key Vault and PowerShell
- Manage storage account keys with Azure Key Vault and the Azure CLI
Manually rotate access keys
To keep your storage account safe, Microsoft recommends rotating your access keys on a regular basis. Use Azure Key Vault to manage your access keys if at all possible. If you are not using Key Vault, you will have to rotate your keys manually. Two access keys are assigned so that you can rotate them: having two keys ensures that your application can keep access to Azure Storage throughout the process.
To rotate your storage account access keys in the Azure portal:
- Update the connection strings in your application code to reference the secondary access key for the storage account.
- Navigate to your storage account in the Azure portal.
- Under Settings, select Access keys.
- To regenerate the primary access key for your storage account, select the Regenerate button next to the primary access key.
- Update the connection strings in your code to reference the new primary access key.
- Regenerate the secondary access key in the same manner.
Reference documentation and image source – Manage storage account access keys