Can I disable access key of a storage which is used for archiving diagnostic logs?

Xindi Li 20 Reputation points Microsoft Employee
2024-04-29T07:55:58.97+00:00

I have a storage account used for saving diagnostic logs for other resources.

Can I disable the access key for this storage account?


Accepted answer
Deepanshu katara 5,370 Reputation points
2024-04-29T08:53:29.02+00:00

    Hi, Welcome to MS Q&A

    Disabling access keys for a storage account used for saving diagnostic logs for other Azure resources can be done, but it requires careful consideration to ensure uninterrupted logging and monitoring functionality. Here are some factors to consider:

    Impact on Diagnostic Logging: Disabling access keys for the storage account will prevent any services or resources that rely on those keys from writing diagnostic logs to the storage account. Before disabling the keys, ensure that you have alternative methods for logging and monitoring in place, such as Azure Monitor diagnostic settings configured to use other authentication methods like Managed Identity or Azure AD authentication.

    Azure metrics and logging in Azure Monitor do not distinguish between different types of shared access signatures. The SAS filter in Azure Metrics Explorer and the SAS field in Azure Storage logging in Azure Monitor both report requests that are authorized with any type of SAS. However, different types of shared access signatures are authorized differently, and behave differently when Shared Key access is disallowed:

    When you are evaluating traffic to your storage account, keep in mind that metrics and logs as described in Detect the type of authorization used by client applications may include requests made with a user delegation SAS.

    Please check the images and link below for more details.

    https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal


    Kindly accept the answer if it helps. Thanks


Anand Prakash Yadav 6,235 Reputation points Microsoft Vendor
2024-04-29T10:02:25.8566667+00:00

    Hello Xindi Li,

    Thank you for posting your query here!

    Yes, you can disable the access key for an Azure storage account, even if it’s used for archiving diagnostic logs. However, you need to ensure that the diagnostic settings are properly configured to send the logs to the appropriate destinations.

    Please note that disabling an access key will break any applications or services that are currently using it. Therefore, it’s recommended to update these applications or services to use the other key before disabling the current one.

    Please refer to the following articles for further details:
    Prevent authorization with Shared Key - Azure Storage | Microsoft Learn

    https://blog.hametbenoit.info/2021/02/01/azure-you-can-now-disable-storage-account-access-keys-preview/

    First, how do I choose the authentication method? The portal only asks me to select a storage account, but not whether to use access key or managed identity.

    If you want to access your storage account and your diagnostic logs from the Azure portal, you don't need to choose the authentication method, as the portal will use your Azure AD credentials to access your storage account.

    When you sign in to the Azure portal, you provide your Azure AD credentials (username and password) or use another authentication method like multi-factor authentication (MFA) if enabled. Once authenticated, your permissions to access and manage Azure resources, including storage accounts and diagnostic logs, are determined by the role assignments assigned to your Azure AD account. These role assignments are managed through RBAC in Azure.

    When you navigate to a storage account in the Azure portal, you can view various settings and manage resources within the storage account based on your permissions. If you have appropriate permissions (such as Storage Account Contributor or higher), you can view and manage diagnostic logs and other resources within the storage account.

    To access diagnostic logs within a storage account, you navigate to the "Monitoring" or "Diagnostic settings" section of the storage account in the Azure portal. From there, you can configure diagnostic settings, view logs, and perform other monitoring-related tasks based on your permissions.

    However, if you want to access your storage account and your diagnostic logs from other tools or applications, such as Azure PowerShell, Azure CLI, or Azure Storage Explorer, you will need to choose the authentication method that suits your needs. You can use Azure AD or SAS tokens to access your storage account and your diagnostic logs.

    Second, what does the "EntityGroupTransaction" API mean in the storage account metrics? It seems to be the only API that uses AccountKey. Will disabling access key affect this API?

    The “EntityGroupTransaction” API is related to performing batch transactions on entities that are in the same table and belong to the same partition group in Azure Table Storage. Multiple Insert Entity, Update Entity, Merge Entity, Delete Entity, Insert Or Replace Entity, and Insert Or Merge Entity operations are supported within a single transaction. If you disable the access key for the storage account, Azure Storage will reject all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. Therefore, if the “EntityGroupTransaction” API is using the AccountKey for authorization, disabling the access key would affect this API.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

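The triage step both answers point at (detect which authorization type each client uses before disallowing Shared Key, including the EntityGroupTransaction traffic discussed above), as an added example that is not from either answer or from Microsoft. It groups constructed Azure Monitor storage resource-log rows by AuthenticationType and reports which callers would break; the JSON field names and the AuthenticationType values are assumptions modelled on the StorageBlobLogs/StorageTableLogs schema, and the sample rows are constructed.

```python
"""Triage Azure Storage resource-log rows before disallowing Shared Key access."""
import json
from collections import Counter, defaultdict

# Constructed sample rows shaped like Azure Monitor storage resource logs
# (StorageBlobLogs / StorageTableLogs). Field names and AuthenticationType
# values are assumptions for this example, not output from a real account.
SAMPLE_LOG_LINES = [
    '{"OperationName":"PutBlob","AuthenticationType":"AccountKey","UserAgentHeader":"AzureDiagnostics/1.0","CallerIpAddress":"10.0.0.4"}',
    '{"OperationName":"EntityGroupTransaction","AuthenticationType":"AccountKey","UserAgentHeader":"Azure-Storage/12.0","CallerIpAddress":"10.0.0.9"}',
    '{"OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"Microsoft Azure Storage Explorer","CallerIpAddress":"198.51.100.7"}',
    '{"OperationName":"PutBlob","AuthenticationType":"OAuth","UserAgentHeader":"AzureDiagnostics/1.0","CallerIpAddress":"10.0.0.5"}',
    '{"OperationName":"ListBlobs","AuthenticationType":"Anonymous","UserAgentHeader":"curl/8.0","CallerIpAddress":"203.0.113.2"}',
]

# What happens to each authorization type once Shared Key access is disallowed.
VERDICT = {
    "AccountKey": "BREAKS",  # account-key requests are rejected outright
    "SAS": "REVIEW",         # service/account SAS breaks, user delegation SAS keeps
                             # working; the log does not distinguish the two kinds
    "OAuth": "OK",           # Microsoft Entra ID / managed identity keeps working
    "Anonymous": "OK",       # governed by the public-access setting, not Shared Key
}


def triage(lines):
    """Group log rows by verdict, then count (operation, user agent) pairs."""
    buckets = defaultdict(Counter)
    for line in lines:
        row = json.loads(line)
        verdict = VERDICT.get(row.get("AuthenticationType"), "UNKNOWN")
        buckets[verdict][(row.get("OperationName"), row.get("UserAgentHeader"))] += 1
    return {verdict: dict(counts) for verdict, counts in buckets.items()}


def blockers(lines):
    """Callers that stop working after the change, sorted for a stable report."""
    return sorted(triage(lines).get("BREAKS", {}))


if __name__ == "__main__":
    for verdict, callers in triage(SAMPLE_LOG_LINES).items():
        print(verdict)
        for (operation, agent), count in callers.items():
            print(f"  {count:>3}  {operation:<24} {agent}")
```

Rows in the REVIEW bucket need a look at the client itself, since a user delegation SAS and a service SAS are logged identically.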