Why does an Azure storage account have two access keys?

If you are using Windows Azure you might be familiar with the storage access keys. These storage access keys are used in authentication for accessing the storage account.

 When you create a storage account you are provided with two storage access keys i.e. Primary and Secondary access keys. You might be wondering, what is the purpose of providing a second access key. As far as my knowledge you can use the storage access keys for two scenarios discussed below.


For avoiding downtime

You might want to change the access keys on regular basis as per your corporate security policy. However when you change the access the keys, your cloud services using the storage account will no longer be able to access the storage account. This will lead to a downtime. The cloud services will be able to access the storage account only after you update the new storage access keys in your configuration file. Hence to avoid this, update the configuration file with the secondary access keys and only then regenerate the primary access key. Once the new primary access key is regenerated you can now use this key to update the configuration file once again.


For temporary sharing of access keys

You might on some occasion want to share your storage access keys with your colleagues instead of sharing the primary access key (which is used in your cloud services), share the secondary key. When you want to revoke the access from that individual, regenerate the secondary key. Once the secondary key is regenerated the old secondary key will no longer be valid.


If you are leveraging the secondary access keys for any other scenario and would like to share this information, please feel free to share under the comments section below.


If you don’t already have a Windows Azure account, you can sign-up for a free trial and start using Windows Azure today.