Azure Key Vault Storage Account Keys
Azure storage now supports AAD authorization. We recommend using Azure Active Directory for authentication and authorization to Storage as users wouldn't have to worry about rotating their Storage Account keys.
- Azure Key Vault manages keys of an Azure Storage Account (ASA).
- Internally, Azure Key Vault can list (sync) keys with an Azure Storage Account.
- Azure Key Vault regenerates (rotates) the keys periodically.
- Key values are never returned in response to caller.
- Azure Key Vault manages keys of both Storage Accounts and Classic Storage Accounts.
- Azure CLI Install Azure CLI
- Create a Storage Account
- Please follow the steps in this document to create a storage account
- Naming guidance: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
Step by step instructions
- Get the resource ID of the Azure Storage Account you want to manage.
a. After creating a storage account run the following command to get the resource ID of the storage account you want to manage
az storage account show -n storageaccountname (Copy ID out of the result of this command)
- Get Application ID of Azure Key Vault's service principal
az ad sp show --id cfa8b339-82a2-471a-a3c9-0fc0be7a4093
- Assign Storage Key Operator role to Azure Key Vault Identity
az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id hhjkh --scope idofthestorageaccount
Create a Key Vault Managed Storage Account.
Below command asks Key Vault to regenerate your storage's access keys periodically, with a regeneration period. Below, we are setting a regeneration period of 90 days. After 90 days, Key Vault will regenerate 'key1' and swap the active key from 'key2' to 'key1'.
az keyvault storage add --vault-name <YourVaultName> -n <StorageAccountName> --active-key-name key2 --auto-generate-key --regeneration-period P90D --resource-id <Resource-id-of-storage-account>
In case the user didn't create the storage account and does not have permissions to the storage account, the steps below set the permissions for your account to ensure that you can manage all the storage permissions in the Key Vault. [!NOTE] In the case that the user does not permissions to the storage account We first get the object id of the user
az ad user show --upn-or-object-id "firstname.lastname@example.org" az keyvault set-policy --name <YourVaultName> --object-id <ObjectId> --storage-permissions backup delete list regeneratekey recover purge restore set setsas update
Relevant Powershell cmdlets