Azure Key Vault managed storage account - CLI

Note

Azure storage integration with Azure Active Directory (Azure AD) is now in preview. We recommend using Azure AD for authentication and authorization, which provides OAuth2 token-based access to Azure storage, just like Azure Key Vault. This allows you to:

  • Authenticate your client application using an application or user identity, instead of storage account credentials.
  • Use an Azure AD managed identity when running on Azure. Managed identities remove the need for client authentication all together, and storing credentials in or with your application.
  • Use Role Based Access Control (RBAC) for managing authorization, which is also supported by Key Vault.
  • Azure Key Vault manages keys of an Azure Storage Account (ASA).
    • Internally, Azure Key Vault can list (sync) keys with an Azure Storage Account.
    • Azure Key Vault regenerates (rotates) the keys periodically.
    • Key values are never returned in response to caller.
    • Azure Key Vault manages keys of both Storage Accounts and Classic Storage Accounts.

Important

An Azure AD tenant provides each registered application with a service principal, which serves as the application's identity. The service principal's Application ID is used when giving it authorization to access other Azure resources, through role-based access control (RBAC). Because Key Vault is a Microsoft application, it's pre-registered in all Azure AD tenants under the same Application ID, within each Azure cloud:

  • Azure AD tenants in Azure government cloud use Application ID 7e7c393b-45d0-48b1-a35e-2905ddf8183c.
  • Azure AD tenants in Azure public cloud and all others use Application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093.

Prerequisites

  1. Azure CLI Install Azure CLI
  2. Create a Storage Account
    • Follow the steps in this document to create a storage account
    • Naming guidance: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.

Step by step instructions on how to use Key Vault to manage Storage Account Keys

Conceptually the list of steps that are followed are

  • We first get a (pre-existing) storage account
  • We then fetch a (pre-existing) key vault
  • We then add a KeyVault-managed storage account to the vault, setting Key1 as the active key, and with a regeneration period of 180 days
  • Lastly we set a storage context for the specified storage account, with Key1

In the below instructions, we are assigning Key Vault as a service to have operator permissions on your storage account

Note

Please note that once you've set up Azure Key Vault managed storage account keys they should NO longer be changed except via Key Vault. Managed Storage account keys means that Key Vault would manage rotating the storage account key

  1. After creating a storage account run the following command to get the resource ID of the storage account, you want to manage

    az storage account show -n storageaccountname 
    

    Copy ID field out of the result of the above command

  2. Get Object ID of Azure Key Vault service principal by running the below command

    az ad sp show --id cfa8b339-82a2-471a-a3c9-0fc0be7a4093
    

    Upon successful completion of this command find the Object ID in the result:

        {
            ...
            "objectId": "93c27d83-f79b-4cb2-8dd4-4aa716542e74"
            ...
        }
    
  3. Assign the Storage Key Operator role to the Azure Key Vault Identity.

    az role assignment create --role "Storage Account Key Operator Service Role"  --assignee-object-id <ObjectIdOfKeyVault> --scope <IdOfStorageAccount>
    
  4. Create a Key Vault Managed Storage Account.

    Below, we are setting a regeneration period of 90 days. After 90 days, Key Vault will regenerate 'key1' and swap the active key from 'key2' to 'key1'. It will mark Key1 as the active key now.

    az keyvault storage add --vault-name <YourVaultName> -n <StorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id <Id-of-storage-account>
    

    In case the user didn't create the storage account and does not have permissions to the storage account, the steps below set the permissions for your account to ensure that you can manage all the storage permissions in the Key Vault.

Step by step instructions on how to use Key Vault to create and generate SAS tokens

You can also ask Key Vault to generate SAS (Shared Access Signature) tokens. A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. This is the key point of using shared access signatures in your applications--a SAS is a secure way to share your storage resources without compromising your account keys.

Once you've completed the steps listed above you can run the following commands to ask Key Vault to generate SAS tokens for you.

The list of things that would be accomplished in the below steps are

  • Sets an account SAS definition named '' on a KeyVault-managed storage account '' in your vault ''.
  • Creates an account SAS token for services Blob, File, Table and Queue, for resource types Service, Container and Object, with all permissions, over https and with the specified start and end dates
  • Sets a KeyVault-managed storage SAS definition in the vault, with the template uri as the SAS token created above, of SAS type 'account' and valid for N days
  • Retrieves the actual access token from the KeyVault secret corresponding to the SAS definition
  1. In this step we will create a SAS Definition. Once this SAS Definition is created, you can ask Key Vault to generate more SAS tokens for you. This operation requires the storage/setsas permission.
$sastoken = az storage account generate-sas --expiry 2020-01-01 --permissions rw --resource-types sco --services bfqt --https-only --account-name storageacct --account-key 00000000

You can see more help about the operation above here

When this operation runs successfully, you should see output similar to as shown below. Copy that

   "se=2020-01-01&sp=***"
  1. In this step we will use the output ($sasToken) generated above to create a SAS Definition. For more documentation read here
az keyvault storage sas-definition create --vault-name <YourVaultName> --account-name <YourStorageAccountName> -n <NameOfSasDefinitionYouWantToGive> --validity-period P2D --sas-type account --template-uri $sastoken

Note

In the case that the user does not have permissions to the storage account, we first get the Object-Id of the user

```
az ad user show --upn-or-object-id "developer@contoso.com"

az keyvault set-policy --name <YourVaultName> --object-id <ObjectId> --storage-permissions backup delete list regeneratekey recover     purge restore set setsas update

```

Fetch SAS tokens in code

In this section we will discuss how you can do operations on your storage account by fetching SAS tokens from Key Vault

In the below section, we demonstrate how to fetch SAS tokens once a SAS definition is created as shown above.

Note

There are 3 ways to authenticate to Key Vault as you can read in the basic concepts

  • Using Managed Service Identity (Highly recommended)
  • Using Service Principal and certificate
  • Using Service Principal and password (NOT recommended)
// Once you have a security token from one of the above methods, then create KeyVaultClient with vault credentials
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(securityToken));

// Get a SAS token for our storage from Key Vault. SecretUri is of the format https://<VaultName>.vault.azure.net/secrets/<ExamplePassword>
var sasToken = await kv.GetSecretAsync("SecretUri");

// Create new storage credentials using the SAS token.
var accountSasCredential = new StorageCredentials(sasToken.Value);

// Use the storage credentials and the Blob storage endpoint to create a new Blob service client.
var accountWithSas = new CloudStorageAccount(accountSasCredential, new Uri ("https://myaccount.blob.core.windows.net/"), null, null, null);

var blobClientWithSas = accountWithSas.CreateCloudBlobClient();

If your SAS token is about to expire, then you would fetch the SAS token again from Key Vault and update the code

// If your SAS token is about to expire, get the SAS Token again from Key Vault and update it.
sasToken = await kv.GetSecretAsync("SecretUri");
accountSasCredential.UpdateSASToken(sasToken);

Relevant Azure CLI commands

Azure CLI Storage commands

See also