Azure Key Vault managed storage account - CLI

Note

Azure storage integration with Azure Active Directory (Azure AD) is now in preview. We recommend using Azure AD for authentication and authorization, which provides OAuth2 token-based access to Azure storage, just like Azure Key Vault. This allows you to:

  • Authenticate your client application using an application or user identity, instead of storage account credentials.
  • Use an Azure AD managed identity when running on Azure. Managed identities remove the need for client authentication all together, and storing credentials in or with your application.
  • Use Role Based Access Control (RBAC) for managing authorization, which is also supported by Key Vault.

An Azure storage account uses a credential that consists of an account name and a key. The key is autogenerated, and serves more as a "password" as opposed to a cryptographic key. Key Vault can manage these storage account keys, by storing them as Key Vault secrets.

Overview

The Key Vault managed storage account feature performs several management functions on your behalf:

  • Lists (syncs) keys with an Azure storage account.
  • Regenerates (rotates) the keys periodically.
  • Manages keys for both storage accounts and Classic storage accounts.
  • Key values are never returned in response to caller.

When you use the managed storage account key feature:

  • Only allow Key Vault to manage your storage account keys. Don't attempt to manage them yourself, as you'll interfere with Key Vault's processes.
  • Don't allow storage account keys to be managed by more than one Key Vault object.
  • Don't manually regenerate your storage account keys. We recommend that you regenerate them via Key Vault.
  • Asking Key Vault to manage your storage account can be done by a User Principal for now and not a Service Principal

The following example shows you how to allow Key Vault to manage your storage account keys.

Important

An Azure AD tenant provides each registered application with a service principal, which serves as the application's identity. The service principal's Application ID is used when giving it authorization to access other Azure resources, through role-based access control (RBAC). Because Key Vault is a Microsoft application, it's pre-registered in all Azure AD tenants under the same Application ID, within each Azure cloud:

  • Azure AD tenants in Azure government cloud use Application ID 7e7c393b-45d0-48b1-a35e-2905ddf8183c.
  • Azure AD tenants in Azure public cloud and all others use Application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093.

Prerequisites

  1. Azure CLI Install Azure CLI
  2. Create a Storage Account
    • Follow the steps in this document to create a storage account
    • Naming guidance: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.

Step by step instructions on how to use Key Vault to manage Storage Account Keys

Conceptually the list of steps that are followed are

  • We first get a (pre-existing) storage account
  • We then fetch a (pre-existing) key vault
  • We then add a KeyVault-managed storage account to the vault, setting Key1 as the active key, and with a regeneration period of 180 days
  • Lastly we set a storage context for the specified storage account, with Key1

In the below instructions, we are assigning Key Vault as a service to have operator permissions on your storage account

Note

Please note that once you've set up Azure Key Vault managed storage account keys they should NO longer be changed except via Key Vault. Managed Storage account keys means that Key Vault would manage rotating the storage account key

Important

An Azure AD tenant provides each registered application with a service principal, which serves as the application's identity. The service principal's Application ID is used when giving it authorization to access other Azure resources, through role-based access control (RBAC). Because Key Vault is a Microsoft application, it's pre-registered in all Azure AD tenants under the same Application ID, within each Azure cloud:

  • Azure AD tenants in Azure government cloud use Application ID 7e7c393b-45d0-48b1-a35e-2905ddf8183c.
  • Azure AD tenants in Azure public cloud and all others use Application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093.
  • Currently you can use User Principal to ask Key Vault to manage a storage account and not a Service Principal
  1. After creating a storage account run the following command to get the resource ID of the storage account, you want to manage

    az storage account show -n storageaccountname 
    

    Copy ID field out of the result of the above command which looks like below

    /subscriptions/0xxxxxx-4310-48d9-b5ca-0xxxxxxxxxx/resourceGroups/ResourceGroup/providers/Microsoft.Storage/storageAccounts/StorageAccountName
    
         "objectId": "93c27d83-f79b-4cb2-8dd4-4aa716542e74"
    
  2. Assign RBAC role "Storage Account Key Operator Service Role" to Key Vault, limiting the access scope to your storage account. For a classic storage account, use "Classic Storage Account Key Operator Service Role."

    az role assignment create --role "Storage Account Key Operator Service Role"  --assignee-object-id <ObjectIdOfKeyVault> --scope 93c27d83-f79b-4cb2-8dd4-4aa716542e74
    

    '93c27d83-f79b-4cb2-8dd4-4aa716542e74' is the Object ID for Key Vault in Public Cloud. To get the Object ID for Key Vault in National clouds see the Important section above

  3. Create a Key Vault Managed Storage Account.

    Below, we are setting a regeneration period of 90 days. After 90 days, Key Vault will regenerate 'key1' and swap the active key from 'key2' to 'key1'. It will mark Key1 as the active key now.

    az keyvault storage add --vault-name <YourVaultName> -n <StorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id <Id-of-storage-account>
    

Step by step instructions on how to use Key Vault to create and generate SAS tokens

You can also ask Key Vault to generate SAS (Shared Access Signature) tokens. A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. This is the key point of using shared access signatures in your applications--a SAS is a secure way to share your storage resources without compromising your account keys.

Once you've completed the steps listed above you can run the following commands to ask Key Vault to generate SAS tokens for you.

The list of things that would be accomplished in the below steps are

  • Sets an account SAS definition named <YourSASDefinitionName> on a KeyVault-managed storage account <YourStorageAccountName> in your vault <VaultName>.
  • Creates an account SAS token for services Blob, File, Table and Queue, for resource types Service, Container and Object, with all permissions, over https and with the specified start and end dates
  • Sets a KeyVault-managed storage SAS definition in the vault, with the template uri as the SAS token created above, of SAS type 'account' and valid for N days
  • Retrieves the actual access token from the KeyVault secret corresponding to the SAS definition
  1. In this step we will create a SAS Definition. Once this SAS Definition is created, you can ask Key Vault to generate more SAS tokens for you. This operation requires the storage/setsas permission.
$sastoken = az storage account generate-sas --expiry 2020-01-01 --permissions rw --resource-types sco --services bfqt --https-only --account-name storageacct --account-key 00000000

You can see more help about the operation above here

When this operation runs successfully, you should see output similar to as shown below. Copy that

   "se=2020-01-01&sp=***"
  1. In this step we will use the output ($sasToken) generated above to create a SAS Definition. For more documentation read here
az keyvault storage sas-definition create --vault-name <YourVaultName> --account-name <YourStorageAccountName> -n <NameOfSasDefinitionYouWantToGive> --validity-period P2D --sas-type account --template-uri $sastoken

Note

In the case that the user does not have permissions to the storage account, we first get the Object-Id of the user

az ad user show --upn-or-object-id "developer@contoso.com"

az keyvault set-policy --name <YourVaultName> --object-id <ObjectId> --storage-permissions backup delete list regeneratekey recover     purge restore set setsas update

Fetch SAS tokens in code

In this section we will discuss how you can do operations on your storage account by fetching SAS tokens from Key Vault

In the below section, we demonstrate how to fetch SAS tokens once a SAS definition is created as shown above.

Note

There are 3 ways to authenticate to Key Vault as you can read in the basic concepts

  • Using Managed Service Identity (Highly recommended)
  • Using Service Principal and certificate
  • Using Service Principal and password (NOT recommended)
// Once you have a security token from one of the above methods, then create KeyVaultClient with vault credentials
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(securityToken));

// Get a SAS token for our storage from Key Vault. SecretUri is of the format https://<VaultName>.vault.azure.net/secrets/<ExamplePassword>
var sasToken = await kv.GetSecretAsync("SecretUri");

// Create new storage credentials using the SAS token.
var accountSasCredential = new StorageCredentials(sasToken.Value);

// Use the storage credentials and the Blob storage endpoint to create a new Blob service client.
var accountWithSas = new CloudStorageAccount(accountSasCredential, new Uri ("https://myaccount.blob.core.windows.net/"), null, null, null);

var blobClientWithSas = accountWithSas.CreateCloudBlobClient();

If your SAS token is about to expire, then you would fetch the SAS token again from Key Vault and update the code

// If your SAS token is about to expire, get the SAS Token again from Key Vault and update it.
sasToken = await kv.GetSecretAsync("SecretUri");
accountSasCredential.UpdateSASToken(sasToken);

Relevant Azure CLI commands

Azure CLI Storage commands

See also