.NET SDK samples illustrating the management and consumption of Azure Key Vault-managed storage account keys.
This repo contains sample code demonstrating the management and consumption of Azure Storage account keys via Azure Key Vault, using the Azure .NET SDK. The scenarios covered by these samples include:
- Setting up and managing a storage account in a key vault: adding, removing, backing up, restoring and recovering an account
- Setting up and managing SAS token definitions in a key vault: adding, removing, backing up, restoring and recovering a SAS definition
- Consuming a SAS token - obtaining it from Azure Key Vault, and using it to access an Azure Storage endpoint
Support for Azure Key Vault-managed storage accounts may be colloquially referred to as 'MSAK'; SAS stands for shared access signature. We assume reader familiarity with Azure Storage in general, and SAS tokens in particular.
Samples in this repo:
- Add and delete a managed storage account
- List and get existing managed storage accounts
- Backup and restore, delete and recover a managed storage account; permanently delete a managed storage account in a soft-delete enabled vault
- Set the storage account key regeneration period
- Rotate on demand the active storage account key
- Add and delete a managed storage SAS definition; recover a deleted managed storage SAS definition
- List and get existing managed storage SAS definitions
- Obtain a SAS token from Azure Key Vault and use it to access an Azure Storage endpoint
Use the latest Key Vault SDK
The Key Vault SDK previously used to manage storage accounts is based on Microsoft.Azure.KeyVault. We now recommend you use role-based access control (RBAC) to secure access to your storage accounts. ShareLink demonstrates how to generate a client library for Azure Key Vault managed storage accounts based on the latest Key Vault SDK.
Note that this sample also needs the purge permission, so step 4 of Getting Started in ShareLink should be updated to grant it with the following Azure CLI command:
az keyvault set-policy --name <KeyVaultName> --upn <email@example.com> --storage-permissions get list set update regeneratekey getsas listsas setsas deletesas recover backup restore purge
Prerequisites for this sample:
- OS: Windows
- KeyVault data SDK: Microsoft.Azure.KeyVault ver. 3.0.0+
- an active Azure subscription, in which you have the Key Vault Contributor role
- an Azure key vault
- an Azure Active Directory application, created in the tenant associated with the subscription, and with access to the key vault; please see Accessing Key Vault from a native application for details
- the credentials of the AAD application, in the form of a client secret
- an Azure Storage account, which you have access to (for data and management)
- a user account, with List and Manage permissions to the storage account
- open the solution in Visual Studio; NuGet should restore the necessary packages
Follow these steps to get started with this sample:
- git clone https://github.com/Azure-Samples/key-vault-dotnet-managed-storage.git
- cd key-vault-dotnet-managed-storage
- edit the app.config file, specifying the tenant, subscription, AD app id and secret, and the storage account name and its resource id
- dotnet run --project AzureKeyVaultManagedStorageSamples\AzureKeyVaultManagedStorageSamples.csproj
Note that storage account management requires a user account, and that the sample will interactively ask for a user login.
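The following is an added end-to-end example, not code from this repository: it strings together the scenarios listed above (register a managed storage account with automatic key regeneration, rotate a key on demand, create a least-privilege SAS definition, then fetch the SAS from the vault as a secret and use it against the blob endpoint) with the Microsoft.Azure.KeyVault 3.x client the sample targets. The vault URL, storage account name, resource id and AAD app credentials are placeholders, and the Microsoft.Azure.Storage.Blob and Microsoft.IdentityModel.Clients.ActiveDirectory packages are assumed to be referenced.

```csharp
// Added example, not code from this repository. Walks the managed storage flow with
// Microsoft.Azure.KeyVault 3.x: register the account, rotate a key, define a
// least-privilege SAS, then read and use the SAS without ever handling an account key.
// Every identifier below (vault URL, account, resource id, app id/secret) is a placeholder.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class ManagedStorageWalkthrough
{
    // Placeholders: substitute the values you put in app.config.
    const string VaultUrl        = "https://<vault-name>.vault.azure.net/";
    const string StorageAccount  = "<storage-account-name>";
    const string StorageResource = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>";
    const string SasDefinition   = "blobreadlist";
    const string ClientId        = "<aad-app-id>";
    const string ClientSecret    = "<aad-app-secret>";

    // Client-credential authentication for the AAD application. Registering the storage
    // account (step 1) must run as a user, as noted above, so for that call use ADAL's
    // interactive AcquireTokenAsync overload instead of the client secret.
    static KeyVaultClient NewClient() =>
        new KeyVaultClient(async (authority, resource, scope) =>
        {
            var ctx = new AuthenticationContext(authority);
            var token = await ctx.AcquireTokenAsync(resource, new ClientCredential(ClientId, ClientSecret));
            return token.AccessToken;
        });

    // Builds an account SAS template signed with a throwaway all-zero key. Key Vault only
    // copies the template's properties (services, resource types, permissions, protocol);
    // it re-signs each issued token with the active managed key and sets the expiry from
    // the definition's validityPeriod, so the signature and expiry here are irrelevant.
    static string BuildSasTemplate()
    {
        var policy = new SharedAccessAccountPolicy
        {
            Services      = SharedAccessAccountServices.Blob,
            ResourceTypes = SharedAccessAccountResourceTypes.Service
                          | SharedAccessAccountResourceTypes.Container
                          | SharedAccessAccountResourceTypes.Object,
            Permissions   = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.List,
            Protocols     = SharedAccessProtocol.HttpsOnly,
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddDays(1), // placeholder, replaced by Key Vault
        };
        var throwawayKey = Convert.ToBase64String(new byte[32]);
        var dummy = new CloudStorageAccount(new StorageCredentials(StorageAccount, throwawayKey), useHttps: true);
        return dummy.GetSharedAccessSignature(policy).TrimStart('?');
    }

    public static async Task RunAsync()
    {
        var kv = NewClient();

        // 1. Register the storage account. key1 becomes the active key and Key Vault
        //    regenerates the inactive key every 30 days (ISO 8601 duration).
        StorageBundle account = await kv.SetStorageAccountAsync(
            VaultUrl, StorageAccount, StorageResource,
            activeKeyName: "key1", autoRegenerateKey: true, regenerationPeriod: "P30D");
        Console.WriteLine($"Managed: {account.Id}, active key: {account.ActiveKeyName}");

        // 2. Rotate on demand: regenerate key2, then make it the active key so that key1
        //    is the next one regenerated without interrupting SAS issuance.
        await kv.RegenerateStorageAccountKeyAsync(VaultUrl, StorageAccount, "key2");
        await kv.UpdateStorageAccountAsync(VaultUrl, StorageAccount, activeKeyName: "key2");

        // 3. Create a SAS definition: blob service only, read+list, HTTPS only, 1-day tokens.
        SasDefinitionBundle def = await kv.SetSasDefinitionAsync(
            VaultUrl, StorageAccount, SasDefinition, BuildSasTemplate(),
            sasType: "account", validityPeriod: "P1D");
        Console.WriteLine($"SAS definition {def.Id}; tokens served as secret {def.SecretId}");

        // 4. Consume: Key Vault exposes each definition as a secret named
        //    "<storage-account>-<sas-definition>"; reading it yields a freshly signed token.
        SecretBundle secret = await kv.GetSecretAsync(VaultUrl, $"{StorageAccount}-{SasDefinition}");
        string sasToken = secret.Value;

        // 5. Use the SAS against the blob endpoint. The consumer never sees an account key
        //    and the token expires on its own after validityPeriod.
        var sasAccount = new CloudStorageAccount(new StorageCredentials(sasToken), StorageAccount, endpointSuffix: null, useHttps: true);
        var blobs = sasAccount.CreateCloudBlobClient();
        ContainerResultSegment page = await blobs.ListContainersSegmentedAsync(null);
        foreach (CloudBlobContainer c in page.Results)
            Console.WriteLine($"container: {c.Name}");
    }

    public static void Main() => RunAsync().GetAwaiter().GetResult();
}
```

The SAS definition is where least privilege is enforced: the consumer's access is bounded by the template (here blob read/list over HTTPS) and by validityPeriod, and anything the consumer does with the token is traceable to the definition name rather than to a shared account key. Granting the consuming principal only getsas/listsas on the vault, while keeping set/regeneratekey/setsas for the administrator, keeps that separation in the access policy as well.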
Please see the following links for additional information: