Managed Azure Storage Account Keys for Azure Key Vault using the Azure Node SDK

This sample repo includes sample code demonstrating common mechanisms for managing storage account keys using Key Vault.

Prerequisites

  • node.js 8+
  • An Azure Service Principal for running the sample on your Azure account. You can create an Azure service principal using one of the following guides:

Quickstart

  1. If you don't have it, install node.js

  2. Set the following environment variables using the information from your service principal.

    export AZURE_SUBSCRIPTION_ID={your subscription id}
    export AZURE_CLIENT_ID={your client id}
    export AZURE_CLIENT_SECRET={your client secret}
    export AZURE_TENANT_ID={your tenant id as a GUID}
    export AZURE_CLIENT_OID={Object id of the service principal}
    

    On Windows, use set instead of export.

  3. Clone the repo, install node packages, and run.

    git clone https://github.com/Azure-Samples/key-vault-node-storage-accounts.git key-vault
    cd key-vault
    npm install
    node storage_account_sample.js
    

Note

Certain portions of this sample require authenticated user to execute. For this reason the sample will prompt the user to authenticate with a device code. For more details see in-line comments in storage_acount_sample.js

What does this sample do?

The storage account sample is broken down into 8 different methods called in sequence by the main() method in storage_account_sample.js:

async function main() {
  console.log('Azure Key Vault - Managed Storage Account Key Sample');
  
  // Get or create our sample vault
  const vault = await SampleUtil.getSampleVault();
  
  // Create and add a storage account to our sample vault
  const storageAccount = await addStorageAccount(vault);
  
  // Demonstrate updating properties of the managed storage account
  await updateStorageAccount(storageAccount, vault);
  
  // Demonstrate regeneration of a storage account key
  await regenerateStorageAccountKey(storageAccount, vault);
  
  // Demonstrate listing off the storage accounts in the vault
  await getStorageAccounts(vault);
  
  // Demonstrate the creation of an account-level SAS definition 
  await createAccountSASDefinition(storageAccount, vault);
  
  // Demonstrate the creation of a container-level SAS definition
  await createBlobSASDefinition(storageAccount, vault);
  
  // List all SAS definitions in the account
  await getSASDefinitions(storageAccount, vault);
  
  // Finally, remove the storage account from the vault
  await deleteStorageAccount(vault, storageAccount);
}

References and further reading