Azure Storage Account Access Keys

Introduction to Storage Account Access Keys

Azure Storage Account access keys are the primary method of authenticating to your Azure Storage Account. They provide full access to all data in your storage account. Each storage account has two access keys, a primary and a secondary, which can be regenerated. This document outlines how to generate, manage, and best practices for using these keys.

Important: Treat your storage account access keys like passwords. Do not share them publicly or embed them directly in client-side code.

Generating and Retrieving Access Keys

You can generate and retrieve your storage account access keys through the Azure portal, Azure CLI, or Azure PowerShell.

Using the Azure Portal

Navigate to your storage account in the Azure portal.
In the left-hand menu, under Security + networking, select Access keys.
The portal will display both the primary and secondary access keys. You can click the Show keys button to reveal them.
To regenerate a key, click the Regenerate button next to the key you wish to replace.

Using Azure CLI

Use the following Azure CLI command to list storage account keys:

az storage account keys list --account-name  --resource-group

To regenerate a key:

az storage account keys renew --account-name  --resource-group  --key primary

(Replace primary with secondary to renew the secondary key.)

Using Azure PowerShell

Use the following Azure PowerShell cmdlet to list storage account keys:

Get-AzStorageAccountKey -AccountName  -ResourceGroupName

To regenerate a key:

New-AzStorageAccountKey -AccountName  -ResourceGroupName  -KeyName primary

(Replace primary with secondary to regenerate the secondary key.)

Managing Access Keys

Rotating your storage account access keys regularly is a critical security practice.

Key Rotation Strategy

Regenerate one key at a time: Always regenerate the secondary key first, update your applications to use the new primary key, and then regenerate the original primary key to become the new secondary. This prevents downtime.
Use an automation script: Automate the key rotation process to ensure it happens consistently and on schedule.
Monitor key usage: Keep track of which applications or services are using which keys.

Tip: When regenerating a key, the old key remains valid for a short period, allowing you to update applications without immediate disruption.

Best Practices for Access Keys

Minimize exposure: Store access keys securely using Azure Key Vault or environment variables. Avoid hardcoding them in application code or configuration files.
Use Shared Access Signatures (SAS): For scenarios where clients need limited, time-bound access to specific resources, use Shared Access Signatures (SAS) instead of account access keys. SAS tokens provide more granular control and are inherently safer.
Principle of Least Privilege: If possible, use Azure AD authentication for services and applications to access storage accounts. This offers a more robust and manageable security model than shared keys.
Regular Auditing: Periodically audit who has access to your storage account keys and review access logs.

Security Considerations

Access keys grant full control over your storage account. If an access key is compromised, an attacker can read, modify, or delete your data, and incur costs on your behalf.

Warning: Never commit storage account access keys to source control repositories like Git. Use secure methods for storing and retrieving secrets.

For enhanced security, consider the following:

Azure Key Vault: Integrate your applications with Azure Key Vault to manage and rotate secrets like storage account access keys.
Azure RBAC: Use Azure Role-Based Access Control (RBAC) for managing permissions at a higher level. For fine-grained access to blobs, containers, or specific data, consider SAS tokens.
Network Security: Restrict network access to your storage account using firewall rules and private endpoints to reduce the attack surface.