Manage storage account access keys
An access key is a unique identifier that you can use to authorize access to your storage account. Each Azure storage account has two access keys. You can generate new keys to replace existing ones. Rotating keys is a security best practice.
Overview
When you create an Azure Storage account, Azure generates two 512-bit keys for the account. These keys are also known as account keys. You can use these keys to authenticate requests to your storage account through Shared Key authorization. The storage account name and one of the keys together form a storage account credential.
There are two keys for each storage account:
- Key1
- Key2
You can use either key to authenticate your requests. For security best practices, you should rotate your storage account keys periodically. You can regenerate one key, update your applications to use the new key, and then regenerate the second key and update your applications again.
Why Rotate Keys?
Rotating your storage account access keys is a crucial security measure that helps protect your data. By regularly changing these keys, you mitigate the risk of unauthorized access if a key is compromised.
Steps to Regenerate Access Keys
Using the Azure Portal
- Navigate to your storage account in the Azure portal.
- In the left-hand navigation pane, under "Security + networking", select "Access keys".
- You will see "Key1" and "Key2". You can copy the keys from here.
- To regenerate a key, click the "Regenerate" button next to the key you want to replace.
- Confirm the regeneration.
- Important: Update your applications and services to use the new key before regenerating the second key.
- Repeat the regeneration process for the second key.
Using Azure CLI
You can use the Azure CLI to regenerate access keys. Replace <storage-account-name> and <resource-group-name> with your actual values.
# Regenerate Key1 (the az CLI parameter is --key; it accepts key1/key2 or primary/secondary)
az storage account keys regenerate --account-name <storage-account-name> --resource-group <resource-group-name> --key key1
# Regenerate Key2
az storage account keys regenerate --account-name <storage-account-name> --resource-group <resource-group-name> --key key2
Using Azure PowerShell
You can use Azure PowerShell to regenerate access keys. Replace <storage-account-name> and <resource-group-name> with your actual values.
# Regenerate Key1
New-AzStorageAccountKey -ResourceGroupName <resource-group-name> -AccountName <storage-account-name> -KeyName key1
# Regenerate Key2
New-AzStorageAccountKey -ResourceGroupName <resource-group-name> -AccountName <storage-account-name> -KeyName key2
Note
When you regenerate a key, the old key is immediately invalidated. Ensure you have updated all your applications and services with the new key before proceeding with the regeneration of the second key to avoid service disruption.
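The two points above, that requests are authorized with a Shared Key signature and that a rolling rotation only avoids downtime if the idle key is regenerated first, can be shown offline. The following is an added example, not Azure's or the CLI's code: the signing follows the documented Shared Key scheme (HMAC-SHA256 over the canonicalized request, keyed with the base64-decoded account key), while StorageAccount, App and the account name "examplestorage" are constructed toy models standing in for the storage service, a deployed workload holding one key, and a real account.

```python
"""Shared Key authorization and a rolling key rotation, simulated offline.

Added example, not Azure's code. StorageAccount/App are toy models (assumed
names) that stand in for the storage control plane and for a deployed
application that has one access key in its configuration.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

KEY_BYTES = 64  # Azure account keys are 512 bits, delivered base64-encoded


def sign_shared_key(account: str, key_b64: str, string_to_sign: str) -> str:
    """Build the Authorization header value a client sends for one request."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return f"SharedKey {account}:{base64.b64encode(mac.digest()).decode()}"


def verify_shared_key(account: str, keys: Dict[str, str], string_to_sign: str, header: str) -> Optional[str]:
    """Service-side check: return the name of the key that produced the header, or None.

    Either key1 or key2 is accepted, which is what makes a rolling rotation possible.
    """
    for name, key_b64 in keys.items():
        expected = sign_shared_key(account, key_b64, string_to_sign)
        if hmac.compare_digest(expected, header):
            return name
    return None


@dataclass
class StorageAccount:
    """Toy model of the control plane: holds key1/key2 and regenerates them."""
    name: str
    keys: Dict[str, str]

    @classmethod
    def create(cls, name: str, rng: Callable[[int], bytes] = os.urandom) -> "StorageAccount":
        return cls(name, {k: base64.b64encode(rng(KEY_BYTES)).decode() for k in ("key1", "key2")})

    def regenerate(self, key_name: str, rng: Callable[[int], bytes] = os.urandom) -> str:
        # The previous value is gone the moment this returns: anything still
        # signing with it is rejected by verify_shared_key.
        self.keys[key_name] = base64.b64encode(rng(KEY_BYTES)).decode()
        return self.keys[key_name]


@dataclass
class App:
    """A deployed workload that has exactly one key in its configuration."""
    key_name: str
    key_value: str

    def can_authenticate(self, account: StorageAccount, string_to_sign: str = "GET\n\n/container/blob") -> bool:
        header = sign_shared_key(account.name, self.key_value, string_to_sign)
        return verify_shared_key(account.name, account.keys, string_to_sign, header) is not None


def rotate_without_downtime(account: StorageAccount, apps: List[App]) -> List[str]:
    """Rolling rotation: regenerate the idle key, move apps onto it, then regenerate the other.

    Returns the steps taken; raises if any app would have lost access at any step.
    """
    in_use = {app.key_name for app in apps}
    if len(in_use) != 1:
        raise ValueError("move every app onto the same key before rotating")
    idle, active = ("key2", "key1") if in_use == {"key1"} else ("key1", "key2")
    steps: List[str] = []
    for key_to_regen, then_move_apps in ((idle, True), (active, False)):
        new_value = account.regenerate(key_to_regen)
        steps.append(f"regenerated {key_to_regen}")
        if then_move_apps:
            for app in apps:
                app.key_name, app.key_value = key_to_regen, new_value
            steps.append(f"moved {len(apps)} app(s) to {key_to_regen}")
        if not all(app.can_authenticate(account) for app in apps):
            raise RuntimeError(f"outage after: {steps[-1]}")
    return steps


def rotate_active_key_first(account: StorageAccount, apps: List[App]) -> int:
    """The mistake the note above warns about: regenerate the in-use key before apps are updated.

    Returns how many apps can still authenticate afterwards (expected: 0).
    """
    account.regenerate(apps[0].key_name)
    return sum(app.can_authenticate(account) for app in apps)


if __name__ == "__main__":
    acct = StorageAccount.create("examplestorage")  # constructed account name
    fleet = [App("key1", acct.keys["key1"]) for _ in range(3)]
    print(rotate_without_downtime(acct, fleet))
    print("apps still authenticating:", all(a.can_authenticate(acct) for a in fleet))
```

Run the module directly to see the step list; the same ordering is what the portal, CLI and PowerShell steps above implement against a real account, with Key Vault or your configuration system standing in for the `App` update step.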
Security Warning
Treat your storage account access keys with the same level of security as your administrator passwords. Do not embed them directly in code or configuration files that are publicly accessible. Consider using Azure Key Vault for securely storing and managing secrets.
Best Practices
- Regular Rotation: Establish a schedule for rotating your access keys, for example, every 90 days.
- Use Both Keys: Leverage the two keys to perform a rolling update of your applications without downtime.
- Minimize Key Exposure: Avoid hardcoding keys. Use environment variables, configuration files with proper access controls, or Azure Key Vault.
- Use Managed Identities: For Azure services interacting with Azure Storage, consider using Managed Identities instead of access keys where possible. This is a more secure and convenient authentication method.
By following these guidelines, you can effectively manage and protect access to your Azure Storage accounts.
Last updated: October 26, 2023