2
votes

I am trying to use Azure Managed storage account keys. I succeeded in setting up a managed storage account with 1 day regeneration period for testing purposes. My questions are

  1. Is it possible for me to access this storage account from any other application, e.g. Storage Explorer, Cloud Explorer, Power BI Desktop etc.? If yes, how do I get the key?

  2. I still see keys for this storage account in the Azure portal. Are they invalid? Or will they change every time Key Vault regenerates keys for this storage account?

  3. I had set -ActiveKeyName Key2. Each time I regenerate the key, Key1 is being regenerated. If Key1 is regenerated, then is Key2 still valid even after 1 day? This active key concept is not so clear in the documentation. Can someone explain it?

  4. Is a SAS token the only way to get access to storage account resources? I just want to have full access to the storage account for the regeneration period. Is it possible without using a SAS token?

  5. I created a SAS Definition from PowerShell and create a SAS token out of it whenever I want to access the storage account. I think the SAS token would be invalidated but not the SAS Definition. I am assuming I don't have to handle expiry in the code because I always get a new SAS token. Am I doing it correctly?

1
Sorry, I misunderstood your question, so my initial answer was inaccurate. I will see if I can come up with some more details tomorrow.
Niels

1 Answer

1
votes

I know it's been 11 months, and you have either abandoned this or figured it out for yourself. I will answer your question in case anyone finds this question.

  1. Yes! Any application that you use should talk to Key Vault to get a SAS token. Avoid using the storage account keys; they are still valid, but may change at any time. If you just need one-time access you can use PowerShell to get a SAS token that you can use.

  2. They are valid, but will change whenever Key Vault rotates them, so don't use them, and don't change them yourself.

  3. There are two valid keys at any one time. Only one of the keys is used to issue SAS tokens at any one time. This is the active key. When it is time to rotate, Key Vault regenerates the key that is not active, and then sets the newly created key as active.

    Let's do an example. Let's say the keys are called key1 and key2. key1 is equal to 'A' and key2 is equal to 'b'. Let key1 be the active key.

    1. Regenerate key2. key2 is now equal to 'c'.
    2. Set key2 as active. New SAS tokens are now generated with key2.

    Now the keys have been rotated, but key1 is still valid. It will be changed next time the keys are rotated. This way, as long as the rotation period is longer than the lifetime of the tokens, no token will become invalid before it expires.

  4. No, the keys are still valid so they can also be used, but you don't know when they will change.

  5. The SAS definition is where the lifetime of a token is declared. When you created it, a secret was created in Key Vault. Every time you get that secret, you get a new token. If you do not store the token, but ask for a new one every time, you will always get a valid one. But you might want to cache the token, as going to Key Vault every time is slow.

How to create the managed storage account

How to create the SAS definition
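The following PowerShell walk-through is an added example written for this page; it is not code from the question, the answer, or Microsoft's documentation. It ties together points 1, 3 and 5 of the answer: onboarding the account with key2 active and a 1-day regeneration period, defining an account-level SAS whose 2-hour lifetime is shorter than the rotation period, fetching a freshly signed token from the vault's secret, using it from Az.Storage, and finally rotating by hand to see that the old token (signed with the key that was not regenerated) keeps working. Assumptions: the Az module is installed (Az.KeyVault 3.0 or later for -AsPlainText), the caller already has the storage and secrets permissions on the vault, and the resource group, vault, account and SAS definition names are placeholders. The application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093 is the one Azure documents for the Key Vault service principal; verify it in your tenant before relying on it.

```powershell
# Added example, not code from the question or answer above. Placeholders:
$resourceGroup = 'rg-example'
$vaultName     = 'kv-example'
$accountName   = 'stexample'
$sasDefinition = 'fullaccess'

$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName

# 1. Let the Key Vault service list and regenerate this account's keys.
#    cfa8b339-82a2-471a-a3c9-0fc0be7a4093 is the documented application ID of the
#    Azure Key Vault service (assumption: unchanged in your cloud/tenant).
New-AzRoleAssignment -ApplicationId 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093' `
    -RoleDefinitionName 'Storage Account Key Operator Service Role' `
    -Scope $storage.Id

# 2. Onboard the account. key2 signs tokens; every day Key Vault regenerates the
#    inactive key and then makes that new key the active one.
Add-AzKeyVaultManagedStorageAccount -VaultName $vaultName -AccountName $accountName `
    -AccountResourceId $storage.Id -ActiveKeyName 'key2' `
    -RegenerationPeriod ([TimeSpan]::FromDays(1))

# 3. Template for an account-level SAS with full permissions. Key Vault keeps only
#    the services/resource types/permissions/protocol from it and re-signs with the
#    active key, so the placeholder key and the dates below never reach a real token.
$templateCtx = New-AzStorageContext -StorageAccountName $accountName `
    -Protocol Https -StorageAccountKey 'Key1'
$templateSas = New-AzStorageAccountSASToken -Context $templateCtx `
    -Service Blob,File,Table,Queue -ResourceType Service,Container,Object `
    -Permission 'racwdlup' -Protocol HttpsOnly `
    -StartTime (Get-Date).AddDays(-1) -ExpiryTime (Get-Date).AddDays(1)

# 4. SAS definition: each issued token lives 2 hours, well under the 1-day
#    regeneration period, so no token outlives the key that signed it.
Set-AzKeyVaultManagedStorageSasDefinition -VaultName $vaultName -AccountName $accountName `
    -Name $sasDefinition -TemplateUri $templateSas -SasType 'account' `
    -ValidityPeriod ([TimeSpan]::FromHours(2))

# 5. Fetch a freshly signed token. The backing secret is named "<account>-<definition>";
#    every Get returns a new token, so nothing needs to be persisted.
function Get-ManagedSasToken {
    Get-AzKeyVaultSecret -VaultName $vaultName -Name "$accountName-$sasDefinition" -AsPlainText
}
$sasToken = Get-ManagedSasToken

# 6. Use it from Az.Storage (the same string can be pasted into Storage Explorer).
$ctx = New-AzStorageContext -StorageAccountName $accountName -SasToken $sasToken
Get-AzStorageContainer -Context $ctx | Select-Object Name

# 7. Rotate by hand: regenerate key1 and make it active. $sasToken was signed with
#    key2, which is untouched, so it keeps working until its own 2-hour expiry.
Update-AzKeyVaultManagedStorageAccountKey -VaultName $vaultName -AccountName $accountName -KeyName 'key1'
(Get-AzKeyVaultManagedStorageAccount -VaultName $vaultName -AccountName $accountName).ActiveKeyName
Get-AzStorageContainer -Context $ctx | Select-Object Name   # old token, new active key
```

If you cache the token as the answer suggests, read its expiry from the `se=` query parameter and refresh before that time rather than on failure: a token that has expired fails with 403, and a token that is still within its validity period stays usable even after the key that signed it has been demoted from active, which is exactly why the validity period must be shorter than the regeneration period.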