0 votes

Like most Azure Functions, in the beginning we have a connection string to the associated storage account that includes the AccountKey, like this:

DefaultEndpointsProtocol=https;AccountName=ourstorageAccount;EndpointSuffix=core.windows.net;AccountKey=WQfbn+VBhaY1fi/l0eRBzvAvngiCiOwPmx/==

We obviously want to remove that AccountKey. I had hoped we could use Managed Identity and the 'Contributor' role, but what I am reading is telling me you cannot use Managed Identity to access Tables in a Storage Account, only Blobs.

I know that we could move the whole connection string to Key Vault, but that just becomes an Azure management issue if we want to rotate the keys.

Has anyone successfully controlled access to Azure Table Storage with Managed Identities?

If not, what is the next best approach that preferably allows for simple rotation of keys?

Comments:

Any other concerns about this issue? - Joy Wang-MSFT

Yes, this way can rotate the storage key, but the key is not stored in the Key Vault; you need to store it manually in the Key Vault, and when the key is regenerated, the old key you stored in the Key Vault will not be changed automatically; you need to update it manually, which is inconvenient. In your case, I think the way I mentioned is more suitable: docs.microsoft.com/en-us/azure/key-vault/secrets/… You just need to reference the Key Vault secret; the secret will be updated automatically when the storage key is regenerated. - Joy Wang-MSFT

I've not been able to run the Azure ARM deployments, so am trying to deploy the individual pieces for the secrets/tutorial-rotation-dual approach. Where's best to ask some questions so as to check my understanding? - Pat Long - Munkii Yebee

I think you can ask about the steps you don't understand with the azure-keyvault tag; remember not to ask several different questions in one post. - Joy Wang-MSFT

1 Answer

1 vote

Has anyone successfully controlled access to Azure Table Storage with Managed Identities?

Definitely, it is not possible to access Azure Table Storage with MSI (managed identity; essentially it is a service principal in Azure AD). When using MSI to access Azure resources, it essentially uses the Azure AD client credential flow to get a token, then uses the token to access the resource.

However, Azure AD auth is only supported by Azure Blob and Queue Storage; Table Storage doesn't support it currently, see Authorize access to blobs and queues using Azure Active Directory.

If not, what is the next best approach that preferably allows for simple rotation of keys?

You could use an Azure Function to do that; follow this doc: Automate the rotation of a secret for resources with two sets of authentication credentials. I think it completely meets your requirement: this tutorial rotates Azure Storage account keys stored in Azure Key Vault as secrets, using a function triggered by an Azure Event Grid notification.
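The core of the dual-key rotation the answer points at is small enough to show in full. The following is an added example, not code from the post or from the linked Microsoft tutorial: the Azure SDK clients (StorageManagementClient, SecretClient) are replaced by constructed in-memory stand-ins so it runs offline, and the secret tag names (CredentialId, ValidityPeriodDays), the 60-day validity, and the Event Grid event shape (eventType "Microsoft.KeyVault.SecretNearExpiry", data.ObjectName) are assumptions modelled on that tutorial. The point it makes that the prose does not: the function always regenerates the key that is NOT currently in the vault, so every consumer reading the secret keeps a working key until it picks up the new version, and a secret whose CredentialId tag is missing or unexpected fails closed instead of regenerating a key at random.

```python
"""Dual-key rotation of a storage account key stored as a Key Vault secret.

Added example (not the original post's or the tutorial's code). The fake
clients below are constructed stand-ins for the Azure SDK; in a real function
regenerate_key() would call StorageManagementClient.storage_accounts
.regenerate_key and set_secret() would call SecretClient.set_secret
(assumed wiring, not shown).
"""
import base64
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tag names assumed to match the tutorial's conventions.
TAG_CRED = "CredentialId"          # which storage key ("key1"/"key2") the secret holds
TAG_VALIDITY = "ValidityPeriodDays"
DEFAULT_VALIDITY_DAYS = 60         # assumed; Key Vault raises NearExpiry ahead of this
ALTERNATE = {"key1": "key2", "key2": "key1"}


@dataclass
class Secret:
    name: str
    value: str
    tags: dict
    expires_on: datetime


class FakeStorageAccount:
    """Constructed stand-in for the storage account's two access keys."""

    def __init__(self):
        self.keys = {"key1": self._new_key(), "key2": self._new_key()}
        self.regenerated = []  # audit trail of which key was rolled, in order

    @staticmethod
    def _new_key():
        # Real account keys are 64 random bytes, base64-encoded.
        return base64.b64encode(secrets.token_bytes(64)).decode()

    def regenerate_key(self, key_name):
        self.keys[key_name] = self._new_key()
        self.regenerated.append(key_name)
        return self.keys[key_name]


class FakeSecretClient:
    """Constructed stand-in for azure.keyvault.secrets.SecretClient."""

    def __init__(self):
        self.versions = {}

    def get_secret(self, name):
        return self.versions[name][-1]          # latest version

    def set_secret(self, name, value, tags, expires_on):
        s = Secret(name, value, dict(tags), expires_on)
        self.versions.setdefault(name, []).append(s)
        return s


def seed(secret_name, vault, storage, now, cred_id="key1"):
    """Initial deployment: store one of the existing keys, tagged with its id."""
    tags = {TAG_CRED: cred_id, TAG_VALIDITY: str(DEFAULT_VALIDITY_DAYS)}
    return vault.set_secret(secret_name, storage.keys[cred_id], tags,
                            now + timedelta(days=DEFAULT_VALIDITY_DAYS))


def rotate(secret_name, vault, storage, now=None):
    """Regenerate the key NOT currently stored, then store it as a new version.

    Consumers still holding the old secret value keep working until they
    re-read the secret, because the key they hold is untouched.
    """
    now = now or datetime.now(timezone.utc)
    current = vault.get_secret(secret_name)
    cred_id = current.tags.get(TAG_CRED)
    if cred_id not in ALTERNATE:
        # Fail closed: never guess which key a consumer is relying on.
        raise ValueError(f"secret {secret_name!r} has no valid {TAG_CRED} tag")
    alternate = ALTERNATE[cred_id]
    validity = int(current.tags.get(TAG_VALIDITY, DEFAULT_VALIDITY_DAYS))

    new_key = storage.regenerate_key(alternate)
    tags = dict(current.tags)
    tags[TAG_CRED] = alternate
    return vault.set_secret(secret_name, new_key, tags,
                            now + timedelta(days=validity))


def handle_event(event, vault, storage, now=None):
    """Event Grid entry point: rotate only on SecretNearExpiry (assumed schema)."""
    if event.get("eventType") != "Microsoft.KeyVault.SecretNearExpiry":
        return None
    return rotate(event["data"]["ObjectName"], vault, storage, now)
```

Two things worth carrying over when wiring this to the real SDK: the function's own identity should hold only the storage account key-operator permission and Key Vault set/get on this one secret, and the new secret version should be written before anything else happens, so a crash between regenerate and set_secret is visible in the vault's version history rather than silently leaving a key that nobody holds.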