Managing the rotation of Azure storage account keys with Azure Function and Key Vault

0
votes

Having asked a question about Removing Secrets from Azure Function Config this Microsoft approach was recommended for managing the rotation of keys for Azure Storage Accounts and the keeping of those keys secret in Azure KeyVault

Note we are accessing Tables in an Azure Storage Account and Tables unlike Blobs and Queues do not support Managed Identity access controls.

The recommendation comes with some Azure Deplyment templates that would not run for me so I decided to create the resources myself to check my understanding of the approach. After trying to follow the recommendation I have some questions

Existing situation:

  1. An existing function called "OurAzureFunction" that currently has the Storage Account connection string configured with the key directly in the Function config.
  2. An existing storage account called "ourstorageaccount" that contains the application data that "OurAzureFunction" operates on

My understanding of the recommendation is that it introduces

  1. "keyRotationAzureFunction", an Azure function with two Httptriggers, one that responds to event grid event for secrets that are soon to expire and one that can be called to regenerate the keys on demand.
  2. "keyRotationKeyVault", a Key Vault that is operated on by the keyRotationAzureFunction.
  3. An Event Grid subscription that listens to SecretNearExpiry event from "keyRotationKeyVault"

I have issues with understanding this approach. I can't see a better way but to collate the issues in this Stack Overflow question rather than with three individual questions.

  1. Does keyRotationAzureFunction have the "Storage Account Key Operator Service Role" on "ourstorageaccount" so that it can regenerate its' keys?
  2. What configuration does "OurAzureFunction" have that allows it to create a connection to ourstorageaccount? Is it the tagged secret in "keyRotationKeyVault"?
  3. Is the value of the secret in "keyRotationKeyVault" not used just the tags related to the secret?
2
azure-storageazure-keyvault
That article is a bit dated, and while it's supported the recommended approach is to use Managed Identity, which you can use with Azure Functions to, say, access Storage. See docs.microsoft.com/samples/azure-samples/…. You don't have to worry about rotating keys, and a password or token is never shared, making it easier to secure than a shared access token (and why we don't support managing storage keys in the new Key Vault SDK anymore). Would that work better for you?Heath
Managed Identify didn’t work against Tables in a Storage Account. This question came after I asked a question about our current scenario and this as approach was recommendedPat Long - Munkii Yebee
Question updated referencing earlier SO question and making the point that we are using Azure Table StoragePat Long - Munkii Yebee

2 Answers

1
votes

  1. Yes, the function has to run as a principal that can rotate the keys, which that role provides. Key rotation can be kept as a separate role so that you can provide granular access to secrets to avoid leaks.

  2. The function (rather, the principal) just needs "get" access to a secret used for generating SAS tokens (it's a special kind of secret where the value returned will change to generate new SAS tokens) that grants access to storage. The Key Vault must be configured to manage tokens for the Storage account. See a sample I just published recently at https://docs.microsoft.com/samples/azure/azure-sdk-for-net/share-link/ which I hope simplifies the problem.

  3. The value of the secret is actually the generated SAS token for the storage account. The tags are used to figure out which secret to use for the storage account in case you have other secrets in your Key Vault, or even manage multiple function apps this way (you can identify the correct secret for the storage account key near expiry).

1
votes

I'm not sure why ARM templates did not work for you. You need to be an owner of Storage and Key Vault to create necessary permissions. To answer your questions:

  1. Yes
  2. Yes it is using tags to with Storage information to connect and regenerate key
  3. Value is not not for connection to Storage, but it could be an alternative way to connect. You can see more information about tags here: https://github.com/jlichwa/KeyVault-Rotation-StorageAccountKey-PowerShell