Manage storage account keys with Key Vault

I recently came across a requirement to store a storage account SAS key securely and automatically renew it based on a retention period. A SAS is used to transfer data to and from the storage account with the least possible permissions, which is much safer than sharing the storage account's master keys.

What is a shared access signature (SAS)?

A shared access signature (SAS) provides secure delegated access to resources in a storage account. With a SAS we get granular control over how a client can access the data, for example:

  • Which resources the end user or client may access.
  • Which permissions the client has on those resources.
  • How long the SAS is valid for accessing the data.

A shared access signature is a signed URI that points to one or more storage resources. The URI includes a token that contains a special set of query parameters.

Key Vault Managed storage account keys

Azure Key Vault can manage the storage account keys for you: it periodically regenerates them in the storage account and issues shared access signature tokens for delegated access to resources in the account. Things to remember:

  • Both Azure Storage accounts and classic storage accounts are supported.
  • When Key Vault manages a storage account, do not regenerate its keys manually.
  • Do not allow multiple Key Vaults to manage a single storage account.

Azure Key Vault is a Microsoft first-party application that is pre-registered in every Azure AD tenant. Within each Azure cloud it is registered under the same application ID in every tenant:

  Tenants    Cloud                Application ID
  Azure AD   Azure Government     7e7c393b-45d0-48b1-a35e-2905ddf8183c
  Azure AD   Azure Public Cloud   cfa8b339-82a2-471a-a3c9-0fc0be7a4093
  Other      Other                cfa8b339-82a2-471a-a3c9-0fc0be7a4093

I have created a PowerShell script for this and stored it on GitHub. The GitHub URL: https://github.com/santhosha021/az-kv-managedstorage/blob/main/az-kv-managedstorage.ps1

Things to note:

  • The script uses a retention period of 30 days, which can be changed to suit business needs.
  • The end of the script has output commands that verify the SAS URI and its retention period.
  • The values stored in the Key Vault cannot be viewed in the portal or in PowerShell.
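The following PowerShell walk-through is an added example, not the script from the GitHub link above. It ties the role assignment for the Key Vault application ID from the table to the onboarding and SAS definition steps, and it ends with the same kind of verification output the post describes. The resource group, vault, storage account, SAS definition name and user principal name are placeholders; it assumes the vault uses the access-policy permission model and Az modules recent enough to support Get-AzKeyVaultSecret -AsPlainText.

```powershell
# Added example (not the author's script). Requires the Az.Accounts, Az.Resources,
# Az.KeyVault and Az.Storage modules and an existing resource group, Key Vault and
# storage account. All names below are placeholders.

$resourceGroupName  = 'rg-example'        # placeholder
$keyVaultName       = 'kv-example'        # placeholder
$storageAccountName = 'stexample'         # placeholder
$sasDefinitionName  = 'blobreadonly'      # placeholder
$userPrincipalName  = 'user@example.com'  # placeholder: identity running this script
$regenerationDays   = 30                  # storage-key regeneration period, as in the post
$sasValidityDays    = 30                  # lifetime of each SAS token Key Vault hands out

# Key Vault's first-party application ID for the Azure Public Cloud (from the table above).
# Use 7e7c393b-45d0-48b1-a35e-2905ddf8183c for Azure Government.
$keyVaultAppId = 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'

$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# 1. Allow the Key Vault service to regenerate keys on this one storage account.
#    'Storage Account Key Operator Service Role' permits listing and regenerating keys
#    and nothing else; scoping it to the account keeps the grant minimal.
New-AzRoleAssignment -ApplicationId $keyVaultAppId `
    -RoleDefinitionName 'Storage Account Key Operator Service Role' `
    -Scope $storageAccount.Id

# 2. Grant the operator identity the storage permissions on the vault needed to onboard
#    the account and to create and read SAS definitions (assumes access-policy model).
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $userPrincipalName `
    -PermissionsToStorage get, list, set, update, regeneratekey, getsas, listsas, setsas

# 3. Onboard the storage account. Key Vault treats key1 as the active key and
#    regenerates the inactive key on the given period, then swaps them. After this
#    step, never regenerate the keys by hand (see "Things to remember" above).
Add-AzKeyVaultManagedStorageAccount -VaultName $keyVaultName -AccountName $storageAccountName `
    -AccountResourceId $storageAccount.Id -ActiveKeyName 'key1' `
    -RegenerationPeriod ([System.TimeSpan]::FromDays($regenerationDays))

# 4. Build a SAS template. The account key given here is only a placeholder: Key Vault
#    re-signs the template with the key it manages, so this script never reads the
#    real key. Permissions are deliberately narrow: blob service, read + list, HTTPS only.
$templateContext = New-AzStorageContext -StorageAccountName $storageAccountName `
    -StorageAccountKey 'Key1' -Protocol Https
$sasTemplate = New-AzStorageAccountSASToken -Context $templateContext `
    -Service Blob -ResourceType Service, Container, Object -Permission 'rl' `
    -Protocol HttpsOnly -StartTime (Get-Date).AddDays(-1) `
    -ExpiryTime (Get-Date).AddDays($sasValidityDays)

# 5. Store the SAS definition. Each token Key Vault issues from it is valid for
#    $sasValidityDays and is signed with whichever key is currently active.
Set-AzKeyVaultManagedStorageSasDefinition -VaultName $keyVaultName -AccountName $storageAccountName `
    -Name $sasDefinitionName -TemplateUri $sasTemplate -SasType 'account' `
    -ValidityPeriod ([System.TimeSpan]::FromDays($sasValidityDays))

# 6. Verify: retrieve a freshly issued token (secret name is "<account>-<definition>")
#    and report its expiry and permissions without echoing the signature.
$secretName = "$storageAccountName-$sasDefinitionName"
$sasToken   = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -AsPlainText

function Get-SasField([string]$Token, [string]$Name) {
    # Pull one query parameter out of a SAS token string such as "?sv=...&se=...&sig=..."
    if ($Token -match "(?:^|[?&])$Name=([^&]+)") {
        return [uri]::UnescapeDataString($Matches[1])
    }
}

[pscustomobject]@{
    SecretName  = $secretName
    Services    = Get-SasField $sasToken 'ss'
    Permissions = Get-SasField $sasToken 'sp'
    ExpiresUtc  = Get-SasField $sasToken 'se'
    HttpsOnly   = (Get-SasField $sasToken 'spr') -eq 'https'
}
```

The check at the end is the one worth keeping in any production version: the `se` value should sit roughly `$sasValidityDays` in the future on every retrieval, and `sp` should contain only the permissions you put in the template. If either drifts, the SAS definition has been changed, which is the signal to investigate before the token is handed to a client.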