Rotating Access Keys for Your Azure Storage Account

When you create an Azure storage account, you will generate two 512-bit access keys that can be used to permit access to your storage account via Shared Key Authorization. But what happens if these keys get compromised?

To mitigate the risk of compromised keys, it’s a good security practice to regularly rotate these keys. If you use Azure Key Vault, you can automate this process by configuring a rotation policy. If you don’t have a rotation policy set up already, you can manually rotate your access keys and set up an expiration policy to remember when you need to rotate keys again next.

In this guide, we’ll show you how to manually rotate the access keys for your Azure storage account.

Blink Automation: Rotate Azure Storage Account Access Keys and Send Confirmation to Slack

Azure + Slack

Try This Automation

What permissions do you need?

To rotate the access keys, you must be a Service Administrator or have a role that includes the action: Microsoft.Storage/storageAccounts/regeneratekey/action. If you are in a standard Owner, Storage Account Key Operator, or Contributor role, you have sufficient permissions.

Rotating Access Keys for Your Azure Storage Account

Azure provides you with two access keys so that you can renew keys without disrupting your application’s performance. You should be referencing only one of the keys (primary or secondary) in your application code. This way, you can renew the key not being currently used and switch the reference back and forth to keep your keys up to date.

If you use one key in a few applications and the second key in others, you’ll lose access to some applications while you are rotating keys.

To rotate storage access keys, you can use either the Azure portal or the Azure CLI.

Using the Azure Portal:

1. Go to your storage account in the Azure portal.

2. To get your current access keys, navigate to Security + networking, select Access keys.

When you click Show keys, you’ll be able to copy the values for each key and their respective connection strings. You’ll want to copy the value of the key you are not currently using in your application code. Let’s assume you are not currently using your secondary key.

3. Paste the secondary key value into the connection string in your application code. Your connection string will look like this:

DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>

4. Head back to your storage account in the Azure portal, and choose the Access Keys option below Security + networking.

5. Select Regenerate to renew the primary access key for your Azure storage account.

6. You can copy the new primary access key value and, similar to step 3, paste it into the connection string in your application code to reference the new primary access key.

7. Once you have validated that your application is successfully referencing the new primary key, you can use steps 4 and 5 to rotate the secondary access key. You can repeat this process periodically to ensure you have secure access keys.

Using the Azure CLI:

You can rotate access keys for your Azure storage account with the Azure CLI by following the steps below:

1. First, can run the following command to view your primary and secondary access keys:

az storage account keys list \
  --resource-group <resource-group> \
  --account-name <storage-account>

Copy the account key that you are not currently using in the connection string in your application code. Let’s assume you are not currently using your secondary key.

2. Paste the secondary access key value into the connection string in your application code. The connection string will look like this:

DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>

Doing this step allows you to renew the primary key without disrupting your application’s performance. There’s no simple way to do this with a CLI command.

3. Now, you can use the az storage account keys renew command to regenerate the primary key:

az storage account keys renew \
  --resource-group <demo-resource-group> \
  --account-name <demo-storage-account> \
  --key primary 

4. Now that you have your new primary key, you can paste it into the connection string in your application code, just like in step 2.

5. Now that you have rotated your primary key and removed the connection string reference to your secondary key, you can run step 3 to renew your secondary key value too. Once you’ve done this, you will have successfully rotated the access keys for your Azure storage account.

Automatically Rotate Access Keys with Blink Automations

To periodically rotate access keys for your Azure storage account, you can do it manually, but that means taking the time to work through these steps each time. It’s time-intensive and requires context-switching.

With Blink, you can run this automation to ensure that access keys have been rotated within the last 90 days.

When you run this automation, it executes the following steps:

1. Scans your Azure account to see if any Storage Account Access Keys have not been rotated within the last 90 days.
2. Sends a report to a designated email address.

This is a simple automation, and it’s easy to customize to fit your ideal workflow. You can add an approval step to take action like rotating keys or sending notifications via Slack or Teams.

You can use any of the 5K automations in the Blink library, or build any automations from scratch using hundreds of configurable drag-and-drop actions.

Get started with Blink and see how easy automation can be.