Back to Blog

Rotating Access Keys for Your Azure Storage Account

It's a good security practice to regularly rotate the access keys for your Azure storage accounts. In this guide, we'll show you how to do it with the Azure portal and Azure CLI.

azure-logo

When you create an Azure storage account, you will generate two 512-bit access keys that can be used to permit access to your storage account via Shared Key Authorization. But what happens if these keys get compromised?

To mitigate the risk of compromised keys, it’s a good security practice to regularly rotate these keys. If you use Azure Key Vault, you can automate this process by configuring a rotation policy. If you don’t have a rotation policy set up already, you can manually rotate your access keys and set up an expiration policy to remember when you need to rotate keys again next.

In this guide, we’ll show you how to manually rotate the access keys for your Azure storage account.

Blink Automation: Rotate Azure Storage Account Access Keys and Send Confirmation to Slack
Azure + Slack
Try This Automation

What permissions do you need?

To rotate the access keys, you must be a Service Administrator or have a role that includes the action: Microsoft.Storage/storageAccounts/regeneratekey/action. If you are in a standard Owner, Storage Account Key Operator, or Contributor role, you have sufficient permissions.

Rotating Access Keys for Your Azure Storage Account

Azure provides you with two access keys so that you can renew keys without disrupting your application’s performance. You should be referencing only one of the keys (primary or secondary) in your application code. This way, you can renew the key not being currently used and switch the reference back and forth to keep your keys up to date.

If you use one key in a few applications and the second key in others, you’ll lose access to some applications while you are rotating keys.

To rotate storage access keys, you can use either the Azure portal or the Azure CLI.

Using the Azure Portal:

1. Go to your storage account in the Azure portal.

2. To get your current access keys, navigate to Security + networking, select Access keys.

When you click Show keys, you’ll be able to copy the values for each key and their respective connection strings. You’ll want to copy the value of the key you are not currently using in your application code. Let’s assume you are not currently using your secondary key.

azure storage access keys
Source – Azure documentation: View account access keys

3. Paste the secondary key value into the connection string in your application code. Your connection string will look like this:

DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>

4. Head back to your storage account in the Azure portal, and choose the Access Keys option below Security + networking.

5. Select Regenerate to renew the primary access key for your Azure storage account.

6. You can copy the new primary access key value and, similar to step 3, paste it into the connection string in your application code to reference the new primary access key.

7. Once you have validated that your application is successfully referencing the new primary key, you can use steps 4 and 5 to rotate the secondary access key. You can repeat this process periodically to ensure you have secure access keys.

Using the Azure CLI:

You can rotate access keys for your Azure storage account with the Azure CLI by following the steps below:

1. First, can run the following command to view your primary and secondary access keys:

az storage account keys list \
  --resource-group <resource-group> \
  --account-name <storage-account>

Copy the account key that you are not currently using in the connection string in your application code. Let’s assume you are not currently using your secondary key.

2. Paste the secondary access key value into the connection string in your application code. The connection string will look like this:

DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>

Doing this step allows you to renew the primary key without disrupting your application’s performance. There’s no simple way to do this with a CLI command.

3. Now, you can use the az storage account keys renew command to regenerate the primary key:

az storage account keys renew \
  --resource-group <demo-resource-group> \
  --account-name <demo-storage-account> \
  --key primary 

4. Now that you have your new primary key, you can paste it into the connection string in your application code, just like in step 2.

5. Now that you have rotated your primary key and removed the connection string reference to your secondary key, you can run step 3 to renew your secondary key value too. Once you’ve done this, you will have successfully rotated the access keys for your Azure storage account.

Automatically Rotate Access Keys with Blink Automations

To periodically rotate access keys for your Azure storage account, you can do it manually, but that means taking the time to work through these steps each time. It’s time-intensive and requires context-switching.

With Blink, you can easily create an automation that regularly rotates access keys on a recurring basis. With a click, you can switch the access key being referenced to the secondary key, renew your primary access key, and then update those systems back to reference the primary key seamlessly. 

By automating this entire workflow, you can ensure that all account access keys are rotated regularly without disruption.

Create your free Blink account and boost your AWS security posture today.

Simplify your cloud operations

Sign up for Blink today

Transform your cloud operations today with a library of purpose-built DevOps and SecOps playbooks and hundreds of integrations.

Sign up