Azure for AWS professionals - Storage - Azure - 04 Securely Accessing Storage Accounts

@20aman    Sep 07, 2019

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

When working with Microsoft Azure Storage accounts, you will need to access these accounts either from a program or programmatically from a script or code. There are two primary ways to securely access your storage accounts. In this post, we will review these and find out how to access their settings from the portal.

Access Keys

The first is to use the Access keys. Linked to every storage account, there are two access keys. These are referred to as primary and secondary keys or simply key1 and key2. To access these keys, navigate to your storage account and then click on the "Access keys" under settings. Note that you only need one key (anyone) to be able to connect to the storage account. Now when you are using a tool like Storage Explorer or PowerShell scripts to connect to your storage account, you can use this key along with the name of the storage account to connect and perform operations.

Access Keys

Note that these keys are like keys to the kingdom for your storage accounts. You can't tweak the control and restrict it in any way. These keys are meant only for the administrators and should not be used by anyone else. You also can't set any kind of expiry on these keys. So once somebody has these keys they can keep on using these to access the storage accounts. The only way to change is to access the keys and click on the refresh arrow symbol next to the key1 or key2 text to regenerate these keys. As a best practice, you should always use SAS tokens i.e. Shared Access Signature keys to perform any operations.

Shared Access Signature (SAS tokens)

SAS tokens are the way you should be accessing the storage accounts, programmatically or otherwise. These are what you should be using (with an expiry date) to give temporary access to anybody in your organization or even outside if there is any sensitive data on your storage accounts.

From official page: "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time. An account-level SAS can delegate access to multiple storage services (i.e. blob, file, queue, table). Note that stored access policies are currently not supported for an account-level SAS."

Shared access signature

Once you tweak all the settings for what kind of access you want to provide, then click on "Generate SAS and connection string" it will generate a Shared Access Signature (SAS token), and a connection string and various URIs using that SAS token. These URIs for storage account's blob, file share, tables and queue services.

Shared access signature Connection string and URLs

Now you know the best way to connect to your storage accounts securely. Depending upon your situation ensure to use the correct approach. If in confusion, always go with Shared Access Signatures.





Comments powered by Disqus