Hello EnterpriseArchitect,
Welcome to Microsoft Q&A Forum. Thanks for posting your query here!
I understand that you want to automate the regular rotation of the Azure Storage Account access keys, with the objective of ensuring that both access keys are rotated on a daily basis.
To integrate the Storage Account with Key Vault, we recommend you navigate to your storage account, under "Security + networking" select "Access keys", click "Connect to Key Vault", and select the desired Key Vault and choose a Key Vault secret to store the access keys.
To configure Key Vault rotation, configure automatic key rotation for the selected secret. Define a rotation schedule (e.g., daily). Key Vault will automatically regenerate the secret (which contains your storage account access keys) according to the schedule.
After that, use Azure CLI or PowerShell to add your storage account as a managed storage account in Key Vault and specify the regeneration period for the keys (e.g., daily).
az keyvault storage add --vault-name <YourKeyVaultName> --name <YourStorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period "P1D" --resource-id <YourStorageAccountResourceId>
Ensure your applications are configured to retrieve the latest access keys from Key Vault.
Permissions:
Assign the "Storage Account Key Operator Service Role" to the Key Vault to allow it to manage the keys, and set access policies in Key Vault to allow your service principal or user to manage the storage account keys.
Key Management:
Rotate one key while keeping the other in use to avoid service disruptions. Set up alerts for key usage and rotation to ensure compliance with security policies. Consider disabling shared key access to enhance security and rely solely on Azure Key Vault for key management.
Additional information:
- Store the storage account access keys as secrets in Azure Key Vault. You can create two versions of the same secret, alternating between the primary and secondary key.
- Configure Azure Event Grid to publish a "near expiry" event 30 days before the expiration date of a secret. This event will trigger the function to rotate the keys.
- Develop a function that will handle the rotation process. When triggered by the Event Grid, this function should identify the alternate key (not the latest one), regenerate it, and update the Key Vault with the new key.
- You can set the expiration for the secrets to 60 days, which will ensure that the rotation function is triggered every 30 days, allowing for regular updates.
- After implementing the rotation, monitor the access keys and verify that they have been regenerated correctly by comparing them with the secrets stored in Key Vault.
References:
- Manage storage account access keys- https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#manage-storage-account-access-keys
- Automate the rotation of a secret for resources that have two sets of authentication credentials-https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli#automate-the-rotation-of-a-secret-for-resources-that-have-two-sets-of-authentication-credentials
The information provided above can automate the rotation of Azure Storage Account access keys on a daily basis, enhancing the security of your storage resources.
Let me know if you have any questions or concerns; we are here at your service.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful", which might be beneficial to other community members reading this thread.