Learn about Azure Storage access keys and why these keys are so important. Also, learn the proper procedure to regenerate the keys when required.
- [Narrator] A storage account has two access keys, a primary and a secondary that can be used to authenticate to your storage resources. There may be times when you will need to regenerate the access keys. For example, you may need to meet company policy or if a storage account has been compromised. Microsoft recommends the following steps to regenerate your storage keys. The first thing you'll do is update all applications that currently use a storage key to use the secondary key. Then, regenerate the first key, update the applications to use that first key, the one you just regenerated, and then regenerate the second key.
Following this process, the application does not lose connectivity to the storage resources. Talking about the access keys is okay, but let's actually take a look at them. As you can see, I've logged in to Azure and I have a list of my current resource groups. The resource group that I want to access is ManageAccess. And you'll notice I already have two storage accounts already created. We're going to focus in on accessdemo. You will find access keys under Settings and here we have our two access keys.
We have key1 and key2. If you did want to share your access keys, you go ahead and copy it and then distribute it as necessary. But as you can see up in the blurb up at the top, Microsoft does not recommend that you just give out your access keys. There are other ways where we can allow access to your storage resources. Following the process that we just stepped through, if I wanted to regenerate I would go ahead, point my applications to key2, regenerate key1.
Yes, I am being prompted. Do I really want to do this? Yes I do. You'll notice that key1 changed. I would now go ahead and take that application, point it to key1, and then regenerate key2. Again, I have the same warning. Do I really want to do this? And then click Yes. You can also run through the same process using PowerShell. And I'll show you that right now. I've logged in to PowerShell ISE in administrative mode. And I have already logged in to my Azure account.
The first thing I want to do is actually retrieve my keys. To do so, I'm going to use the command Get-AzureRmStorageAccountKey. Next I need to specify the resource group name, which I had called ManageAccess. And I need to specify the storage name, which was accessdemo. Those are our two keys that we have generated. You will also notice it states that our permissions are full. And that's something to keep in mind with your access keys. They do have full permission to your storage resource.
In order to regenerate a storage key, I'm going to use the command New-AzureRmStorageAccountKey. Again I'm going to specify the resource group, the name of the storage account, and then the key I wish to generate. And go ahead and click Enter. And I'm going to go ahead and rerun my first command, Get-AzureRmStorageAccountKey. And you'll notice that our key values have now been changed. As we've already stated, this is probably not the best way to allow access to your storage resources.
We can also use shared access signatures and stored access policies, which we'll be discussing in the next video.
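The rotation order described in the video (applications to key2, regenerate key1, applications to key1, regenerate key2) can be scripted with the same two cmdlets. This is an added example, not code from the video: the function name `Invoke-StorageKeyRotation` and its `-UpdateApplications` script block are hypothetical, and it assumes an already authenticated AzureRM session and key objects that expose `KeyName`, `Value` and `Permissions`.

```powershell
# Added example: two-step key rotation with the AzureRM cmdlets from the video.
# Assumes an authenticated session and an AzureRM.Storage version whose key
# objects expose KeyName, Value and Permissions.
# Invoke-StorageKeyRotation and -UpdateApplications are hypothetical names.
function Invoke-StorageKeyRotation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [Parameter(Mandatory = $true)][string]$Name,
        # Called as: & $UpdateApplications <keyName> <keyValue>
        # It must repoint every consumer of the account to that key.
        [Parameter(Mandatory = $true)][scriptblock]$UpdateApplications
    )
    $ErrorActionPreference = 'Stop'

    # Read the current value of one key (key1 or key2).
    function Get-KeyValue([string]$KeyName) {
        (Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $Name |
            Where-Object { $_.KeyName -eq $KeyName }).Value
    }

    # Regenerate key1 while apps use key2, then key2 while apps use the new key1.
    $steps = @(
        @{ Use = 'key2'; Regenerate = 'key1' },
        @{ Use = 'key1'; Regenerate = 'key2' }
    )
    foreach ($step in $steps) {
        # Move applications off the key that is about to be invalidated.
        & $UpdateApplications $step.Use (Get-KeyValue $step.Use)

        $before = Get-KeyValue $step.Regenerate
        New-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName `
            -Name $Name -KeyName $step.Regenerate | Out-Null

        # Confirm the old value is really gone before continuing.
        if ((Get-KeyValue $step.Regenerate) -eq $before) {
            throw "$($step.Regenerate) was not regenerated; stopping rotation."
        }
    }
}

# Usage with the names shown in the video. The script block is a placeholder
# for whatever updates your applications' configuration or secret store.
Invoke-StorageKeyRotation -ResourceGroupName 'ManageAccess' -Name 'accessdemo' -UpdateApplications {
    param($KeyName, $KeyValue)
    Write-Host "Repoint applications to $KeyName"   # never log $KeyValue
}
```

Because both keys carry full permissions, the script never writes a key value to the console or a log; only the key name is reported.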