Using Azure Key Vault to manage Storage Account keys

I didn’t know this until today, but you can manage your Azure Storage account keys with Key Vault. This isn’t something visible in the Portal so I was pleased to discover it.

In the Portal, all you see within a Key Vault and keys, secrets, and certificates. In the CLI though you also get storage accounts.

There is a Microsoft article on how to go about doing this which you should refer to if you want the official steps. What follows below is me trying it out plus expanding on it.

I start with setting some variables so I can refer to things easily:

Replace the above with appropriate values.

After that I go ahead and create a Storage Account and a Key Vault in the resource group. Standard stuff. I could have done this via the Portal too:

Next step is to assign the Key Vault permissions to the Storage Account. Since permissions are assigned using Azure AD as the identity source, Microsoft has already made the Key Vault available in Azure AD as an application. You can find it in the portal under “Azure Key Vault” and it has the following application ID across all tenants (varies depending on which Azure cloud you are in but within the cloud the ID is common across tenants).

The above screenshot is just for illustration. We don’t actually need to use it.

It’s not possible to assign permissions via the Portal to the Key Vault. One must use the CLI:

It is possible to replace with the application ID too.

At this point the Key Vault application has the operator role to the Storage Account. This can be seen in the portal too under the Storage Account IAM.

Typically the admin account using which we created the Key Vault would have permissions to manange keys, secrets, etc. and we can see this in the “Access Policies” section of the Key Vault. Not visible there, but the account also has permissions on the storage accounts section of a Key Vault. This can be seen via the CLI:

The Microsoft article gives the admin account some more rights so we do that next:

And lastly we tell the Key Vault to start managing the keys of this Storage Account. Basically we are adding the Storage Account to the Key Vault, similar to how we’d add a Key, Secret, and Certificate. We also need to tell it which key is the currently active one (key1 or key2):

In the snippet above we are also telling the Key Vault to automatically rotate keys every 90 days. Which of course is the point of doing this via a Key Vault as that will manage the key for you.

If I want to manually regenerate a key (e.g. key2 below) I can now do it from the Key Vault (again, via CLI as all this doesn’t appear in the Portal):

I am not a 100% sure how to use all this as I am not a developer.

How would I access one of these keys though? That’s another reason to use a Key Vault – manage access to information. I will use curl to access the key.

First, get the URL of the Storage Account in the Key Vault:

The URL ends with /storage/<storageaccount> but I got the impression from this article that it should be /storageaccount instead. *shrug*

The request URL format can be found in this article. In addition to the URL above I have to specify the key I am interested in and also the API version. The API version is mandatory as there’s no default version, and is of the format {YYYY}.{MM}.{DD}. I wasnt’ sure where to find the API version from, but a quick Google got me to this reference page and the examples there had 2019-09-01.

If I were to try and access via curl this will understandably return an error:

If I do the same with the option to show headers it shows me where to go and get a token (e.g. my tenant ID):

This Microsoft article supposedly has steps on how to authenticate with Azure AD and get a token but it didn’t make much sense to me. Basically we have to create an application in Azure AD representing my curl “application” above and use that can get the access token. Instructions for doing it via the Portal are here but that too didn’t make much sense to me… so I gave up. I do want to figure out how to use the REST APIs so will revisit it later I suppose.