Thursday, March 9, 2017

Azure Storage Keys

Azure storage is the bed rock of many of the services in the Azure platform.  While there are a host of controls that can be put in place to protect/secure/monitor Azure storage, we need to remember that it is inherently a public facing service and there is not much we can do to change that.  Given a storage account name and one of the two storage account keys, anyone can access your azure storage account, from anywhere.  The goal of this post is to chat a little bit more about Azure storage keys.

It is important to note that there are two types of keys in Azure storage.  The Azure Storage Keys (ASK) and Shared Access Signatures (SAS).  This article focuses on the ASK and not SAS keys.  One interesting thing is that SAS tokens are actually signed by one of the ASK, so in theory regenerating a ASK will invalidate the SAS keys that were generated against it.

Azure storage keys are easily accessible via the REST api for Azure and this has been incorporated into the all major access forms (CLI, Portal, Powershell, etc).  From a portal perspective, simply navigate to the storage account in question and click on access keys.

More information about azure storage keys can be found in the following links:

From a powershell perspective, you can access the keys by running the Get-AzureRMStorageAccountKey cmdlet (  It is important to note that this command will simply print the keys to the console, and so please use this with caution.

I've created a little script using this technique that you can use to get storage account keys.

    [Parameter(Mandatory=$true,HelpMessage="Subscription ID to target")]
    [Parameter(Mandatory=$true,HelpMessage="Storage Account to target")]

Write-Host "Authenticating to Azure..." -ForegroundColor Cyan
    $context = Get-AzureRmContext
    if ($context.Subscription.SubscriptionId -ne $subscriptionId){
        throw "Not logged into the correct subscription"
    Login-AzureRmAccount -SubscriptionId $subscriptionId

$storageAccountReference = Find-AzureRmResource -ResourceNameEquals $storageAccountName `
                                                -ResourceType "Microsoft.Storage/storageAccounts"

if (-not $storageAccountReference){
    throw "Could not find $storageAccountName in $subscriptionID"

$keys = Get-AzureRmStorageAccountKey -ResourceGroupName $storageAccountReference.ResourceGroupName `
                                        -Name $storageAccountReference.Name

Write-Output $keys

Azure storage keys are used to provide remote access to the storage account.  It is important to note that these keys grant full permission to the storage account.  This access type was used prior to the release of SAS keys and most Azure documentation and services point to now using SAS keys for access rather than using the ASK keys directly.

Lastly, in order to be able to access the storage account keys, you need to have the required permissions on the resource itself.  Based on the official documentation, users looking to access the keys need to have contributor or owner permissions on the resource in question.