Azure storage is the bedrock of many of the services in the Azure platform. While there are a host of controls that can be put in place to protect, secure and monitor Azure storage, we need to remember that it is inherently a public-facing service and there is not much we can do to change that. Given a storage account name and one of the two storage account keys, anyone can access your Azure storage account, from anywhere. The goal of this post is to chat a little bit more about Azure storage keys.
It is important to note that there are two types of keys in Azure storage: the Azure Storage Keys (ASK) and Shared Access Signatures (SAS). This article focuses on the ASK and not SAS keys. One interesting thing is that SAS tokens are actually signed by one of the ASKs, so in theory regenerating an ASK will invalidate the SAS tokens that were generated against it.
Azure storage keys are easily accessible via the REST API for Azure, and this has been incorporated into all the major access forms (CLI, Portal, PowerShell, etc.). From a portal perspective, simply navigate to the storage account in question and click on access keys.
More information about Azure storage keys can be found in the following links:
- https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Authentication-for-the-Azure-Storage-Services?redirectedfrom=MSDN
- https://docs.microsoft.com/en-us/azure/storage/storage-introduction#access-to-blob-table-queue-and-file-resources
From a PowerShell perspective, you can access the keys by running the Get-AzureRMStorageAccountKey cmdlet (https://docs.microsoft.com/en-us/powershell/resourcemanager/azurerm.storage/v2.3.0/get-azurermstorageaccountkey). It is important to note that this command will simply print the keys to the console, so please use this with caution.
I've created a little script using this technique that you can use to get storage account keys.
param(
    [Parameter(Mandatory=$true,HelpMessage="Subscription ID to target")]
    [string]$subscriptionId,
    [Parameter(Mandatory=$true,HelpMessage="Storage Account to target")]
    [string]$storageAccountName
)

# Reuse an existing AzureRM login context if it already targets the requested
# subscription; otherwise prompt for an interactive login.
Write-Host "Authenticating to Azure..." -ForegroundColor Cyan
try {
    $context = Get-AzureRmContext
    if ($context.Subscription.SubscriptionId -ne $subscriptionId) {
        throw "Not logged into the correct subscription"
    }
} catch {
    Login-AzureRmAccount -SubscriptionId $subscriptionId
}

# Locate the storage account resource so we know its resource group.
$storageAccountReference = Find-AzureRmResource -ResourceNameEquals $storageAccountName `
    -ResourceType "Microsoft.Storage/storageAccounts"
if (-not $storageAccountReference) {
    throw "Could not find $storageAccountName in $subscriptionId"
}

# Fetch both storage account keys. Note that this writes the key values to the console.
$keys = Get-AzureRmStorageAccountKey -ResourceGroupName $storageAccountReference.ResourceGroupName `
    -Name $storageAccountReference.Name
Write-Output $keys
Azure storage keys are used to provide remote access to the storage account. It is important to note that these keys grant full permission to the storage account. This access type was used prior to the release of SAS keys, and most Azure documentation and services now point to using SAS keys for access rather than using the ASK keys directly.
Lastly, in order to be able to access the storage account keys, you need to have the required permissions on the resource itself. Based on the official documentation, users looking to access the keys need to have contributor or owner permissions on the resource in question.
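Because regenerating an ASK invalidates every SAS token signed with it, key rotation is the practical response when a key may have been exposed. The script below is an added example, not part of the original post, that rotates one key with the same AzureRM module used above and confirms the change without ever writing the key value to the console; the parameter names and the Get-KeyFingerprint helper are my own.

```powershell
# Added example (not from the original post): rotate one storage account key
# and verify it changed, logging only a SHA-256 fingerprint of the key value.
# Assumes the AzureRM module and an existing Login-AzureRmAccount session.
param(
    [Parameter(Mandatory=$true)] [string]$resourceGroupName,
    [Parameter(Mandatory=$true)] [string]$storageAccountName,
    [ValidateSet("key1","key2")] [string]$keyName = "key2"
)

function Get-KeyFingerprint([string]$keyValue) {
    # Short SHA-256 prefix so a rotation can be logged without exposing the key.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($keyValue))
    return ([System.BitConverter]::ToString($hash) -replace "-", "").Substring(0, 12)
}

function Get-CurrentKeyValue {
    # Read the requested key; the value is kept in memory only and never printed.
    $key = Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName | Where-Object { $_.KeyName -eq $keyName }
    if (-not $key) { throw "Key $keyName not found on $storageAccountName" }
    return $key.Value
}

$before = Get-CurrentKeyValue
Write-Host ("Rotating {0} on {1} (current fingerprint {2})" -f $keyName,
    $storageAccountName, (Get-KeyFingerprint $before)) -ForegroundColor Cyan

# Regenerating the key also invalidates any SAS token that was signed with it.
New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName -KeyName $keyName | Out-Null

$after = Get-CurrentKeyValue
if ($after -eq $before) { throw "Key $keyName was not rotated" }
Write-Host ("Rotated {0}; new fingerprint {1}" -f $keyName,
    (Get-KeyFingerprint $after)) -ForegroundColor Green
```

Rotate one key at a time and update the consumers of the old key before rotating the other, so that clients always have a valid key to fall back on.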