[QUERY] How do I programmatically set-up storage account access keys for auto rotation in key vault?

[aniruddhagore1984]

Query/Question
I intend to accomplish the following:

1. create a storage account
2. create a key vault
3. add the storage account to the key vault aka add access keys to vault
4. set-up storage access keys for auto rotation

I am developing in C# and have managed to accomplish (1) and (2) but not getting any help in docs for (3) and (4). Could you please point me in the right direction?

Environment:

• Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects): Windows 10 .NET Framework
• IDE and version : Visual Studio

[blueww]

@aniruddhagore1984

This need both storage SDK and key vault SDK.

For storage SDK side：

first you will need assign an identity to the storage account, and get the account identity ID, like following.

                var updateParameters = new StorageAccountUpdateParameters()
                {
                    Identity = new Identity() { Type = IdentityType.SystemAssigned }
                };
                account = storageMgmtClient.StorageAccounts.Update(rgname, accountName, updateParameters);
                string accountId = account.Identity.PrincipalId;

Then you need give the accountId wrapkey,unwrapkey,get access to the keyvault, and you also need create a key with Destination as Software in the keyvault. This part depends on Keyvault SDK, need keyvault SDK owner to answer.

Finally, you can update the keyvault key information to the storage account. As you need enabled key auto rotation, just skip set key version.

               updateParameters = new StorageAccountUpdateParameters
                {
                    Encryption = new Encryption
                    {
                        Services = new EncryptionServices { Blob = new EncryptionService { Enabled = true }, File = new EncryptionService { Enabled = true } },
                        KeySource = "Microsoft.Keyvault",
                        KeyVaultProperties =
                            new KeyVaultProperties
                            {
                                KeyName = keyVaultKey.KeyIdentifier.Name,
                                KeyVaultUri = keyVault.Properties.VaultUri
                            }
                    }
                };

                account = storageMgmtClient.StorageAccounts.Update(rgname, accountName, updateParameters);

For you reference, this is a sample to enable CMK in Powershell: https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=powershell

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Issue Details

---

Query/Question
I intend to accomplish the following:

1. create a storage account
2. create a key vault
3. add the storage account to the key vault aka add access keys to vault
4. set-up storage access keys for auto rotation

I am developing in C# and have managed to accomplish (1) and (2) but not getting any help in docs for (3) and (4). Could you please point me in the right direction?

Environment:

• Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects): Windows 10 .NET Framework
• IDE and version : Visual Studio

Author:	aniruddhagore1984
Assignees:	blueww
Labels:	KeyVault, Mgmt, Service Attention, Storage, customer-reported, needs-author-feedback, question
Milestone:	-

[jlichwa]

@aniruddhagore1984 if you are looking for managed storage account keys feature, here is the sample in .NET https://docs.microsoft.com/en-us/samples/azure/azure-sdk-for-net/share-link/

This feature does not add storage account key to key vault, just use Key Vault to manage access by generating storage account keys SAS tokens, more can be find here:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys

Other than that when direct access to keys is required, key vault does not provide any built in way to rotate access keys in key vault besides using function like here:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!