Storage accounts in Azure comes with 2 keys. These keys basically give root access, so it can be beneficial for you to rotate to prevent storing of keys in an unsecure way, or sharing/abuse.
You can now block access, however some may need on an in-frequent basis.
Enabling when needing to use and disabling when not could be a solution but would depend on a manual process/ check. It’s purely based on your design.
In this solution, I will show you how to automate the rotation of these keys by using an Azure automation account runbook.
Let’s create our Automation Account, and Runbook, selecting Powershell.
Once we have that, we need to configure our Automation account so that it has the necessary access and modules.
For the access, it will need the RBAC Storage Account Key Operator Service Role and reader access (Able to view resource):
If you are only planning to deploy to select Storage accounts, you can apply granular access, else it may be beneficial to use management groups, or apply higher up. This is so that you can run the automation against any newly created storage accounts.
For the script to be able to run, you will need the AZStorage module, so please do check it is installed and up to date (Should be by default):
Now that we have our access and modules, we can simply edit the runbook and paste the following code: [Code here]
You can prove you have this right, by running the Test Pane and clicking Start.
If you see fails, it may be due to permissions or visibility of accounts (Read access).
Once happy, you can setup your schedule:
In this example, I’ve setup to run, every Friday at 1PM. I would recommend setting this and documenting it somewhere so that people are aware.
For exclusions, you could loop in either a manual check:
Or even create an array for those not wanting to rotate:
Leave a Reply