Azure Storage Connection String primary key in Azure Mobile Backend - azure

I want to create a key in my mobile app backend that contains my storage account primary key like this tutorial instructs, but I can't figure out where in the Azure Portal I should create the key. I can't find the Connection Strings blade that the tutorial refers to. Am I missing something, or should I use the storage account primary key somewhere else?

You can retrieve the key from the portal, instead of creating it yourself.
The Azure storage connection string looks like this:
Standard
DefaultEndpointsProtocol=http;AccountName=myAccount;AccountKey=myKey;
Secure
DefaultEndpointsProtocol=https;AccountName=myAccount;AccountKey=myKey;
Update:
This should be what you are looking for,

Related

Removing Secrets from Azure Function Config

Like most Azure Functions, in the beginning we have a connection string to the associated storage account that includes the AccountKey, like this:
DefaultEndpointsProtocol=https;AccountName=ourstorageAccount;EndpointSuffix=core.windows.net;AccountKey=WQfbn+VBhaY1fi/l0eRBzvAvngiCiOwPmx/==
We obviously want to remove that AccountKey. I had hoped we could use Managed Identity and the 'Contributor' role, but what I am reading is telling me you cannot use Managed Identity to access Tables in a Storage Account, only Blobs.
I know that we could move the whole connection string to Key Vault, but that just becomes an Azure management issue if we want to rotate the keys.
Has anyone successfully controlled access to Azure Table Storage with Managed Identities?
If not what is the next best approach that preferably allows for simple rotation of keys?
Has anyone successfully controlled access to Azure Table Storage with Managed Identities?
It is definitely not possible to access Azure Table storage with MSI (managed identity; essentially it is a service principal in Azure AD). When using MSI to access Azure resources, it essentially uses the Azure AD client credential flow to get a token, then uses the token to access the resource.
However, Azure AD auth is only supported by Azure Blob and Queue storage; Table storage doesn't support it currently. See: Authorize access to blobs and queues using Azure Active Directory.
If not what is the next best approach that preferably allows for simple rotation of keys?
You could use an Azure Function to do that; follow this doc: Automate the rotation of a secret for resources with two sets of authentication credentials. I think it completely meets your requirement: this tutorial rotates Azure Storage account keys stored in Azure Key Vault as secrets using a function triggered by an Azure Event Grid notification.
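A small audit for the two problems these threads touch on (an `http` endpoint protocol and an account key embedded in configuration), as an added example that is not part of the original posts. The setting names, the placeholder key value and the finding labels are constructed for illustration.

```python
import re

# Constructed sample app settings; key values are placeholders, not real keys.
SAMPLE_SETTINGS = {
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=myAccount;"
                           "EndpointSuffix=core.windows.net;AccountKey=cGxhY2Vob2xkZXI=",
    "LegacyStorage": "DefaultEndpointsProtocol=http;AccountName=myAccount;"
                     "AccountKey=cGxhY2Vob2xkZXI=;",
    "KeyVaultBacked": "@Microsoft.KeyVault(SecretUri="
                      "https://example.vault.azure.net/secrets/storage/)",
}

def parse_connection_string(value):
    """Return lower-cased field names mapped to their values."""
    # Split on the first '=' only: base64 account keys usually end in '='
    # padding, which a naive split("=") would cut off.
    fields = {}
    for segment in value.split(";"):
        name, sep, val = segment.partition("=")
        if sep:
            fields[name.strip().lower()] = val.strip()
    return fields

def audit_setting(value):
    """List the findings for one setting value (empty list means clean)."""
    fields = parse_connection_string(value)
    if "accountname" not in fields:
        return []  # not a storage connection string
    findings = []
    if fields.get("defaultendpointsprotocol", "").lower() == "http":
        findings.append("plaintext-http")
    if fields.get("accountkey"):
        findings.append("embedded-account-key")
    return findings

def redact(value):
    """Mask the key so a report or log line never carries the secret."""
    return re.sub(r"(?i)(AccountKey=)[^;]*", r"\1<redacted>", value)

def audit(settings):
    """Map each offending setting name to its findings."""
    report = {name: audit_setting(value) for name, value in settings.items()}
    return {name: found for name, found in report.items() if found}
```
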

Strategies to encrypt on Azure without using KeyVault

Need to store some content in Azure Blob Storage, and want to encrypt prior to storing it on Azure Blob (we don't want to rely on Azure storage encryption on-rest). The issue is we do not want to store our encryption keys on Azure (e.g. Key vault), and store it outside of Azure. Any suggestion on strategies for achieving this?
The issue is we do not want to store our encryption keys on Azure (e.g. Key vault), and store it outside of Azure.
Azure Storage Service Encryption doesn’t allow us to use our own encryption keys until now. To use your own encryption keys and store it outside of Azure, you need to create a proxy for your storage service.
For example, you could create a Web API to handle all the blob read/write requests. In your Web API, you could use your own encryption keys to encrypt or decrypt data and then write or read the data to Azure Blob Storage.
The limit of this way is that we can’t use the Azure Storage Client library or other tools to access the storage proxy (Web API) since it is written by yourself.
Any suggestion of on-premise secret options we can use, which are accessible to components on Azure.
I suggest you store the key on your local side and create an internal API which could return this key. To access this internal API from Azure components, you could use hybrid connections.
Access on-premises resources using hybrid connections in Azure App Service

authentication for cURL request to Azure storage

I'm finding the documentation on the Azure storage REST services a bit confusing.
How do I authenticate and consume an endpoint from Azure storage services over cURL?
I have:
the url
primary key
secondary key
I just don't know what to do with them to make a proper request.
You can refer to this documentation: Authentication for the Azure Storage Services. Both the primary key and the secondary key can be used for authentication; you can choose either of them.
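How either key turns into the `Authorization` header that a cURL request needs, as an added example that is not part of the original answer. It signs a Blob service List Containers request with the Shared Key scheme; the account name `myaccount`, the sample key and the `x-ms-version` value are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

API_VERSION = "2019-12-12"  # assumed x-ms-version; any supported version works
# Constructed key for the demo, not a real account key.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key").decode()
# Standard headers, in the order the Blob/Queue/File string-to-sign needs them.
STANDARD = ["Content-Encoding", "Content-Language", "Content-Length",
            "Content-MD5", "Content-Type", "Date", "If-Modified-Since",
            "If-Match", "If-None-Match", "If-Unmodified-Since", "Range"]

def canonicalized_headers(headers):
    """x-ms-* headers, lower-cased, sorted, one 'name:value' line each."""
    xms = sorted((k.lower(), v.strip()) for k, v in headers.items()
                 if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in xms)

def canonicalized_resource(account, path, query):
    """'/account/path' followed by sorted 'name:value' query lines."""
    lines = [f"/{account}{path}"]
    lines += [f"{k.lower()}:{query[k]}" for k in sorted(query, key=str.lower)]
    return "\n".join(lines)

def string_to_sign(verb, account, path, query, headers):
    """Verb, the standard header values (empty if unset), then both blocks."""
    fixed = [verb] + [headers.get(name, "") for name in STANDARD]
    return ("\n".join(fixed) + "\n" + canonicalized_headers(headers)
            + canonicalized_resource(account, path, query))

def authorization(account, key_b64, to_sign):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded key."""
    mac = hmac.new(base64.b64decode(key_b64), to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"

def curl_command(account, key_b64, when=None):
    """Build a signed List Containers request as a curl command line."""
    headers = {"x-ms-date": when or formatdate(usegmt=True),
               "x-ms-version": API_VERSION}
    query = {"comp": "list"}
    auth = authorization(
        account, key_b64, string_to_sign("GET", account, "/", query, headers))
    flags = " ".join(f'-H "{k}: {v}"' for k, v in headers.items())
    return (f'curl {flags} -H "Authorization: {auth}" '
            f'"https://{account}.blob.core.windows.net/?comp=list"')

if __name__ == "__main__":
    print(curl_command("myaccount", SAMPLE_KEY))
```

Only the signature appears on the command line; the key itself stays in the script. This header layout is the Blob, Queue and File form; the Table service uses a shorter string-to-sign.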

Where do I get the AzureWebJobsDashboard connection string information?

Trying to update my Service Bus apps to use the new RTM and I need this information.
<add name="AzureWebJobsDashboard" connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=" />
<add name="AzureWebJobsStorage" connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=" />
Previously I just used the connection string associated with each queue. I have tried about every combination of username and key I have associated with my account with no luck.
The AzureWebJobsDashboard connection string is your Azure Storage Account used by the Azure SDK to store logs used by the WebJobs dashboard.
The AzureWebJobsStorage connection string is your Azure Storage Account that is used by the SDK to do things like trigger when a file is uploaded to blob storage or a message is added to a queue. It sounds like you may not need this though if you are only using Service Bus Queues. If this is the case for you, then you could use the same connection string that you use for the AzureWebJobsDashboard. Generally, you would use two different storage accounts so that one is used for dashboard logging and the other is used for application functionality (queues, tables, blobs).
The connection string is available in the Azure Management Portal (classic) by clicking on Storage in the left navigation, highlighting the storage account you want to use, and then clicking the Manage Access Keys button at the bottom of the page.
The connectionString values for AzureWebJobsDashboard and AzureWebJobsStorage are obtained from the Azure Storage account. So follow the steps below to view the storage access keys.
1. Sign in to the Azure portal. https://portal.azure.com
2. In the navigation pane, click on Storage accounts.
3. Choose the desired storage account, click on Access keys and copy the Connection string.
The previous answers are correct, but I add this answer to give some clarity about the AzureWebJobsStorage key for someone learning Azure.
When creating a function app, a storage account is also set up. And inside the Function App, an application setting named AzureWebJobsStorage is created.
The connection string can be seen when checking Configuration under Function App. This reveals the name of the storage account and the access key.
Under Access keys in the Storage Account the connection string can be confirmed to be the same.

Shared Keys for Azure APIs

I have registered a Free-Trial account on Azure site.
In documentation I found:
http://msdn.microsoft.com/en-us/library/windowsazure/dd179428.aspx
that I need some Shared Keys to use APIs.
But where are they located on Azure Management Portal?
I could not find them at all.
Do I need a paid account for this?
If you open the Azure portal, click on the "Hosted Services, Storage Accounts & CDN" link on the lower left and then pick "Storage Accounts". Once you click on "New Storage Account" and create a storage account, you will see "Primary access key" and "Secondary access key" on the right hand side if you select that storage account in the middle.
More info:
Creating a storage account: http://msdn.microsoft.com/en-us/library/windowsazure/gg433066.aspx
Viewing keys: http://msdn.microsoft.com/en-us/library/windowsazure/hh531566.aspx
Note, if you are meaning Shared Access Signatures for blob storage, look at: http://blog.smarx.com/posts/new-storage-feature-signed-access-signatures
Each storage account you create will have a primary and secondary key, which is ultimately used in the REST header for accessing tables, blobs, and queues. If you're using .NET, Java, PHP or any other language where you've found a library wrapping the REST API, you won't have to worry about constructing REST headers; instead, you'll just create a storage endpoint using your primary or secondary key.
Making this easier, the key can be stored in your configuration settings. Then, if you ever change your storage account (maybe one for development, one for production), it's a simple matter of changing your configuration settings instead of changing code.
FYI - these keys are created automatically when you create a new storage account. And... you may use either key, and invalidate / re-create either key at any time (which is great if, say, you share your secondary key with a 3rd-party service and then want to terminate your relationship with that service).
I'd suggest grabbing the Windows Azure Training Kit and trying out a few of the first exercises, as you'll see exactly how to reference a storage account this way.
