I'm finding the documentation on the Azure storage REST services a bit confusing.
How do I authenticate and consume an endpoint from Azure storage services over cURL?
I have:
the url
primary key
secondary key
I just don't know what to do with them to make a proper request.
You can refer to this documentation: Authentication for the Azure Storage Services. Both the primary key and the secondary key can be used for authentication; you can choose either of them.
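As an added example, not code from the answer or from Microsoft's documentation, the following Go program works through the Shared Key scheme the linked page describes for a List Containers request against the Blob service and prints the equivalent curl command. The account name examplestorage, the key (32 bytes of 0x01) and the request are constructed placeholders; substitute your own account and primary or secondary key.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Constructed placeholder account; the key is 32 bytes of 0x01, not a real key.
const demoAccount = "examplestorage"

func demoKey() string { return base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{1}, 32)) }

// Standard headers in the order the Shared Key scheme lists them (Blob, Queue and File services).
var standardHeaders = []string{
	"Content-Encoding", "Content-Language", "Content-Length", "Content-MD5", "Content-Type",
	"Date", "If-Modified-Since", "If-Match", "If-None-Match", "If-Unmodified-Since", "Range",
}

// StringToSign builds VERB + standard headers + canonicalized x-ms-* headers + canonicalized resource.
func StringToSign(method, rawURL, account string, headers http.Header) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	parts := []string{method}
	for _, h := range standardHeaders {
		v := headers.Get(h)
		if h == "Content-Length" && v == "0" {
			v = "" // API version 2015-02-21 and later sign a zero length as empty
		}
		parts = append(parts, v)
	}
	var xms []string // x-ms-* headers: lowercase name, sorted
	for name, vals := range headers {
		if lower := strings.ToLower(name); strings.HasPrefix(lower, "x-ms-") {
			xms = append(xms, lower+":"+strings.Join(vals, ","))
		}
	}
	sort.Strings(xms)
	var sb strings.Builder
	sb.WriteString(strings.Join(parts, "\n") + "\n")
	for _, h := range xms {
		sb.WriteString(h + "\n")
	}
	path := u.EscapedPath()
	if path == "" {
		path = "/"
	}
	sb.WriteString("/" + account + path) // canonicalized resource: /account/path, then one name:value line per query parameter
	q := u.Query()
	names := make([]string, 0, len(q))
	for n := range q {
		names = append(names, n)
	}
	sort.Strings(names) // Storage query parameter names are already lowercase
	for _, n := range names {
		vals := append([]string(nil), q[n]...)
		sort.Strings(vals)
		sb.WriteString("\n" + strings.ToLower(n) + ":" + strings.Join(vals, ","))
	}
	return sb.String(), nil
}

// AuthorizationHeader computes Base64(HMAC-SHA256(key, stringToSign)) and formats the header value.
func AuthorizationHeader(account, keyB64, stringToSign string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(stringToSign))
	return "SharedKey " + account + ":" + base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

func main() {
	rawURL := "https://" + demoAccount + ".blob.core.windows.net/?comp=list" // List Containers
	h := http.Header{}
	h.Set("x-ms-date", time.Now().UTC().Format(http.TimeFormat)) // must be within 15 minutes of the service clock
	h.Set("x-ms-version", "2020-10-02")
	sts, err := StringToSign("GET", rawURL, demoAccount, h)
	if err != nil {
		panic(err)
	}
	auth, err := AuthorizationHeader(demoAccount, demoKey(), sts)
	if err != nil {
		panic(err)
	}
	fmt.Printf("curl -H 'x-ms-date: %s' -H 'x-ms-version: %s' -H 'Authorization: %s' '%s'\n",
		h.Get("x-ms-date"), h.Get("x-ms-version"), auth, rawURL)
}
```

The string-to-sign has to match byte for byte what the service computes, which is why the helper handles the two details that most often produce a 403: every standard header slot is present even when empty, and x-ms-* headers are lowercased and sorted. Because x-ms-date must be close to the service's clock, the command is generated at run time rather than copied from an old run.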
Like most Azure Functions, in the beginning we have a connection string to the associated storage account that includes the AccountKey, like this:
DefaultEndpointsProtocol=https;AccountName=ourstorageAccount;EndpointSuffix=core.windows.net;AccountKey=WQfbn+VBhaY1fi/l0eRBzvAvngiCiOwPmx/==
We obviously want to remove that AccountKey. I had hoped we could use Managed Identity and the 'Contributor' role, but what I am reading is telling me you cannot use Managed Identity to access Tables in a Storage Account, only Blobs.
I know that we could move the whole connection string to KeyVault, but that just becomes an Azure management issue if we want to rotate the keys.
Has anyone successfully controlled access to Azure Table Storage with Managed Identities?
If not, what is the next best approach that preferably allows for simple rotation of keys?
Has anyone successfully controlled access to Azure Table Storage with Managed Identities?
Definitely, it is unable to access Azure Table Storage with MSI (managed identity; essentially it is a service principal in Azure AD). When using MSI to access some Azure resources, it essentially uses the Azure AD client credential flow to get the token, then uses the token to access the resource.
However, Azure AD auth is just supported by Azure Blob and Queue storage; Table storage doesn't support it currently. See: Authorize access to blobs and queues using Azure Active Directory.
If not, what is the next best approach that preferably allows for simple rotation of keys?
You could use an Azure Function to do that; follow this doc: Automate the rotation of a secret for resources with two sets of authentication credentials. I think it completely meets your requirement: this tutorial rotates Azure Storage account keys stored in Azure Key Vault as secrets, using a function triggered by an Azure Event Grid notification.
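To show what the rotation function in that tutorial actually has to do, here is an added example (not the tutorial's code and not the answer's) of the rotation step written against two minimal interfaces, with in-memory stand-ins so it runs here without Azure. The secret name storage-conn, the account name and the way the active key name is recorded on the secret are assumptions. The ordering is the point: regenerate the key the current secret does not use, publish a new secret version built from it, and leave the previously active key valid until the following rotation so consumers that cached the old connection string keep working.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Secret models one Key Vault secret version; KeyName records which account key the
// stored connection string was built from (an assumed convention, e.g. a secret tag).
type Secret struct {
	Value   string
	KeyName string // "key1" or "key2"
	Expires time.Time
}

// SecretStore is the slice of the Key Vault secret API the rotation needs.
type SecretStore interface {
	Get(name string) (Secret, error)
	Set(name string, s Secret) error
}

// KeyRegenerator is the slice of the storage resource provider API the rotation needs:
// regenerate "key1" or "key2" and return the new value.
type KeyRegenerator interface {
	Regenerate(keyName string) (string, error)
}

func connectionString(account, key string) string {
	return fmt.Sprintf("DefaultEndpointsProtocol=https;AccountName=%s;EndpointSuffix=core.windows.net;AccountKey=%s", account, key)
}

// NeedsRotation reports whether the secret is within lead of expiry (what the near-expiry event signals).
func NeedsRotation(s Secret, now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(s.Expires)
}

// Rotate regenerates the key the current secret does NOT use and publishes a new secret
// version built from it. The previously active key stays valid until the next rotation, so
// consumers still holding the old secret keep working while they pick up the new one.
func Rotate(store SecretStore, acct KeyRegenerator, secretName, account string, validity time.Duration, now time.Time) (string, error) {
	cur, err := store.Get(secretName)
	if err != nil {
		return "", err
	}
	next := "key2"
	if cur.KeyName == "key2" {
		next = "key1"
	}
	newKey, err := acct.Regenerate(next)
	if err != nil {
		return "", err
	}
	return next, store.Set(secretName, Secret{
		Value:   connectionString(account, newKey),
		KeyName: next,
		Expires: now.Add(validity),
	})
}

type fakeAccount struct{ keys map[string]string } // in-memory stand-in for the storage account

func randomKey() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand; error handling elided in the stand-in
	return base64.StdEncoding.EncodeToString(b)
}

func newFakeAccount() *fakeAccount {
	return &fakeAccount{keys: map[string]string{"key1": randomKey(), "key2": randomKey()}}
}

func (a *fakeAccount) Regenerate(name string) (string, error) {
	if _, ok := a.keys[name]; !ok {
		return "", errors.New("unknown key name: " + name)
	}
	a.keys[name] = randomKey() // the previous value stops working immediately
	return a.keys[name], nil
}

type fakeVault map[string]Secret // in-memory stand-in for Key Vault secrets

func (v fakeVault) Get(name string) (Secret, error) {
	s, ok := v[name]
	if !ok {
		return Secret{}, errors.New("secret not found: " + name)
	}
	return s, nil
}

func (v fakeVault) Set(name string, s Secret) error { v[name] = s; return nil }

func main() {
	acct, vault, now := newFakeAccount(), fakeVault{}, time.Now()
	vault.Set("storage-conn", Secret{Value: connectionString("examplestorage", acct.keys["key1"]), KeyName: "key1", Expires: now.Add(time.Hour)})
	active, err := Rotate(vault, acct, "storage-conn", "examplestorage", 60*24*time.Hour, now)
	fmt.Println("secret now built from", active, err)
}
```

In the real function the two interfaces are backed by the Key Vault secrets client and the storage resource provider's regenerate-keys call, and it is the function's own identity, not the application's, that needs those permissions; the application only ever reads the secret.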
I am planning to write an Azure Function that will communicate with DocuSign through the DocuSign API.
I am using JWT for authentication and what I am worried about is storing the Access Token.
The access token expires in 1 hour. As the Azure function is stateless, I have to put the access token somewhere to reuse it.
My question is about securely storing this token in Azure.
I think the services below from Azure can serve me:
KeyVault
Memcached
Azure Caching
Azure SQL
Which will be best? I do not want an expensive service to serve this purpose.
I think if you want to store the token, you can use KeyVault to realize your ideas. The communication between the resources in KeyVault and Azure is based on the Azure backbone network, so as long as Azure is safe, KeyVault is safe. And KeyVault was originally designed to achieve your current requirement.
I think you should use Redis (or maybe a DB is easier/better for your case).
Azure has Redis; you can simply use that.
And why not Azure Key Vault?
Look at the docs:
Secrets, managed storage account keys, and vault transactions:
Transactions type    Maximum transactions allowed in 10 seconds, per vault per region
All transactions     4,000
It's because of transaction limits. You should not hit Azure KV so often.
Also interesting quote:
Cache secrets in your application for at least eight hours.
About Redis, you can read it here: Redis Docs
"The app uses a Redis cache as the backing store" (tutorial)
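Both answers come down to the same operational question: how not to request a fresh token (or re-read the secret) on every invocation. The following added example, not code from either answer or from DocuSign, is a token cache whose TTL is the provider's expires_in minus a safety margin, with a single-flight refresh so concurrent invocations share one grant. The Store interface is the two operations this needs from Azure Cache for Redis (GET and SETEX); memStore is an in-memory stand-in so the example runs offline, and the fetch callback stands in for the assumed JWT grant call.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Store is the minimal cache surface the token cache needs; on Azure Cache for Redis it maps
// onto GET and SETEX (assumed wiring, any Redis client will do). memStore is an in-memory
// stand-in with the same TTL semantics so the example runs offline.
type Store interface {
	Get(key string) (string, bool)
	SetEx(key, value string, ttl time.Duration)
}

type memItem struct {
	value   string
	expires time.Time
}

type memStore struct {
	now   func() time.Time // injectable clock
	mu    sync.Mutex
	items map[string]memItem
}

func newMemStore(now func() time.Time) *memStore {
	return &memStore{now: now, items: map[string]memItem{}}
}

func (m *memStore) Get(key string) (string, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	it, ok := m.items[key]
	if !ok || !m.now().Before(it.expires) { // missing or expired
		delete(m.items, key)
		return "", false
	}
	return it.value, true
}

func (m *memStore) SetEx(key, value string, ttl time.Duration) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.items[key] = memItem{value: value, expires: m.now().Add(ttl)}
}

// TokenCache hands out one access token per key and refreshes it only when the cached
// copy is missing or within margin of the provider's expiry.
type TokenCache struct {
	store  Store
	fetch  func() (token string, expiresIn time.Duration, err error) // stands in for the JWT grant
	margin time.Duration
	mu     sync.Mutex // serialises refreshes so concurrent callers share one fetch
}

func (c *TokenCache) Acquire(key string) (string, error) {
	if tok, ok := c.store.Get(key); ok {
		return tok, nil
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if tok, ok := c.store.Get(key); ok { // another caller refreshed while we waited
		return tok, nil
	}
	tok, expiresIn, err := c.fetch()
	if err != nil {
		return "", err
	}
	if ttl := expiresIn - c.margin; ttl > 0 {
		c.store.SetEx(key, tok, ttl)
	} // otherwise the token is too short-lived to share: use it once, cache nothing
	return tok, nil
}

func main() {
	calls := 0
	cache := &TokenCache{
		store:  newMemStore(time.Now),
		margin: 5 * time.Minute,
		fetch: func() (string, time.Duration, error) { // constructed stand-in for the grant
			calls++
			return fmt.Sprintf("constructed-token-%d", calls), time.Hour, nil
		},
	}
	for i := 0; i < 3; i++ {
		tok, _ := cache.Acquire("docusign")
		fmt.Println(tok) // same token each time; the grant ran once
	}
}
```

With a shared Redis store behind the same two methods, every function instance sees the same token and the grant runs roughly once an hour regardless of traffic; the margin is what prevents handing out a token that expires mid-request.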
Is there a way to get properties of a storage account, specifically the kind of account - GPv1, GPv2 or blob storage, through an API in Storage Services?
I came across https://msdn.microsoft.com/en-us/library/azure/ee460802.aspx but if possible, I would like to re-use the SharedKey authentication I use for the Blob Service APIs.
On this page, https://learn.microsoft.com/en-us/rest/api/storageservices/ I found this:
"All access to storage services takes place through the storage account. The storage account is the highest level of the namespace for accessing each of the fundamental services. It is also the basis for authentication.
The REST APIs for storage services expose the storage account as a resource."
How would I get properties of that resource? I played around with setting the restype to storage account, similar to "container" and "table", but could not access it.
When it comes to managing storage accounts, there are two REST APIs:
Storage Service REST API: This API is used to manage the data in the storage accounts. This makes use of account name and access key (also known as storage account key). You can find more details about this API here: https://learn.microsoft.com/en-us/rest/api/storageservices/.
Storage Resource Provider (SRP) REST API: This API is used to manage storage accounts. You can use this API to create, update, and delete storage accounts, regenerate account keys and get information about the storage accounts themselves. This makes use of Azure AD for authentication and authorization. You can find more details about this API here: https://learn.microsoft.com/en-us/rest/api/storagerp/.
Now, coming to your question, you can't really use the Storage Service REST API to find information about the type of storage account. You would need to use the Storage Resource Provider API to find this information. In particular, you will be consuming the Get Properties SRP API to find this information.
Need to store some content in Azure Blob Storage, and want to encrypt it prior to storing it in Azure Blob (we don't want to rely on Azure Storage encryption at rest). The issue is we do not want to store our encryption keys on Azure (e.g. Key Vault), and store them outside of Azure. Any suggestion on strategies for achieving this?
The issue is we do not want to store our encryption keys on Azure (e.g. Key Vault), and store them outside of Azure.
Azure Storage Service Encryption doesn't allow us to use our own encryption keys until now. To use your own encryption keys and store them outside of Azure, you need to create a proxy for your storage service.
For example, you could create a Web API to handle all the blob read/write requests. In your Web API, you could use your own encryption keys to encrypt or decrypt data and then write or read the data to Azure Blob Storage.
The limitation of this approach is that we can't use the Azure Storage Client library or other tools to access the storage proxy (Web API), since it is written by yourself.
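As an added example (not the answer's code), here is the core of such a proxy in Go: each write is sealed with AES-256-GCM under a key the proxy holds only in memory, with the blob name as associated data, so a sealed payload copied under another name or modified in place fails to open. Where the key comes from (the on-premises service over a hybrid connection suggested in the next answer) is outside this example; the 32-byte key here is a constructed value. BlobStore is an assumed minimal interface over the real blob client, and memBlobs an in-memory stand-in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BlobStore is an assumed minimal interface over the real blob client; memBlobs is an
// in-memory stand-in so the example runs offline.
type BlobStore interface {
	Put(name string, data []byte) error
	Get(name string) ([]byte, error)
}

type memBlobs map[string][]byte

func (m memBlobs) Put(name string, data []byte) error {
	m[name] = append([]byte(nil), data...)
	return nil
}

func (m memBlobs) Get(name string) ([]byte, error) {
	d, ok := m[name]
	if !ok {
		return nil, errors.New("blob not found: " + name)
	}
	return d, nil
}

// EncryptingProxy seals every write and opens every read with a key that lives only in the
// proxy's memory; the backend only ever sees nonce || ciphertext || tag.
type EncryptingProxy struct {
	aead    cipher.AEAD
	backend BlobStore
}

func NewEncryptingProxy(key []byte, backend BlobStore) (*EncryptingProxy, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes; 32 gives AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptingProxy{aead: aead, backend: backend}, nil
}

func (p *EncryptingProxy) Put(name string, plaintext []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per write
		return err
	}
	// The blob name is associated data: the tag covers it, so a payload copied to another
	// name, or a name pointed at another blob's payload, fails to open.
	sealed := p.aead.Seal(nil, nonce, plaintext, []byte(name))
	return p.backend.Put(name, append(nonce, sealed...))
}

func (p *EncryptingProxy) Get(name string) ([]byte, error) {
	payload, err := p.backend.Get(name)
	if err != nil {
		return nil, err
	}
	ns := p.aead.NonceSize()
	if len(payload) < ns+p.aead.Overhead() {
		return nil, errors.New("payload too short to be a sealed blob")
	}
	return p.aead.Open(nil, payload[:ns], payload[ns:], []byte(name))
}

func main() {
	key := bytes.Repeat([]byte{7}, 32) // constructed; in practice fetched from the on-premises key service
	proxy, err := NewEncryptingProxy(key, memBlobs{})
	if err != nil {
		panic(err)
	}
	if err := proxy.Put("reports/q1.txt", []byte("quarterly figures")); err != nil {
		panic(err)
	}
	back, err := proxy.Get("reports/q1.txt")
	fmt.Printf("%s %v\n", back, err)
}
```

The backend only ever sees nonce, ciphertext and tag, so neither server-side encryption at rest nor possession of the account key yields the content; the flip side is that losing the external key means losing the data, so key backup and rotation (re-sealing under a new key) have to be planned on the proxy side.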
Any suggestion of on-premises secret options we can use, which are accessible to components on Azure?
I suggest you store the key on your local side and create an internal API which could return this key. To access this internal API from Azure components, you could use hybrid connections.
Access on-premises resources using hybrid connections in Azure App Service
I want to create a key in my mobile app backend that contains my storage account primary key like this tutorial instructs, but I can't figure out where in the Azure Portal I should create the key. I can't find the Connection Strings blade that the tutorial refers to. Am I missing something, or should I use the storage account primary key somewhere else?
You can retrieve the key from portal, instead of creating it yourself.
The Azure storage connection string is like this:
Standard
DefaultEndpointsProtocol=http;AccountName=myAccount;AccountKey=myKey;
Secure
DefaultEndpointsProtocol=https;AccountName=myAccount;AccountKey=myKey;
Update:
This should be what you are looking for,