ms.assetid: title: Azure Key Vault managed storage account - CLI description: Storage account keys provide a seemless integration between Azure Key Vault and key based access to Azure Storage Account. ms.topic: conceptual services: key-vault ms.service: key-vault author: bryanla ms.author: bryanla manager: mbaldwin ms.date: 10/03/2018
Note
Azure storage now supports AAD authorization. We recommend using Azure Active Directory for authentication and authorization to Storage as users wouldn't have to worry about rotating their Storage Account keys.
- Azure Key Vault manages keys of an Azure Storage Account (ASA).
- Internally, Azure Key Vault can list (sync) keys with an Azure Storage Account.
- Azure Key Vault regenerates (rotates) the keys periodically.
- Key values are never returned in response to caller.
- Azure Key Vault manages keys of both Storage Accounts and Classic Storage Accounts.
- Azure CLI Install Azure CLI
- Create a Storage Account
- Follow the steps in this document to create a storage account
- Naming guidance: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
In the below instructions, we are assigning Key Vault as a service to have operator permissions on your storage account
Note
Please note that once you've set up Azure Key Vault managed storage account keys they should NO longer be changed except via Key Vault. Managed Storage account keys means that Key Vault would manage rotating the storage account key
-
After creating a storage account run the following command to get the resource ID of the storage account, you want to manage
az storage account show -n storageaccountname (Copy ID field out of the result of this command) -
Get Application ID of Azure Key Vault's service principal
az ad sp show --id cfa8b339-82a2-471a-a3c9-0fc0be7a4093 -
Assign Storage Key Operator role to Azure Key Vault Identity
az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id <ApplicationIdOfKeyVault> --scope <IdOfStorageAccount> -
Create a Key Vault Managed Storage Account.
Below, we are setting a regeneration period of 90 days. After 90 days, Key Vault will regenerate 'key1' and swap the active key from 'key2' to 'key1'.az keyvault storage add --vault-name <YourVaultName> -n <StorageAccountName> --active-key-name key2 --auto-regenerate-key --regeneration-period P90D --resource-id <Resource-id-of-storage-account>In case the user didn't create the storage account and does not have permissions to the storage account, the steps below set the permissions for your account to ensure that you can manage all the storage permissions in the Key Vault.
Note
In the case that the user does not have permissions to the storage account, we first get the Object-Id of the user
```
az ad user show --upn-or-object-id "[email protected]"
az keyvault set-policy --name <YourVaultName> --object-id <ObjectId> --storage-permissions backup delete list regeneratekey recover purge restore set setsas update
```
- Get-AzureKeyVaultManagedStorageAccount
- Add-AzureKeyVaultManagedStorageAccount
- Get-AzureKeyVaultManagedStorageSasDefinition
- Update-AzureKeyVaultManagedStorageAccountKey
- Remove-AzureKeyVaultManagedStorageAccount
- Remove-AzureKeyVaultManagedStorageSasDefinition
- Set-AzureKeyVaultManagedStorageSasDefinition