Managing access keys in Azure Key Vault
It is important to protect the storage account access keys because they provide full access to the storage account. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services, such as authentication keys, storage account keys, data encryption keys, and certificate private keys.
Keys in Azure Key Vault can be protected in software or by using hardware security modules (HSMs). HSM keys can be generated in place or imported. Importing keys is often referred to as bring your own key, or BYOK.
Reading and decrypting the stored keys is typically done by application code or a developer at run time, but secrets in Key Vault can also be referenced from ARM templates during deployment: Azure Resource Manager resolves the reference when the deployment runs, so the secret value never has to appear in the template, the parameter file, or the deploying client's session.
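The following is an added example (not code from the original page) showing the flow described above with the Az PowerShell module: rotate a storage account key, store it in Key Vault, and have an ARM deployment read it straight from the vault. Resource names, the `deploy.json` template and its `storageKey` parameter are assumptions for illustration.

```powershell
# Added example (not from the original page). Assumes the Az PowerShell module,
# a signed-in session, and an existing resource group, storage account and vault.
# All names below are placeholders.
$rg      = 'rg-example'
$account = 'stexample'
$vault   = 'kv-example'
$secret  = 'storage-account-key1'

# 1. Regenerate key1 so any previously leaked copy stops working, then fetch it.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $account -KeyName key1 | Out-Null
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account |
        Where-Object KeyName -eq 'key1').Value

# 2. Store the key as a Key Vault secret. The plaintext lives only in this
#    session as a SecureString and is discarded immediately afterwards.
Set-AzKeyVaultSecret -VaultName $vault -Name $secret `
    -SecretValue (ConvertTo-SecureString $key -AsPlainText -Force) | Out-Null
Remove-Variable key

# 3. Allow Azure Resource Manager to read secrets during template deployment.
#    Without this vault property a Key Vault parameter reference is rejected.
Set-AzKeyVaultAccessPolicy -VaultName $vault -EnabledForTemplateDeployment

# 4. Reference the secret from a parameter file. The value never passes through
#    the deploying client; ARM resolves it at deployment time.
$vaultId = (Get-AzKeyVault -VaultName $vault).ResourceId
$paramsJson = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageKey": {
      "reference": {
        "keyVault": { "id": "$vaultId" },
        "secretName": "$secret"
      }
    }
  }
}
"@
Set-Content -Path ./deploy.parameters.json -Value $paramsJson

# 5. Deploy. deploy.json (assumed) declares a secureString parameter named
#    storageKey. The principal running the deployment also needs the
#    Microsoft.KeyVault/vaults/deploy/action permission on the vault.
New-AzResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile ./deploy.json -TemplateParameterFile ./deploy.parameters.json
```

Declaring the parameter as `secureString` in the template matters: ARM then omits the resolved value from deployment history and outputs, which is the whole point of pulling it from Key Vault instead of pasting it into the parameter file.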
Configure identity-based access
Microsoft Entra ID authentication is useful for organizations that want to control data access at an enterprise level according to their security and compliance standards. It provides identity-based access to Azure Storage alongside the existing shared-key and SAS token authorization mechanisms. Entra ID authorization is supported for Blob, Queue, and Table Storage; Azure Files supports identity-based authentication for SMB file shares.
Entra ID authentication lets customers use Azure RBAC to grant the required permissions to a security principal (a user, group, or application) down to the scope of an individual blob container or queue. When a request is authenticated, Entra ID returns an OAuth 2.0 token to the security principal, which is then presented to Azure Storage for authorization. Because the token carries the principal's identity, access is attributable to a specific user or application, which a shared key cannot provide.
Entra ID authorization can be applied in several ways: assigning RBAC roles to a security principal (user, group, or application), using a managed identity, or creating a user delegation shared access signature, which is signed with Entra ID credentials rather than the account key. Note that assigning RBAC roles does not by itself turn off shared-key access; if Entra ID is meant to be the only path to the data, shared key authorization must be disabled on the storage account separately.
If an application runs inside an Azure resource that supports managed identities, such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use that managed identity to access a storage account without any stored credential.
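The following is an added example (not code from the original page) that puts the preceding paragraphs together with the Az PowerShell module: enable a VM's system-assigned managed identity, grant it a data role scoped to one container, read blobs with the Entra ID token instead of the account key, issue a user delegation SAS, and audit the resulting assignments. Resource names are placeholders; steps 1, 2 and 5 run from an administrator session, steps 3 and 4 on the VM.

```powershell
# Added example (not from the original page). Assumes the Az PowerShell module
# and an existing resource group, storage account, container and VM.
$rg        = 'rg-example'
$account   = 'stexample'
$container = 'invoices'
$vmName    = 'vm-worker01'

# 1. Make sure the VM has a system-assigned identity and get its object id.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $vm.Identity -or $vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
}
$principalId = $vm.Identity.PrincipalId

# 2. Scope the role to the single container rather than the whole account.
#    Least privilege: the VM can list and read this container and nothing else.
$sa    = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$scope = "$($sa.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope | Out-Null

# 3. On the VM, after Connect-AzAccount -Identity, talk to storage with the
#    OAuth token. -UseConnectedAccount means no account key is ever fetched.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
Get-AzStorageBlob -Container $container -Context $ctx |
    Select-Object Name, Length, LastModified

# 4. A SAS created from an OAuth context is a user delegation SAS: it is signed
#    with a key derived from the identity's token, not the account key, and
#    cannot be valid for more than seven days. Obtaining the delegation key
#    requires the Storage Blob Delegator role (or the equivalent action) at
#    storage-account scope or above, so a container-scoped reader alone is not enough.
$sas = New-AzStorageContainerSASToken -Name $container -Permission r `
    -ExpiryTime (Get-Date).AddHours(1) -Context $ctx

# 5. Audit. Get-AzRoleAssignment -Scope returns assignments at that scope and
#    those inherited from above, not child scopes, so the account-level query
#    will not show the container-scoped assignment made in step 2; query that
#    scope explicitly.
Get-AzRoleAssignment -Scope $sa.Id |
    Where-Object RoleDefinitionName -like 'Storage * Data *' |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage * Data *' |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The audit step is the one to keep in a periodic review: a data role assigned at subscription or resource-group scope is inherited by every storage account beneath it, and that is where over-broad access usually hides.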
RBAC roles for blobs, queues, and tables
Azure provides several built-in RBAC roles for authorizing data-plane access to Blob, Queue, and Table Storage:
- Storage Blob Data Owner: Full access to blob containers and data, including setting ownership and managing POSIX access control lists for Azure Data Lake Storage Gen2
- Storage Blob Data Contributor: Grants read/write/delete permissions for Blob Storage
- Storage Blob Data Reader: Grants read-only permissions for Blob Storage
- Storage Queue Data Contributor: Grants read/write/delete permissions for Queue Storage
- Storage Queue Data Reader: Grants read-only permissions for Queue Storage
- Storage Queue Data Message Processor: Grants peek, retrieve, and delete permissions on messages in queues
- Storage Queue Data Message Sender: Grants add permissions for messages in queues
- Storage Table Data Contributor: Grants read, write, and delete access to tables and entities
- Storage Table Data Reader: Grants read-only access to tables and entities