20 May Securing Azure Storage Accounts using PowerShell: Keys, SAS Tokens and RBAC

Introduction to Azure Storage Accounts

An Azure Storage Account is an essential resource that is required in order to store data objects in the cloud provided by Azure. It grants you access to your data objects and stores them in a distinct namespace, regardless of whether the objects are blobs, files, queues, tables or disks.

Multiple methods may be used to protect the data stored in an Azure Storage Account, ensuring that it is always kept secure and that only authorized users are able to access it. It is essential to have a solid understanding of these security features in order to protect the confidentiality of the data that is kept in your Azure environment.

Azure Storage Account Security

The storage access keys, Shared Access Signature (SAS) tokens and Azure Role-Based Access Control (RBAC) are the essential components that contribute to the security of an Azure Storage Account.

Storage Access Keys

Each storage account comes with two different access keys that may be used to verify the user’s identity before granting permission to view the data. They should be treated in the same manner as a root password for your storage account and kept a secret at all times.

Shared Access Signature (SAS) Tokens

Shared Access Signatures, often known as SAS, are uniform resource identifiers that are used to offer limited access privileges to Azure Storage resources. You are able to provide a customer access to a resource for a certain time period by providing them a Shared Access Signature (SAS), but you are prohibited from handing them your account access keys.

Azure RBAC

An authorization system known as Azure RBAC, which is based on Azure Resource Manager and offers fine-grained access control to Azure resources such as storage accounts, is known as Azure RBAC.

Managing Azure Storage Account Security using PowerShell

Azure PowerShell provides cmdlets for managing the security aspects of an Azure Storage Account.

Storage Account Keys

The Get-AzStorageAccountKey cmdlet can be used to list the access keys for a storage account:

Get-AzStorageAccountKey -ResourceGroupName "resourcegroup" -Name "storageaccount"

SAS Tokens

You can generate a SAS token using the New-AzStorageAccountSASToken cmdlet:

$ctx = New-AzStorageContext -StorageAccountName "storageaccount" -StorageAccountKey "<storage account key>"
New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission "rwdl" -Context $ctx

Managing Azure RBAC

We have already discussed how to manage Azure RBAC using PowerShell in the previous sections of this blog. The same commands can be used to assign, remove and list role assignments for a storage account.

Demo: Real Use Case Scenario

A global enterprise, Garson IT Ltd. is comprised of several teams located in a variety of countries and working on a variety of projects. For the majority of their data storage requirements, they heavily rely on Azure Storage Accounts.

It is necessary for Garsonto provide varying degrees of access to the many teams that make up the organization. Some teams need full access to their storage accounts, while other teams need simply read access to their accounts.

In addition to this, they work with third-party partners that need access to certain resources for a limited time. Garson is in need of a solution that would not only ensure the safety of their storage accounts but also provide them with the ability to manage access on such a granular level.

They come to the conclusion that the best way to fulfill these needs is to make use of a mix of Azure Storage Account keys, Shared Access Signature (SAS) tokens and Azure RBAC, all of which are handled using PowerShell.

The following is an example of a PowerShell script that Northwind Traders may use to tackle this complicated scenario:

# Define teams and roles
$teams = @{
    "AdminTeam" = "Contributor";
    "AuditTeam" = "Reader";
    "ProjectATeam" = "Storage Blob Data Contributor";
}

# Define the external partners and their access rights
$partners = @{
    "PartnerA" = @{
        "Service" = "Blob";
        "ResourceType" = "Object";
        "Permission" = "rl";
        "ExpiryTime" = (Get-Date).AddDays(7);
    };
}

# Loop through each team and assign the roles
foreach ($team in $teams.GetEnumerator()) {
    $roleAssignment = New-AzRoleAssignment -SignInName "$($team.Key)@garsonit.com" -RoleDefinitionName $team.Value -Scope "/subscriptions/<SubscriptionId>/resourceGroups/GarsonResourceGroup/providers/Microsoft.Storage/storageAccounts/garsonstorage"
    Write-Output "Assigned $($team.Value) role to $($team.Key)"
}

# Loop through each partner and generate SAS tokens
foreach ($partner in $partners.GetEnumerator()) {
    $storageContext = New-AzStorageContext -StorageAccountName "garsonstorage" -StorageAccountKey "<storage account key>"
    $sasToken = New-AzStorageAccountSASToken @partner.Value -Context $storageContext
    Write-Output "Generated SAS token for $($partner.Key): $sasToken"
}

# Regularly rotate storage account keys
$keys = Get-AzStorageAccountKey -ResourceGroupName "GarsonResourceGroup" -Name "garsonstorage"
New-AzStorageAccountKey -ResourceGroupName "GarsonResourceGroup" -Name "garsonstorage" -KeyName "key1"
Write-Output "Rotated key1 for GarsonStorage"

Within this script, (1st line) they outline the responsibilities that should be filled by each of their teams as well as the (9) access privileges that should be granted to each of their partners. (19) After that, they go around to each team and give each team the responsibility that was outlined before. (25) In addition to this, they iterate over each partner, creating an SAS token that contains the access privileges that are specified for each partner. (32) Finally, in order to assure the safety of their belongings, they routinely change the keys to their storage accounts. This script would be executed as a scheduled process, therefore automatically controlling access to their storage accounts and guaranteeing the security of those accounts.