MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

How does the Key Vault secret get associated to a storage account key #56508

Closed Gary-Peluso closed 4 years ago

Gary-Peluso commented 4 years ago

I wonder if there is something missing in this documentation. It clearly shows how to associate a key vault to a storage account key so that the key can be automatically regenerated. But the regenerated key doesn't appear anywhere within keyvault.

I don't see how it associates the key value to a secret in keyvault.



JamesTran-MSFT commented 4 years ago

@Gary-Peluso Thanks for your feedback! We will investigate and update as appropriate.

JamesTran-MSFT commented 4 years ago

@Gary-Peluso I was able to walk-through the documentation and will post my findings below. Please click the hyperlinked words for more detail.

Findings: When walking through the documentation to "Manage storage account keys with Key Vault and the Azure CLI", I found that once you run the "az keyvault storage add" command you're simply setting up the key vault to manage/regenerate/rotate your storage account Access Keys. The equivalent PowerShell command of "az keyvault storage add" can be found here along with a more detailed explanation.

Walking through the documentation further, I generated a SAS token, which I named and was able to see the "secret" within the Azure Key Vault using the "az keyvault secret show" command. Using this command you can see the Storage Account SAS token in the Azure Key Vault, however, you can ONLY see the Secret using this command and not from within the Azure Portal.


Additional Links:
Manage storage account keys with Key Vault and Azure PowerShell
Fetching SAS tokens in code

Please let me know if you have any other questions. Thank you for your time and patience.

Gary-Peluso commented 4 years ago

Thank you for the fast response and it looks like that answers my question! It was not obvious from reading the documentation that the SAS token was part of how an application can get the regenerated access key.

Perhaps a segue at the end of the first section should say something like: "If your application needs to read the newly generated access key then a SAS token needs to be configured as described in the next section." Something like that.

I've been researching this answer on the internet and there are several solutions using custom scripts to regenerate keys and push them into a secret. I'm not the only one confused about how this all works.

Thank you again for your help!

JamesTran-MSFT commented 4 years ago

@Gary-Peluso Thank you for the quick response, I'm glad I was able to help you better understand the documentation!

I'll go ahead and assign this issue to the author for the requested doc update.

jlichwa commented 4 years ago

Hello @Gary-Peluso, We mentioned that in the second sentence: "Key Vault manages storage account keys by periodically regenerating them in storage account and provides shared access signature tokens for delegated access to resources in your storage account."

It basically regenerates the key and provides you a SAS token for access based on the definition. Storage account keys are never stored in Key Vault. SAS tokens are used instead to provide access, and they are used to access Storage; an example is shown here https://docs.microsoft.com/en-us/azure/key-vault/secrets/storage-keys-sas-tokens-code
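An added example (not code from the docs page or from either commenter) of the pattern JamesTran and jlichwa describe: the application never reads the storage account key at all; it reads the SAS token that Key Vault mints for the SAS definition, checks that the token is still valid and carries the permissions it needs, and hands it to the Blob client as the credential. The vault URL, storage account name and SAS definition name are placeholders, the sample tokens are constructed and carry no real signature, the secret name convention `<storage-account>-<sas-definition-name>` follows the Key Vault storage-key documentation, and the `azure-identity`, `azure-keyvault-secrets` and `azure-storage-blob` packages are assumed to be installed for the two functions that talk to Azure.

```python
"""Read a Key Vault-managed storage SAS token and use it against Blob Storage.

Added example, not part of the azure-docs page or the issue thread.
Assumptions: `az keyvault storage add` and `az keyvault storage sas-definition
create` have already been run, so Key Vault exposes the SAS definition as a
secret named "<storage-account>-<sas-definition-name>". VAULT_URL,
STORAGE_ACCOUNT and SAS_DEFINITION are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import parse_qs

VAULT_URL = "https://<your-vault>.vault.azure.net"  # placeholder
STORAGE_ACCOUNT = "<your-storage-account>"           # placeholder
SAS_DEFINITION = "<your-sas-definition>"             # placeholder


def sas_secret_name(storage_account: str, sas_definition: str) -> str:
    """Key Vault names the managed SAS secret <account>-<definition>."""
    return f"{storage_account}-{sas_definition}"


def parse_sas(sas: str) -> dict[str, str]:
    """Split a SAS query string into its parameters (sv, ss, srt, sp, se, sig, ...)."""
    token = sas[1:] if sas.startswith("?") else sas
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def sas_is_usable(sas: str, required_perms: str = "r", now: datetime | None = None) -> bool:
    """True if the token is unexpired and grants every permission in required_perms.

    Key Vault mints a fresh token on each read, so an expired token normally means
    the application cached it for longer than the SAS definition's validity period.
    """
    params = parse_sas(sas)
    expiry = params.get("se")
    if not expiry:
        return False
    exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
    if exp <= (now or datetime.now(timezone.utc)):
        return False
    granted = set(params.get("sp", ""))
    return set(required_perms) <= granted


def fetch_sas_from_key_vault(vault_url: str, secret_name: str) -> str:
    """Read the SAS token Key Vault generates for the SAS definition (network call)."""
    from azure.identity import DefaultAzureCredential  # assumed installed
    from azure.keyvault.secrets import SecretClient    # assumed installed

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


def list_containers(storage_account: str, sas: str) -> list[str]:
    """Use the SAS token itself as the credential; the account key is never touched."""
    from azure.storage.blob import BlobServiceClient  # assumed installed

    service = BlobServiceClient(
        account_url=f"https://{storage_account}.blob.core.windows.net",
        credential=sas,
    )
    return [c.name for c in service.list_containers()]


# Constructed sample tokens for the offline checks; the signatures are not real.
SAMPLE_SAS = (
    "?sv=2020-08-04&ss=b&srt=sco&sp=rl&se=2099-01-01T00:00:00Z"
    "&st=2020-01-01T00:00:00Z&spr=https&sig=REDACTED"
)
EXPIRED_SAS = "sv=2020-08-04&ss=b&srt=sco&sp=rl&se=2000-01-01T00:00:00Z&sig=REDACTED"

if __name__ == "__main__":
    name = sas_secret_name(STORAGE_ACCOUNT, SAS_DEFINITION)
    sas = fetch_sas_from_key_vault(VAULT_URL, name)
    if not sas_is_usable(sas, required_perms="l"):
        raise SystemExit("SAS token expired or lacks list permission; check the SAS definition")
    print(list_containers(STORAGE_ACCOUNT, sas))
```

The `se` and `sp` check matters because the token's lifetime and permissions come entirely from the SAS definition, not from anything the application controls; if the definition is read-only, a write attempt fails at the storage service and the regenerated account key is never exposed to the application.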

jlichwa commented 4 years ago

please-close