Generate Secondary Access Key For Blob In Azure


A connection string includes the authorization information required for your application to access data in an Azure Storage account at runtime using Shared Key authorization. You can configure connection strings to:

  • Connect to the Azure storage emulator.
  • Access a storage account in Azure.
  • Access specified resources in Azure via a shared access signature (SAS).

Regenerate the primary access key for your storage account. On the Access Keys blade in the Azure portal, click Regenerate Key1, and then click Yes to confirm that you want to generate a new key. Update the connection strings in your code to reference the new primary access key. Regenerate the secondary access key in the same manner.

If you're referring to a Windows Azure Storage account, the storage account name would be the DNS prefix you created (e.g. mystorage.blob.core.windows.net - the name would be mystorage). You then get two keys - primary and secondary. Specify either.

Retrieve Azure Storage access keys in ARM template: This template will create a Storage account, after which it will create an API connection by dynamically retrieving the primary key of the Storage account. The API connection is then used in a Logic App as a trigger polling for blob changes.

Protect your access keys

Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.

If possible, use Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key. For more information about authorizing access to data with Azure AD, see Authorize access to Azure blobs and queues using Azure Active Directory.

View and copy a connection string

To view and copy your storage account access keys or connection string from the Azure portal:

  1. Navigate to the Azure portal.

  2. Locate your storage account.

  3. Under Settings, select Access keys. Your account access keys appear, as well as the complete connection string for each key.

  4. Find the Key value under key1, and click the Copy button to copy the account key.

  5. Alternately, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.

You can use either key to access Azure Storage, but in general it's a good practice to use the first key, and reserve the use of the second key for when you are rotating keys.

To view or read an account's access keys, the user must either be a Service Administrator, or must be assigned an RBAC role that includes the Microsoft.Storage/storageAccounts/listkeys/action. Some built-in RBAC roles that include this action are the Owner, Contributor, and Storage Account Key Operator Service Role roles. For more information about the Service Administrator role, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles. For detailed information about built-in roles for Azure Storage, see the Storage section in Azure built-in roles for Azure RBAC.

Store a connection string

Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your connection string:

  • You can store your connection string in an environment variable.
  • An application running on the desktop or on a device can store the connection string in an app.config or web.config file. Add the connection string to the AppSettings section in these files.
  • An application running in an Azure cloud service can store the connection string in the Azure service configuration schema (.cscfg) file. Add the connection string to the ConfigurationSettings section of the service configuration file.

Storing your connection string in a configuration file makes it easy to update the connection string to switch between the storage emulator and an Azure storage account in the cloud. You only need to edit the connection string to point to your target environment.

You can use the Microsoft Azure Configuration Manager to access your connection string at runtime regardless of where your application is running.

Configure a connection string for the storage emulator

The storage emulator supports a single fixed account and a well-known authentication key for Shared Key authentication. This account and key are the only Shared Key credentials permitted for use with the storage emulator. They are:

Note

The authentication key supported by the storage emulator is intended only for testing the functionality of your client authentication code. It does not serve any security purpose. You cannot use your production storage account and key with the storage emulator. You should not use the development account with production data.

The storage emulator supports connection via HTTP only. However, HTTPS is the recommended protocol for accessing resources in a production Azure storage account.

Connect to the emulator account using a shortcut

The easiest way to connect to the storage emulator from your application is to configure a connection string in your application's configuration file that references the shortcut UseDevelopmentStorage=true. Here's an example of a connection string to the storage emulator in an app.config file:

Connect to the emulator account using the well-known account name and key

To create a connection string that references the emulator account name and key, you must specify the endpoints for each of the services you wish to use from the emulator in the connection string. This is necessary so that the connection string will reference the emulator endpoints, which are different than those for a production storage account. For example, the value of your connection string will look like this:

This value is identical to the shortcut shown above, UseDevelopmentStorage=true.

Specify an HTTP proxy

You can also specify an HTTP proxy to use when you're testing your service against the storage emulator. This can be useful for observing HTTP requests and responses while you're debugging operations against the storage services. To specify a proxy, add the DevelopmentStorageProxyUri option to the connection string, and set its value to the proxy URI. For example, here is a connection string that points to the storage emulator and configures an HTTP proxy:

For more information about the storage emulator, see Use the Azure storage emulator for development and testing.

Configure a connection string for an Azure storage account

To create a connection string for your Azure storage account, use the following format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, and replace myAccountKey with your account access key:

DefaultEndpointsProtocol=[http|https];AccountName=myAccountName;AccountKey=myAccountKey

For example, your connection string might look similar to:

DefaultEndpointsProtocol=https;AccountName=storagesample;AccountKey=<account-key>

Although Azure Storage supports both HTTP and HTTPS in a connection string, HTTPS is highly recommended.
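An added example (not part of the original article or of any Microsoft library) that parses a Shared Key connection string in the format above and flags weak settings. It assumes the 512-bit key length stated elsewhere on this page; `parse_connection_string`, `audit_connection_string` and the sample values are hypothetical names and constructed data.

```python
import base64
import binascii

def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' pairs. Only the first '=' separates key from
    value, because a base64 AccountKey normally ends in '=' padding."""
    settings = {}
    for part in conn.strip().split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed setting: {part!r}")
        key, value = part.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_connection_string(conn: str) -> list:
    """Return a list of findings for one connection string."""
    s = parse_connection_string(conn)
    if s.get("UseDevelopmentStorage", "").lower() == "true":
        return ["emulator shortcut: development only"]
    findings = []
    if s.get("DefaultEndpointsProtocol", "").lower() != "https":
        findings.append("DefaultEndpointsProtocol is not https")
    if not s.get("AccountName"):
        findings.append("AccountName missing")
    key = s.get("AccountKey")
    if key is not None:
        # Informational: whoever reads this string holds full account access.
        findings.append("embeds an account key (full account access)")
        try:
            raw = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append("AccountKey is not valid base64")
        else:
            if len(raw) != 64:
                findings.append(f"AccountKey is {len(raw) * 8} bits, expected 512")
    return findings

# Constructed sample values; the key is 64 zero bytes, not a real credential.
SAMPLE_KEY = base64.b64encode(bytes(64)).decode()
GOOD = f"DefaultEndpointsProtocol=https;AccountName=storagesample;AccountKey={SAMPLE_KEY}"
WEAK = "DefaultEndpointsProtocol=http;AccountName=storagesample;AccountKey=c2hvcnQ="

if __name__ == "__main__":
    for label, conn in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_connection_string(conn))
```

Run over configuration files in a repository or deployment bundle, the "embeds an account key" finding marks every place that must change during a key rotation.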

Tip

You can find your storage account's connection strings in the Azure portal. Navigate to SETTINGS > Access keys in your storage account's menu blade to see connection strings for both primary and secondary access keys.

Create a connection string using a shared access signature

If you possess a shared access signature (SAS) URL that grants you access to resources in a storage account, you can use the SAS in a connection string. Because the SAS contains the information required to authenticate the request, a connection string with a SAS provides the protocol, the service endpoint, and the necessary credentials to access the resource.

To create a connection string that includes a shared access signature, specify the string in the following format:

Each service endpoint is optional, although the connection string must contain at least one.

Note

Using HTTPS with a SAS is recommended as a best practice.

If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL.

Service SAS example

Here's an example of a connection string that includes a service SAS for Blob storage:

And here's an example of the same connection string with encoding of special characters:

Account SAS example

Here's an example of a connection string that includes an account SAS for Blob and File storage. Note that endpoints for both services are specified:

And here's an example of the same connection string with URL encoding:

Create a connection string for an explicit storage endpoint

You can specify explicit service endpoints in your connection string instead of using the default endpoints. To create a connection string that specifies an explicit endpoint, specify the complete service endpoint for each service, including the protocol specification (HTTPS (recommended) or HTTP), in the following format:

One scenario where you might wish to specify an explicit endpoint is when you've mapped your Blob storage endpoint to a custom domain. In that case, you can specify your custom endpoint for Blob storage in your connection string. You can optionally specify the default endpoints for the other services if your application uses them.

Here is an example of a connection string that specifies an explicit endpoint for the Blob service:

This example specifies explicit endpoints for all services, including a custom domain for the Blob service:

The endpoint values in a connection string are used to construct the request URIs to the storage services, and dictate the form of any URIs that are returned to your code.

If you've mapped a storage endpoint to a custom domain and omit that endpoint from a connection string, then you will not be able to use that connection string to access data in that service from your code.

Important

Service endpoint values in your connection strings must be well-formed URIs, including https:// (recommended) or http://. Because Azure Storage does not yet support HTTPS for custom domains, you must specify http:// for any endpoint URI that points to a custom domain.

Create a connection string with an endpoint suffix

To create a connection string for a storage service in regions or instances with different endpoint suffixes, such as for Azure China 21Vianet or Azure Government, use the following connection string format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, replace myAccountKey with your account access key, and replace mySuffix with the URI suffix:

Here's an example connection string for storage services in Azure China 21Vianet:

Parsing a connection string

The Microsoft Azure Configuration Manager Library for .NET provides a class for parsing a connection string from a configuration file. The CloudConfigurationManager class parses configuration settings. It parses settings for client applications that run on the desktop, on a mobile device, in an Azure virtual machine, or in an Azure cloud service.

To reference the CloudConfigurationManager package, add the following using directives:

Here's an example that shows how to retrieve a connection string from a configuration file:


Using the Azure Configuration Manager is optional. You can also use an API such as the .NET Framework's ConfigurationManager Class.


Azure Storage: Learn how to view, manage, and rotate your storage account access keys.

Author: tamram. Topic: how-to.

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization.

Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications. You can also manually rotate your keys.


View access keys and connection string


Use Azure Key Vault to manage your access keys

Microsoft recommends using Azure Key Vault to manage and rotate your access keys. Your application can securely access your keys in Key Vault, so that you can avoid storing them with your application code. For more information about using Key Vault for key management, see the following articles:


Manually rotate access keys

Microsoft recommends that you rotate your access keys periodically to help keep your storage account secure. If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually.

Two access keys are assigned so that you can rotate your keys. Having two keys ensures that your application maintains access to Azure Storage throughout the process.

Warning

Regenerating your access keys can affect any applications or Azure services that are dependent on the storage account key. Any clients that use the account key to access the storage account must be updated to use the new key, including media services, cloud, desktop and mobile applications, and graphical user interface applications for Azure Storage, such as Azure Storage Explorer.

Follow this process to rotate your storage account keys:

  1. Update the connection strings in your application code to use the secondary key.
  2. Regenerate the primary access key for your storage account. On the Access Keys blade in the Azure portal, click Regenerate Key1, and then click Yes to confirm that you want to generate a new key.
  3. Update the connection strings in your code to reference the new primary access key.
  4. Regenerate the secondary access key in the same manner.

Note

Microsoft recommends using only one of the keys in all of your applications at the same time. If you use Key 1 in some places and Key 2 in others, you will not be able to rotate your keys without some application losing access.
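The rotation order above, modeled as an added example (not Microsoft's code and not an Azure SDK call): a toy account with two keys, clients that the procedure updates, and clients it does not. `StorageAccount`, `rotate` and the client names are hypothetical; the run shows that a uniformly managed fleet is never denied, while a client left on the other key loses access when that key is regenerated.

```python
import secrets

class StorageAccount:
    """Toy stand-in for a storage account with two Shared Key credentials."""
    def __init__(self):
        self.keys = {n: secrets.token_bytes(64) for n in ("key1", "key2")}

    def regenerate(self, name):
        self.keys[name] = secrets.token_bytes(64)  # the old value stops working

    def authorize(self, presented):
        return any(secrets.compare_digest(presented, k) for k in self.keys.values())

def rotate(account, managed, unmanaged):
    """Run the four rotation steps. `managed` clients have their connection
    string updated by the procedure; `unmanaged` clients keep the key they were
    deployed with. Returns {step: [clients denied after that step]}."""
    clients = {**managed, **unmanaged}
    denied = {}

    def check(step):
        denied[step] = sorted(n for n, k in clients.items() if not account.authorize(k))

    for name in managed:            # 1. point applications at the secondary key
        clients[name] = account.keys["key2"]
    check(1)
    account.regenerate("key1")      # 2. regenerate the primary key
    check(2)
    for name in managed:            # 3. point applications at the new primary key
        clients[name] = account.keys["key1"]
    check(3)
    account.regenerate("key2")      # 4. regenerate the secondary key
    check(4)
    return denied

def demo():
    """Constructed scenarios: a uniform fleet, then one client left on key2."""
    acct = StorageAccount()
    clean = rotate(acct, {"web": acct.keys["key1"], "worker": acct.keys["key1"]}, {})
    acct = StorageAccount()
    mixed = rotate(acct, {"web": acct.keys["key1"]}, {"report-job": acct.keys["key2"]})
    return clean, mixed

if __name__ == "__main__":
    print(demo())
```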


To rotate an account's access keys, the user must either be a Service Administrator, or must be assigned an RBAC role that includes the Microsoft.Storage/storageAccounts/regeneratekey/action. Some built-in RBAC roles that include this action are the Owner, Contributor, and Storage Account Key Operator Service Role roles. For more information about the Service Administrator role, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles. For detailed information about built-in RBAC roles for Azure Storage, see the Storage section in Azure built-in roles for Azure RBAC.
