Signing key under Shared Access Signature

Answers

  • These storage access keys are used in authentication for accessing the storage account.

     When you create a storage account you are provided with two storage access keys, i.e. Primary and Secondary access keys. You might be wondering what the purpose of providing a second access key is. As far as I know, you can use the storage access keys for the two scenarios discussed below.

    For avoiding downtime

    You might want to change the access keys on a regular basis as per your corporate security policy. However, when you change the access keys, your cloud services using the storage account will no longer be able to access the storage account. This will lead to downtime. The cloud services will be able to access the storage account only after you update the new storage access keys in your configuration file. Hence, to avoid this, update the configuration file with the secondary access key and only then regenerate the primary access key. Once the new primary access key is regenerated you can use this key to update the configuration file once again.

     For temporary sharing of access keys

    You might on some occasion want to share your storage access keys with your colleagues. Instead of sharing the primary access key (which is used in your cloud services), share the secondary key. When you want to revoke the access from that individual, regenerate the secondary key. Once the secondary key is regenerated the old secondary key will no longer be valid.

    This is a bit of an old blog post, but it provides complete information: https://blogs.msdn.microsoft.com/jennifer/2010/03/02/why-do-you-need-a-primary-and-a-secondary-access-key-for-windows-azure-storage/

    Refer here for additional information.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Friday, November 1, 2019 9:38 AM
  • Hi,

    But why can we not do this: if it is hacked by someone, we reset key1 and then update it in the application code. Why is it necessary to update the application code with key2 and then reset key1?

    Answer is - To prevent downtime. 

    If key1 is being used in 10 places, you regenerate it and update it in 10 places. This might take a few minutes, but during this time the services might not be accessible as the old key1 is invalid. So, we use key2.


    Regards,
    Vaibhav

    • Marked as answer by chapter 7 Friday, November 1, 2019 12:46 PM
    Friday, November 1, 2019 12:27 PM

All replies

  • Consider you have generated the new access key as the current key is compromised.
    Now all existing SAS storage connections should be updated with the new key. 

    The above feature is just helping the administrator to generate a new SAS Token with the updated key.

    If key1 is updated, you can generate a new SAS token after setting the "Signing Key" to Key1. Similarly Key2.


    Friday, November 1, 2019 7:51 AM
  • SAS is generated using the shared key. That lets you pick which key to use to create the SAS URL.

    For more information:

    SAS is a claim-based authorization mechanism using simple tokens. Using SAS, keys are never passed on the wire. Keys are used to cryptographically sign information that can later be verified by the service. SAS can be used similar to a username and password scheme where the client is in immediate possession of an authorization rule name and a matching key. SAS can be used similar to a federated security model, where the client receives a time-limited and signed access token from a security token service without ever coming into possession of the signing key.

    Any client that has access to the name of an authorization rule and one of its signing keys can generate a SAS token. The token is generated by crafting a string in the following format:

    se – Token expiry instant. Integer reflecting seconds since epoch 00:00:00 UTC on 1 January 1970 (UNIX epoch) when the token expires

    skn – Name of the authorization rule, that is, the SAS key name.

    sr – URI of the resource being accessed.

    sig – Signature.

    The token contains the non-hashed values so that the recipient can recompute the hash with the same parameters, verifying that the issuer is in possession of a valid signing key.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Friday, November 1, 2019 8:10 AM
  • Hi,

    Why are there two keys, key1 and key2? If we have set key1, then why do we need to set key2? What will the function of key2 be?

    Regards

    Friday, November 1, 2019 9:21 AM
  • Hi,

    Why are there two keys, key1 and key2? If we have set key1, then why do we need to set key2? What will the function of key2 be?

    Key2 is useful when you re-generate the key1.

    Example:

    The application code is using key1 and this key1 is hacked by someone and we need to reset it. 

    In this case, we can update the app code to use key2 and then reset key1. 


    Regards,
    Vaibhav

    Friday, November 1, 2019 9:30 AM
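As an added illustration (not code from any reply above or from Azure itself), the model below ties the 8:10 AM reply's token format (sr, se, skn, sig fields; signature recomputed by the service) to the key2-then-regenerate-key1 advice in the later replies. The rule name, resource URI, random key1/key2 values, and the assumption that the service accepts a signature under either current key are constructed for the example; the exact string-to-sign encoding a real service expects is not asserted here.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode

RULE = "myrule"  # hypothetical authorization rule name (the skn field)
SR = "https://myaccount.blob.core.windows.net/mycontainer"  # hypothetical resource URI

def new_key() -> str:
    # Constructed stand-in for a rule's key1/key2; real keys come from the portal.
    return base64.b64encode(secrets.token_bytes(32)).decode()

def sign(sr: str, se: int, key: str) -> str:
    # Only this HMAC over (resource, expiry) goes on the wire; the key itself never does.
    msg = f"{quote(sr, safe='')}\n{se}".encode()
    return base64.b64encode(hmac.new(base64.b64decode(key), msg, hashlib.sha256).digest()).decode()

def make_sas(sr: str, se: int, skn: str, key: str) -> str:
    # Client side: the token carries the unhashed fields plus the signature.
    return "SharedAccessSignature " + urlencode({"sr": sr, "sig": sign(sr, se, key), "se": se, "skn": skn})

class Service:
    """Service side: holds both keys of the rule; regenerating one leaves the other valid."""
    def __init__(self):
        self.keys = {"key1": new_key(), "key2": new_key()}

    def regenerate(self, name: str) -> None:
        self.keys[name] = new_key()

    def verify(self, token: str, now: int) -> bool:
        fields = parse_qs(token.split(" ", 1)[-1])
        sr, sig, se, skn = (fields.get(k, [""])[0] for k in ("sr", "sig", "se", "skn"))
        if skn != RULE or not se.isdigit() or int(se) <= now:  # wrong rule or expired
            return False
        # Assumed model: either current key is accepted, so clients can move to key2 first.
        return any(hmac.compare_digest(sign(sr, int(se), k), sig) for k in self.keys.values())

def rotation_scenario(now: int) -> dict:
    svc = Service()
    t1 = make_sas(SR, now + 3600, RULE, svc.keys["key1"])
    t2 = make_sas(SR, now + 3600, RULE, svc.keys["key2"])
    out = {"key1_before": svc.verify(t1, now), "key2_before": svc.verify(t2, now)}
    svc.regenerate("key1")  # key1 leaked: regenerate it once clients are on key2
    out["old_key1_after"] = svc.verify(t1, now)  # a copy of the old key1 is now useless
    out["key2_after"] = svc.verify(t2, now)  # clients already on key2 saw no downtime
    out["expired"] = svc.verify(make_sas(SR, now - 1, RULE, svc.keys["key2"]), now)
    out["tampered_expiry"] = svc.verify(t2.replace(f"&se={now + 3600}&", f"&se={now + 7200}&"), now)
    return out
```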
  • Hi,

    But why can we not do this: if it is hacked by someone, we reset key1 and then update it in the application code. Why is it necessary to update the application code with key2 and then reset key1?

    Regards

    Friday, November 1, 2019 12:15 PM