Managing access keys in Azure Key Vault

Posted on 2024-09-05 by zeusexam

It is important to protect the storage account access keys because they provide full access to the storage account. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services, such as authentication keys, storage account keys, data encryption keys, and certificate private keys.

Keys in Azure Key Vault can be protected in software or by using hardware security modules (HSMs). HSM keys can be generated in place or imported. Importing keys is often referred to as bring your own key, or BYOK.

Accessing and decrypting the stored keys is typically done by a developer, although keys from Key Vault can also be accessed from ARM templates during deployment.
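Because a storage account key grants full access to the account, the most useful routine check is to make sure no key has been pasted into configuration instead of being kept in Key Vault. The script below is an added example for this study guide, not code from the guide or from Microsoft: it scans configuration text for connection strings that embed an `AccountKey=` literal, reports each hit with a hashed fingerprint rather than the key itself, and lists Key Vault secret URIs as the preferred pattern. It assumes the key format (86 base64 characters followed by `==`) and uses a constructed fake key and a constructed config file.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Assumption of this example: an Azure storage account key is a 512-bit value
# presented as base64, i.e. 86 base64 characters followed by "==" (88 in total).
STORAGE_KEY_RE = re.compile(r"AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)", re.IGNORECASE)
ACCOUNT_NAME_RE = re.compile(r"AccountName=(?P<name>[a-z0-9]{3,24})", re.IGNORECASE)
# A Key Vault secret URI is what we want to see in config instead of a literal key.
KEYVAULT_URI_RE = re.compile(
    r"https://[a-z0-9-]+\.vault\.azure\.net/secrets/[a-z0-9-]+", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    account: str
    fingerprint: str  # truncated SHA-256 of the key; the key itself is never stored


def fingerprint(secret: str) -> str:
    """Stable identifier for a key that can be logged without exposing the key."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that embeds a literal storage account key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key_match = STORAGE_KEY_RE.search(line)
        if key_match is None:
            continue
        name_match = ACCOUNT_NAME_RE.search(line)
        account = name_match.group("name") if name_match else "<unknown>"
        findings.append(Finding(line_no, account, fingerprint(key_match.group("key"))))
    return findings


def key_vault_references(text: str) -> list[str]:
    """Key Vault secret URIs found in the text (the pattern to prefer over literal keys)."""
    return [m.group(0) for m in KEYVAULT_URI_RE.finditer(text)]


# Constructed sample: the "key" is 64 bytes of 0x01 encoded as base64, so it has
# the right shape without being a real credential.
FAKE_KEY = base64.b64encode(b"\x01" * 64).decode()
SAMPLE_CONFIG = "\n".join([
    "# appsettings.env (constructed sample)",
    "STORAGE_CONN=DefaultEndpointsProtocol=https;AccountName=contosostore;"
    f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net",
    "KEYVAULT_SECRET=https://contoso-kv.vault.azure.net/secrets/storage-key",
    "LOG_LEVEL=info",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: literal key for account '{f.account}' (sha256 {f.fingerprint})")
    for uri in key_vault_references(SAMPLE_CONFIG):
        print(f"Key Vault reference (preferred): {uri}")
```

Reporting a hash prefix instead of the matched key keeps the scanner's own output from becoming a second copy of the secret in CI logs.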

Configure identity-based access

Microsoft Entra ID authentication is beneficial for customers who want to control data access at an enterprise level based on their security and compliance standards. Entra ID authentication provides identity-based access to Azure Storage alongside the existing shared-key and SAS token authorization mechanisms for Azure Storage (Blob and Queue). Azure blobs, files, and queues are supported by Entra ID authentication.

Entra ID authentication enables customers to use Azure RBAC to grant the required permissions to a security principal (users, groups, and applications) down to the scope of an individual blob container or queue. When it authenticates a request, Entra ID returns an OAuth 2.0 token to the security principal, which can then be used for authorization against Azure Storage.

Entra ID authorization can be implemented in many ways, such as assigning RBAC roles to a security principal (users, groups, and applications), using a managed identity, or creating shared access signatures signed by Entra ID credentials.

If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access a storage account.

RBAC roles for blobs and queues

There are several built-in RBAC roles available in Azure for authorizing access to Blob and Queue Storage:

  • Storage Blob Data Owner: Sets ownership and manages POSIX access control for Azure Data Lake Storage Gen2
  • Storage Blob Data Contributor: Grants read/write/delete permissions for Blob Storage
  • Storage Blob Data Reader: Grants read-only permissions for Blob Storage
  • Storage Queue Data Contributor: Grants read/write/delete permissions for Queue Storage
  • Storage Queue Data Reader: Grants read-only permissions for Queue Storage
  • Storage Queue Data Message Processor: Grants peek, retrieve, and delete permissions to messages in queues
  • Storage Queue Data Message Sender: Grants add permissions to messages in queues
  • Storage Table Data Contributor: Allows read, write, and delete access to tables and entities
  • Storage Table Data Reader: Provides read-only access to tables and entities
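The point made earlier, that RBAC lets you scope a data-plane role down to an individual container or queue, is only a benefit if assignments are actually made at that level. The script below is an added example, not code from this study guide or from Microsoft: it audits a list of role assignments, classifies each scope by the resource path Azure uses (`/subscriptions/...`, `/resourceGroups/...`, `/providers/Microsoft.Storage/storageAccounts/...`, `/blobServices/default/containers/...`, `/queueServices/default/queues/...`), and flags the built-in data roles listed above when they are granted above the container or queue level. It also flags control-plane roles whose permissions include listing the account keys, since those keys grant full data access. The dictionary field names are assumed to mirror the JSON that `az role assignment list` prints, and the assignments themselves are constructed.

```python
import re
from dataclasses import dataclass

# The built-in data-plane roles from the list above, mapped to the service they cover.
DATA_PLANE_ROLES = {
    "Storage Blob Data Owner": "blob",
    "Storage Blob Data Contributor": "blob",
    "Storage Blob Data Reader": "blob",
    "Storage Queue Data Contributor": "queue",
    "Storage Queue Data Reader": "queue",
    "Storage Queue Data Message Processor": "queue",
    "Storage Queue Data Message Sender": "queue",
    "Storage Table Data Contributor": "table",
    "Storage Table Data Reader": "table",
}

# Control-plane roles whose permissions include Microsoft.Storage/storageAccounts/listKeys/action.
# Assumption of this example: the set is illustrative, not exhaustive.
KEY_LISTING_ROLES = {
    "Owner",
    "Contributor",
    "Storage Account Contributor",
    "Storage Account Key Operator Service Role",
}

# Azure resource-ID layout for storage scopes, from subscription down to container/queue.
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/Microsoft\.Storage/storageAccounts/(?P<account>[^/]+)"
    r"(?:/blobServices/default/containers/(?P<container>[^/]+)"
    r"|/queueServices/default/queues/(?P<queue>[^/]+))?"
    r")?"
    r")?$",
    re.IGNORECASE,
)


def scope_level(scope: str) -> str:
    """Classify an assignment scope as subscription, resourceGroup, storageAccount, container, queue or unknown."""
    m = SCOPE_RE.match(scope)
    if m is None:
        return "unknown"
    for level in ("container", "queue", "account", "rg"):
        if m.group(level):
            return {"account": "storageAccount", "rg": "resourceGroup"}.get(level, level)
    return "subscription"


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    level: str
    severity: str
    reason: str


def audit(assignments: list[dict]) -> list[Finding]:
    """Flag assignments that grant more data access than a container/queue-scoped role would."""
    findings = []
    for a in assignments:
        principal, role, level = a["principalName"], a["roleDefinitionName"], scope_level(a["scope"])
        if role in KEY_LISTING_ROLES:
            findings.append(Finding(principal, role, level, "high",
                                    "control-plane role can list account keys, which grant full data access"))
        elif role in DATA_PLANE_ROLES:
            if level in ("subscription", "resourceGroup"):
                findings.append(Finding(principal, role, level, "high",
                                        "data role granted above the storage account; scope it to a container or queue"))
            elif level == "storageAccount":
                findings.append(Finding(principal, role, level, "medium",
                                        "role covers every container/queue in the account; narrow it if only some are needed"))
            elif level == "unknown":
                findings.append(Finding(principal, role, level, "medium", "unrecognised scope format"))
    return findings


# Constructed sample assignments (placeholder subscription ID, fictional principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCT = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/contosostore"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "billing-app-mi", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": ACCT + "/blobServices/default/containers/invoices"},
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB},
    {"principalName": "orders-worker-mi", "roleDefinitionName": "Storage Queue Data Message Processor",
     "scope": ACCT + "/queueServices/default/queues/orders"},
    {"principalName": "ci-pipeline-sp", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-data"},
    {"principalName": "reporting-mi", "roleDefinitionName": "Storage Blob Data Owner",
     "scope": ACCT},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f"[{f.severity}] {f.principal}: {f.role} at {f.level} scope: {f.reason}")
```

The two container- and queue-scoped managed-identity assignments produce no findings; the user with a data role at subscription scope, the pipeline principal holding Contributor (and therefore able to list keys), and the account-wide Data Owner are the ones a reviewer would want to revisit.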
