How to disable access key for storage attached deployment script

Xiaohang Zeng 0 Reputation points Microsoft Employee
2024-06-28T08:46:31.2166667+00:00

Our team uses deployment scripts to deploy some Azure resources. Recently, security requires that we not use access keys to authenticate to the Storage account. But it seems like the deployment script service execution storage only uses access keys. Does anyone have an idea how to solve this?

Azure Storage Accounts

2 answers

  1. Deepanshukatara-6769 7,830 Reputation points
    2024-06-28T10:04:28.58+00:00

    Hi, Welcome to MS Q&A

    To disable access key for a storage account attached through a deployment script, you can modify the allowSharedKeyAccess property in the Azure Resource Manager template or Bicep file to false. Here is an example of how to modify the property in a template file:

    "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-04-01",
        "name": "[variables('storageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {
          "name": "[parameters('skuName')]",
          "tier": "[parameters('skuTier')]"
        },
        "kind": "[parameters('kind')]",
        "properties": {
          "accessTier": "[parameters('accessTier')]",
          "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]",
          "minimumTlsVersion": "[parameters('minimumTlsVersion')]",
          "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
          "encryption": {
            "services": {
              "blob": {
                "enabled": "[parameters('enableEncryption')]"
              }
            },
            "keySource": "[parameters('encryptionKeySource')]"
          },
          "networkAcls": {
            "defaultAction": "[parameters('defaultAction')]",
            "virtualNetworkRules": "[parameters('virtualNetworkRules')]",
            "ipRules": "[parameters('ipRules')]"
          },
          "allowSharedKeyAccess": false
        },
        "dependsOn": []
      }
    ]

    After you modify the template file, you can redeploy it to update the storage account. Note that you should include the other properties for your account and child resources when redeploying with this property. Do not deploy this template as is or it will reset all of your account properties.

    Please let us know if you have further questions.

    Kindly accept the answer if it works for you.

    Thanks

    Deepanshu
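
A pre-deployment check for the template change described in the answer above, as an added example that is not part of the original answer or of any Microsoft tooling: it walks an ARM template, nested deployments included, and reports how each storage account sets allowSharedKeyAccess, treating an absent property as still permitting Shared Key. The sample template and the function names `audit` and `classify` are constructed for illustration.

```python
import json

STORAGE = "microsoft.storage/storageaccounts"
NESTED = "microsoft.resources/deployments"

def classify(value):
    """Verdict for one allowSharedKeyAccess value as written in the template."""
    if value is False:
        return "disabled"
    if value is None or value is True:
        return "allowed"   # an unset (null) property still permits Shared Key
    return "review"        # expression or other non-literal: resolved at deploy time

def audit(template, path="resources"):
    """Return (location, name, verdict) per storage account, nested deployments included."""
    resources = template.get("resources", [])
    # Templates with symbolic names keep resources in an object instead of an array.
    items = resources.items() if isinstance(resources, dict) else enumerate(resources)
    findings = []
    for key, res in items:
        where = f"{path}[{key}]"
        rtype = res.get("type", "").lower()
        props = res.get("properties") or {}
        if rtype == STORAGE:
            verdict = classify(props.get("allowSharedKeyAccess"))
            findings.append((where, res.get("name"), verdict))
        elif rtype == NESTED:
            findings.extend(audit(props.get("template", {}), where + ".template"))
    return findings

# Constructed sample template (not from the original post).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "stlocked",
   "properties": {"allowSharedKeyAccess": false}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stunset",
   "properties": {"minimumTlsVersion": "TLS1_2"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stparam",
   "properties": {"allowSharedKeyAccess": "[parameters('allowSharedKey')]"}},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Storage/storageAccounts", "name": "stnested",
      "properties": {"allowSharedKeyAccess": true}}]}}}
]}
""")

if __name__ == "__main__":
    for where, name, verdict in audit(SAMPLE):
        print(f"{verdict:8} {name:10} {where}")
```

Only the `disabled` verdict means the template itself pins the setting; a `review` result depends on the parameter value supplied at deployment time.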


  2. Nehruji R 4,451 Reputation points Microsoft Vendor
    2024-07-03T06:31:22.6833333+00:00

    Hello Xiaohang Zeng,

    Greetings! Welcome to Microsoft Q&A Platform. Adding to the above information, you can try with “--allow-shared-key-access”. Setting it to false would only allow Azure AD based authorization. The below PowerShell cmdlet will create a new storage account with Shared Key authorization disabled and then update its configuration to use Azure AD authentication by default.

    New-AzStorageAccount -ResourceGroupName "<Resource-Group-Name>" -Name "<Storage-Account-Name>" -SkuName Standard_GRS -Location "EastUS" -AllowSharedKeyAccess $false

    After running the above command, the storage account is created with Shared Key authorization disabled.

    Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Microsoft Entra ID provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key.

    When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see Authorize access to data in Azure Storage.

    Refer for detailed guidance - https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal.

    For deployment script API version 2020-10-01 or later, there are two principals involved in deployment script execution:

    • Deployment principal (the principal used to deploy the template): this principal is used to create underlying resources required for the deployment script resource to execute — a storage account and an Azure container instance. To configure the least-privilege permissions, assign a custom role with the following properties. If the Azure Storage and the Azure Container Instance resource providers haven't been registered, you also need to add Microsoft.Storage/register/action and Microsoft.ContainerInstance/register/action.
    • Deployment script principal: This principal is only required if the deployment script needs to authenticate to Azure and call Azure CLI/PowerShell. There are two ways to specify the deployment script principal:
      • Specify a user-assigned managed identity in the identity property (see Sample templates). When specified, the script service calls Connect-AzAccount -Identity before invoking the deployment script. The managed identity must have the required access to complete the operation in the script. Currently, only user-assigned managed identity is supported for the identity property. To log in with a different identity, use the second method in this list.
      • Pass the service principal credentials as secure environment variables, and then call Connect-AzAccount or az login in the deployment script.
      If a managed identity is used, the deployment principal needs the Managed Identity Operator role (a built-in role) assigned to the managed identity resource.

    Refer - https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#configure-the-minimum-permissions.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
