Why is "Storage Account Key Operator Service" role needed for Managed Identity to write data to Storage account?

Quattrocchi, Calogero 170 Reputation points
2023-10-17T13:46:13.9566667+00:00

We use an Automation Account (AA) that executes a Runbook (PowerShell script) to retrieve device configuration and store it for 90 days in a Storage account. We've created a System Assigned Identity with roles to access key vault credentials and write the configuration file to our Storage account:

[screenshot: role assignments of the system-assigned identity, not reproduced]

But MS Defender for Cloud recommends disabling storage account key access. If we do it, the Runbook fails with following error message:

"Key based authentication is not permitted on this storage account"

I want to know why we need "Storage Account Key Operator Service" role for the Managed Identity to write data to Storage account.

Is there a way to avoid using that role?

Many thanks

Azure Storage Accounts

Accepted answer
  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2023-10-17T17:31:49.7266667+00:00

    @Quattrocchi, Calogero Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Firstly, let me explain what the Storage Account Key Operator Service Role is: it permits listing and regenerating storage account access keys. The built-in role definition:

    {
      "assignableScopes": [
        "/"
      ],
      "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
      "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
      "name": "81a9662b-bebf-436f-a333-f67b29880f12",
      "permissions": [
        {
          "actions": [
            "Microsoft.Storage/storageAccounts/listkeys/action",
            "Microsoft.Storage/storageAccounts/regeneratekey/action"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Storage Account Key Operator Service Role",
      "roleType": "BuiltInRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

    **Based on the error message you may refer to the suggestion mentioned in this thread.**

    The reason why you need the "Storage Account Key Operator Service" role for the Managed Identity to write data to the Storage account is that the Managed Identity needs to authenticate itself to the Storage account in order to access it.

    When you disable storage account key access, you are preventing access to the Storage account using the account key. This means that the Managed Identity can no longer authenticate itself to the Storage account using the account key.

    To avoid using the "Storage Account Key Operator Service" role, you can use Azure AD authentication instead of storage account key authentication. This involves creating an Azure AD application and granting it access to the Storage account. You can then use the Managed Identity to authenticate to the Azure AD application, which in turn can authenticate to the Storage account.

    Here are the high-level steps to use Azure AD authentication:

    1. Create an Azure AD application and grant it access to the Storage account.
    2. Assign the "Storage Blob Data Contributor" role to the Managed Identity for the Azure AD application.
    3. Modify your PowerShell script to use the Managed Identity to authenticate to the Azure AD application, which in turn can authenticate to the Storage account.

    You can find more detailed information on how to use Azure AD authentication with Storage accounts in the Azure documentation: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

    Additional information: Use a Managed Identity: Make sure that the Managed Identity associated with your Automation Account has the necessary permissions (like "Storage Blob Data Contributor" role) to write data to the Storage account. With the right permissions, you should be able to interact with the Storage account securely without relying on storage account keys.

    Generate Shared Access Signatures (SAS): You can generate SAS tokens for your Storage account resources (containers or blobs) and provide these tokens to your Automation Runbook. This way, you can control access at a more granular level without exposing the storage account keys.

    Use a service principal: Instead of a Managed Identity, you can use a service principal with appropriate permissions to interact with your Storage account. This is another secure way to access your storage resources without relying on keys.

    I have not reproduced the above-mentioned steps, please check and let me know the status.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

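The role definition quoted in the answer shows the root of the problem: `Storage Account Key Operator Service Role` carries only control-plane `actions` (`listkeys`, `regeneratekey`) and an empty `dataActions` list, so a runbook holding it can only write blobs by first fetching a key and then authenticating with that key, which is exactly what `AllowSharedKeyAccess = false` blocks. The data-plane role `Storage Blob Data Contributor` lets the managed identity write blobs with its own Microsoft Entra token, and no extra "Azure AD application" is needed for a system-assigned identity. The following is an added example, not code from the original thread or from Microsoft; the resource group, Automation Account, storage account, container and device names are assumptions chosen for illustration, and the sample configuration text is constructed.

```powershell
# Added example (not from the original Q&A). All names below are hypothetical:
#   resource group 'rg-netops', Automation Account 'aa-netops',
#   storage account 'stnetopsconfigs', container 'device-configs'.
$rg        = 'rg-netops'
$aaName    = 'aa-netops'
$saName    = 'stnetopsconfigs'
$container = 'device-configs'

# ---------- Part 1: one-time setup, run by an administrator (not in the runbook) ----------
Connect-AzAccount | Out-Null                       # interactive admin sign-in

# The system-assigned identity's service principal has the same display name
# as the Automation Account.
$sp = Get-AzADServicePrincipal -DisplayName $aaName
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# Grant the data-plane role, scoped to the one container the runbook writes to
# (least privilege: nothing else in the account becomes writable).
$scope = "$($sa.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $sp.Id `
                     -RoleDefinitionName 'Storage Blob Data Contributor' `
                     -Scope $scope | Out-Null

# Drop the key-operator role: it is only useful for key-based access and would let
# a compromised runbook read or rotate the account keys.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $sa.Id |
    Where-Object RoleDefinitionName -eq 'Storage Account Key Operator Service Role' |
    Remove-AzRoleAssignment

# Now apply the Defender for Cloud recommendation: disable Shared Key authorization.
Update-AzStorageAccount -ResourceGroupName $rg -Name $saName -AllowSharedKeyAccess $false | Out-Null

# Check: listing a key still succeeds (control plane), but a context built from
# that key is rejected on the data plane, which is the error seen in the question.
$key    = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
$keyCtx = New-AzStorageContext -StorageAccountName $saName -StorageAccountKey $key
try {
    Get-AzStorageContainer -Name $container -Context $keyCtx | Out-Null
    Write-Warning 'Key-based access still works; AllowSharedKeyAccess has not taken effect yet.'
} catch {
    Write-Output "Key auth rejected as expected: $($_.Exception.Message)"
}

# ---------- Part 2: the runbook itself (Azure Automation, PowerShell runtime) ----------
# Sign in as the system-assigned managed identity: no secret, no key, no Key Vault lookup.
Connect-AzAccount -Identity | Out-Null

# -UseConnectedAccount builds the storage context from the identity's Entra ID token.
# Do NOT use -StorageAccountKey / -ConnectionString here; those paths need listkeys.
$ctx = New-AzStorageContext -StorageAccountName $saName -UseConnectedAccount

# Constructed sample "device configuration" standing in for what the real runbook retrieves.
$device = 'sw-core-01'
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHHmmssZ')
$tmp    = Join-Path ([System.IO.Path]::GetTempPath()) "$device-$stamp.cfg"
@"
hostname $device
! constructed sample configuration, not a real device export
"@ | Set-Content -Path $tmp -Encoding utf8

# Upload with the AAD-backed context; this succeeds with Shared Key disabled
# because authorization is evaluated against the Storage Blob Data Contributor assignment.
$blob = Set-AzStorageBlobContent -File $tmp -Container $container `
            -Blob "$device/$stamp.cfg" -Context $ctx -Force
Write-Output "Wrote $($blob.Name) ($($blob.Length) bytes) using managed identity"
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Two things to verify before switching the real runbook over: the runbook must import a version of the Az.Storage module that supports `-UseConnectedAccount`, and role assignments can take a few minutes to propagate, so a `403 AuthorizationPermissionMismatch` immediately after `New-AzRoleAssignment` usually means "wait", not "wrong role". Once the identity writes blobs this way, the `Storage Account Key Operator Service Role` assignment has no remaining purpose and leaving it in place only widens what a compromised Automation Account could do.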
