Storage Account Principal ID
How do I get the Azure storage account principal ID?
According to the documentation at https://learn.microsoft.com/en-us/rest/api/storagerp/storage-accounts/get-properties?view=rest-storagerp-2023-01-01&tabs=HTTP#storageaccountgetpropertiescmkversionexpirationtime, you can utilize the get_properties API to retrieve the principal ID. However, if customer-managed key (CMK) isn't enabled for the storage account, the account identity value will be None.
Azure Storage
2 answers
Sort by: Most helpful
Sam Cogan 10,812 Reputation points Microsoft Employee Volunteer Moderator
2024-02-14T11:00:39.7333333+00:00
If you are not using a customer-managed key, then the storage account does not have a principal ID, as none has been assigned because it is not needed. The only thing a storage account can use an identity for is accessing Key Vault to get a customer-managed key.
Anand Prakash Yadav 7,860 Reputation points Microsoft External Staff
2024-02-15T09:41:53.7466667+00:00
Hello muhammadUmair,
Thank you for posting your query here!
Adding on to the previous response, as mentioned if you're not using a customer-managed key (CMK), the storage account doesn't inherently have a principal ID assigned to it, as it doesn't need one for its basic functionalities within Azure.
In the context of accessing a customer-managed key (CMK), the principal ID would be relevant if you've assigned an identity to the storage account for this purpose. Otherwise, the storage account itself doesn't have a principal ID.
Also, please note that by default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage this encryption key yourself, you can specify a customer-managed key; that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.
When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys.
The following diagram shows how Azure Storage uses Microsoft Entra ID and a key vault to make requests using the customer-managed key:
1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.
2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
3. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Microsoft Entra ID.
4. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.
5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.
For further details, please refer to: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
Do let us know if you have any further queries. I'm happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
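To make the point of the thread concrete, here is an added example (mine, not code from either answer or from Microsoft): it reads the principal ID of the identity used for customer-managed keys out of a storage account "Get Properties" REST response, and returns None for an account still on Microsoft-managed keys, which is the situation the question describes. The field names it relies on (identity.principalId, identity.userAssignedIdentities, properties.encryption.keySource, properties.encryption.identity.userAssignedIdentity) are my understanding of the Microsoft.Storage schema and should be treated as assumptions; the sample responses are constructed.

```python
# Added example, not code from the Q&A thread: read the principal ID a storage
# account can use for customer-managed keys (CMK) out of a "Get Properties"
# REST response. Field names follow the Microsoft.Storage resource schema as I
# know it and are an assumption; the sample responses below are constructed.
from typing import Optional

def cmk_principal_id(props: dict) -> Optional[str]:
    """Object (principal) ID of the identity used for CMK, or None when the
    account is on Microsoft-managed keys (no identity needed, so none assigned)."""
    identity = props.get("identity") or {}
    encryption = (props.get("properties") or {}).get("encryption") or {}
    if encryption.get("keySource") != "Microsoft.Keyvault":
        return None
    # User-assigned identity: encryption.identity names it by resource ID and
    # identity.userAssignedIdentities holds its principalId. Resource IDs are
    # not case-sensitive, so compare them folded.
    ua_res_id = (encryption.get("identity") or {}).get("userAssignedIdentity")
    if ua_res_id:
        for res_id, ua in (identity.get("userAssignedIdentities") or {}).items():
            if res_id.lower() == ua_res_id.lower():
                return ua.get("principalId")
        return None  # referenced identity is not attached to this account
    # System-assigned identity: principalId sits directly under identity.
    if "SystemAssigned" in (identity.get("type") or ""):
        return identity.get("principalId")
    return None

# Constructed sample responses (REST shape, placeholder GUIDs and resource IDs).
MMK_ACCOUNT = {"name": "stmmk",
               "properties": {"encryption": {"keySource": "Microsoft.Storage"}}}
SYSTEM_CMK_ACCOUNT = {
    "name": "stsyscmk",
    "identity": {"type": "SystemAssigned",
                 "principalId": "11111111-1111-1111-1111-111111111111",
                 "tenantId": "22222222-2222-2222-2222-222222222222"},
    "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}},
}
UA_ID = ("/subscriptions/sub/resourceGroups/rg/providers/"
         "Microsoft.ManagedIdentity/userAssignedIdentities/cmk-id")
USER_CMK_ACCOUNT = {
    "name": "stuacmk",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {
        UA_ID: {"principalId": "33333333-3333-3333-3333-333333333333"}}},
    "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                  "identity": {"userAssignedIdentity": UA_ID.lower()}}},
}

if __name__ == "__main__":
    for acct in (MMK_ACCOUNT, SYSTEM_CMK_ACCOUNT, USER_CMK_ACCOUNT):
        print(acct["name"], "->", cmk_principal_id(acct))
```

A None result for a CMK-enabled account means the key vault access policy or role assignment has nothing to target yet, so check that an identity is actually assigned before granting it key permissions.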