Azure Key vault and Storage Account Key Rotation

rr-4098 1,481 Reputation points
2024-08-24T08:50:10.4766667+00:00

I set up a Key Vault to manage the keys on my storage accounts. The assigned rotation policy states the keys should be rotated every 28 days. The problem is when I go to the storage account and look at the keys, the last update / rotation time is 90+ days ago. What am I missing here?


1 answer

  1. Vinodh247 20,476 Reputation points
    2024-08-25T05:39:14.5633333+00:00

    Hi rr-4098,

    Thanks for reaching out to Microsoft Q&A.

    If you have already set up a rotation policy in Azure Key Vault for your storage account keys but they are not rotating as expected, here are a few things to check first:

    Ensure the rotation policy is configured correctly:

    • Verify that the rotation policy is enabled and the frequency is set to 28 days as expected.
    • Check that the policy is configured on the correct key in Key Vault. Ensure the policy has the necessary permissions to rotate the keys.

    Verify the Event Grid subscription:

    • Ensure an Event Grid subscription is set up to trigger the rotation when the key is near expiry.
    • Check that the Event Grid subscription is enabled and pointing to the correct Function App endpoint.

    Inspect the Function App logs:

    • Review the logs of the Function App that handles the key rotation to see if any errors or issues are being reported.
    • Ensure the Function App has the necessary permissions to access the Key Vault and Storage Account.

    Check the Storage Account access policy:

    • Verify that the user or service principal running the rotation has the necessary permissions to regenerate the storage account keys.
    • Ensure the "Microsoft.Storage/storageAccounts/regeneratekey/action" permission is granted.

    Test the rotation manually:

    • Try manually rotating the keys using the Azure Portal, CLI, or PowerShell to see if the rotation is working as expected. If the manual rotation is successful, it may indicate an issue with the automated rotation setup.

    Ensure the storage account keys are being stored correctly in Key Vault:

    • Verify that the storage account keys are being stored as secrets in Key Vault with the correct tags (CredentialId, ProviderAddress, ValidityPeriodDays).
    • Check that the secret values match the actual storage account keys.

    Consider the key rotation delay:

    • Key rotation may take some time to propagate and reflect in the storage account key list.
    • Wait for a few minutes after the rotation is triggered to see if the new key appears in the storage account.

    Please 'Upvote' (Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.
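The answer above refers to the Event Grid plus Function App pattern, in which a SecretNearExpiry event on the Key Vault secret triggers a function that regenerates the storage account key and writes it back as a new secret version. Note that a rotation policy configured on a Key Vault key only rotates that Key Vault key; a storage account key changes only when something calls regenerateKey on the storage account, which in this pattern is the Function App. The following is an added example, not code from the question, the answer, or Microsoft's tutorial: it implements the dual-key rotation step that such a function performs, plus the staleness check the question describes, against in-memory stand-ins for the storage account and the Key Vault so it runs offline. The resource ID, secret name and key values are constructed for illustration; the tag names (CredentialId, ProviderAddress, ValidityPeriodDays) are the ones the answer lists.

```python
# Added example: dual-key storage account key rotation driven by Key Vault secret tags.
# FakeStorageAccount and FakeKeyVault are offline stand-ins for the ARM and Key Vault
# APIs (assumption for illustration), not the Azure SDK.
import base64
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def new_storage_key() -> str:
    """Constructed stand-in for an account key: 64 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


@dataclass
class FakeStorageAccount:
    """Stand-in for the listKeys / regenerateKey operations on one storage account."""
    resource_id: str
    created_at: datetime
    keys: dict = field(default_factory=dict)
    key_created: dict = field(default_factory=dict)

    def __post_init__(self):
        for name in ("key1", "key2"):
            self.keys[name] = new_storage_key()
            self.key_created[name] = self.created_at

    def regenerate_key(self, key_name: str, now: datetime) -> str:
        if key_name not in ("key1", "key2"):
            raise ValueError(f"unknown key name {key_name!r}")
        self.keys[key_name] = new_storage_key()
        self.key_created[key_name] = now  # what the portal shows as the key's last rotation
        return self.keys[key_name]


@dataclass
class SecretVersion:
    value: str
    tags: dict
    expires: datetime


class FakeKeyVault:
    """Stand-in for Key Vault secrets: set_secret() appends a new version."""

    def __init__(self):
        self._versions = {}

    def get_secret(self, name: str) -> SecretVersion:
        return self._versions[name][-1]

    def set_secret(self, name: str, value: str, tags: dict, expires: datetime) -> None:
        self._versions.setdefault(name, []).append(SecretVersion(value, dict(tags), expires))

    def version_count(self, name: str) -> int:
        return len(self._versions.get(name, []))


def alternate_credential(credential_id: str) -> str:
    """Dual-key rotation regenerates the key that is NOT the one currently handed out."""
    if credential_id not in ("key1", "key2"):
        raise ValueError(f"unexpected CredentialId tag {credential_id!r}")
    return "key2" if credential_id == "key1" else "key1"


def rotate_storage_key(vault: FakeKeyVault, accounts: dict, secret_name: str, now: datetime):
    """The work the rotation function does when SecretNearExpiry fires: read the tags from
    the latest secret version, regenerate the alternate storage key, and store it as a new
    secret version with the CredentialId tag swapped and a fresh expiry."""
    tags = vault.get_secret(secret_name).tags
    account = accounts[tags["ProviderAddress"]]
    validity_days = int(tags["ValidityPeriodDays"])
    new_id = alternate_credential(tags["CredentialId"])
    new_value = account.regenerate_key(new_id, now)
    expires = now + timedelta(days=validity_days)
    vault.set_secret(secret_name, new_value, {**tags, "CredentialId": new_id}, expires)
    return new_id, expires


def stale_keys(account: FakeStorageAccount, validity_days: int, now: datetime) -> list:
    """The symptom in the question: keys whose last regeneration is older than the policy."""
    limit = timedelta(days=validity_days)
    return sorted(k for k, t in account.key_created.items() if now - t > limit)


def run_demo() -> dict:
    """Constructed scenario: keys created 96 days ago under a 28-day policy, then two rotations."""
    now = datetime(2024, 8, 24, tzinfo=timezone.utc)
    account = FakeStorageAccount("/subscriptions/0000/resourceGroups/rg-demo/providers/"
                                 "Microsoft.Storage/storageAccounts/stdemo",
                                 now - timedelta(days=96))
    accounts = {account.resource_id: account}
    vault = FakeKeyVault()
    tags = {"CredentialId": "key1", "ProviderAddress": account.resource_id, "ValidityPeriodDays": "28"}
    vault.set_secret("stdemo-key", account.keys["key1"], tags, account.created_at + timedelta(days=28))

    stale_before = stale_keys(account, 28, now)               # ['key1', 'key2']
    first_id, first_expiry = rotate_storage_key(vault, accounts, "stdemo-key", now)
    stale_after_first = stale_keys(account, 28, now)          # ['key1']
    second_id, _ = rotate_storage_key(vault, accounts, "stdemo-key", now)
    return {
        "stale_before": stale_before,
        "first_rotation": first_id,
        "secret_matches_storage": vault.get_secret("stdemo-key").value == account.keys[second_id],
        "stale_after_first": stale_after_first,
        "second_rotation": second_id,
        "stale_after_second": stale_keys(account, 28, now),
        "secret_versions": vault.version_count("stdemo-key"),
        "expiry_days": (first_expiry - now).days,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the scenario makes concrete: the vault holds one secret with several versions, one per rotation, so a Key Vault secret that never gains new versions means the function never ran (or failed before set_secret); and only the regenerated key's timestamp changes on the storage account, so immediately after a first rotation one of the two keys still shows the old date, which is expected for a dual-key scheme.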

