Add-AzKeyVaultManagedStorageAccount

Adds an existing Azure Storage Account to the specified key vault for its keys to be managed by the Key Vault service.

Syntax

Default (Default)

Add-AzKeyVaultManagedStorageAccount
    [-VaultName] <String>
    [-AccountName] <String>
    [-AccountResourceId] <String>
    [-ActiveKeyName] <String>
    [-DisableAutoRegenerateKey]
    [-RegenerationPeriod <TimeSpan>]
    [-Disable]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Sets up an existing Azure Storage Account with Key Vault so that the Storage Account keys are managed by Key Vault. The Storage Account must already exist. The storage keys are never exposed to the caller. Key Vault automatically regenerates the inactive key and switches the active key based on the regeneration period. See Azure Key Vault managed storage account - PowerShell for an overview of this feature.

Examples

Example 1: Set an Azure Storage Account with Key Vault to manage its keys

$storage = Get-AzStorageAccount -ResourceGroupName "mystorageResourceGroup" -StorageAccountName "mystorage"
$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
$userPrincipalId = $(Get-AzADUser -SearchString "developer@contoso.com").Id
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $userPrincipalId -PermissionsToStorage get, set
$regenerationPeriod = [System.Timespan]::FromDays(90)
Add-AzKeyVaultManagedStorageAccount -VaultName 'myvault' -AccountName 'mystorageaccount' -AccountResourceId '/subscriptions/<subscription id>/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod
Id                  : https://myvault.vault.azure.net:443/storage/mystorageaccount
Vault Name          : myvault
AccountName         : mystorageaccount
Account Resource Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myrg/providers/Microsoft.Storage/storageAccounts/mystorageaccount
Active Key Name     : key1
Auto Regenerate Key : True
Regeneration Period : 90.00:00:00
Enabled             : True
Created             : 5/21/2018 11:55:58 PM
Updated             : 5/21/2018 11:55:58 PM
Tags                :

Sets a Storage Account with Key Vault for its keys to be managed by Key Vault. The active key set is 'key1'. This key will be used to generate SAS tokens. Key Vault will regenerate the 'key2' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue alternating between 'key1' and 'key2' with a gap of 90 days.

Example 2: Set a Classic Azure Storage Account with Key Vault to manage its keys

$regenerationPeriod = [System.Timespan]::FromDays(90)
Add-AzKeyVaultManagedStorageAccount -VaultName 'myvault' -AccountName 'mystorageaccount' -AccountResourceId '/subscriptions/<subscription id>/resourceGroups/myresourcegroup/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount' -ActiveKeyName 'Primary' -RegenerationPeriod $regenerationPeriod
Id                  : https://myvault.vault.azure.net:443/storage/mystorageaccount
Vault Name          : myvault
AccountName         : mystorageaccount
Account Resource Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myvault/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount
Active Key Name     : Primary
Auto Regenerate Key : True
Regeneration Period : 90.00:00:00
Enabled             : True
Created             : 5/21/2018 11:55:58 PM
Updated             : 5/21/2018 11:55:58 PM
Tags                :

Sets a Classic Storage Account with Key Vault for its keys to be managed by Key Vault. The active key set is 'Primary'. This key will be used to generate SAS tokens. Key Vault will regenerate the 'Secondary' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue alternating between 'Primary' and 'Secondary' with a gap of 90 days.
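A hardened form of the onboarding shown in Examples 1 and 2, added here as an example and not part of the reference page or the Az module: it refuses a regeneration period longer than a policy ceiling, grants the Key Vault service principal its role only if missing, and reads the managed storage account back to verify that rotation is actually enabled. The property names on the returned object (Enabled, AutoRegenerateKey, RegenerationPeriod) are assumed from the output fields shown above.

```powershell
# Added example (not from the reference page or the Az module): onboard a storage account to
# Key Vault key management with a policy ceiling on the regeneration period, then read the
# result back and verify rotation is actually on. Property names on the returned object
# (AutoRegenerateKey, RegenerationPeriod, Enabled) are assumed to match the output shown above.
function Register-ManagedStorageWithCheck {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $StorageResourceGroup,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        # 'key1' for ARM storage accounts (Example 1), 'Primary' for classic accounts (Example 2)
        [ValidateSet('key1', 'key2', 'Primary', 'Secondary')] [string] $ActiveKeyName = 'key1',
        [int] $RegenerationDays = 90,
        # Assumed organisational ceiling on the rotation interval
        [int] $MaxRegenerationDays = 90
    )

    # Fail closed: never onboard with a rotation interval longer than policy allows.
    if ($RegenerationDays -gt $MaxRegenerationDays) {
        throw "Regeneration period of $RegenerationDays days exceeds the policy maximum of $MaxRegenerationDays days"
    }

    $storage = Get-AzStorageAccount -ResourceGroupName $StorageResourceGroup -StorageAccountName $StorageAccountName

    # Key Vault's service principal (id from Example 1) needs the key operator role on the account.
    # Check before granting so re-running the function does not error on a duplicate assignment.
    $kvSp     = Get-AzADServicePrincipal -ServicePrincipalName 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'
    $roleName = 'Storage Account Key Operator Service Role'
    if (-not (Get-AzRoleAssignment -ObjectId $kvSp.Id -RoleDefinitionName $roleName -Scope $storage.Id)) {
        New-AzRoleAssignment -ObjectId $kvSp.Id -RoleDefinitionName $roleName -Scope $storage.Id | Out-Null
    }

    Add-AzKeyVaultManagedStorageAccount -VaultName $VaultName -AccountName $StorageAccountName `
        -AccountResourceId $storage.Id -ActiveKeyName $ActiveKeyName `
        -RegenerationPeriod ([TimeSpan]::FromDays($RegenerationDays)) | Out-Null

    # Verify what Key Vault actually recorded; if rotation is off the keys stay static.
    $check = Get-AzKeyVaultManagedStorageAccount -VaultName $VaultName -AccountName $StorageAccountName
    if (-not $check.Enabled -or -not $check.AutoRegenerateKey) {
        throw "Managed storage account '$StorageAccountName' is disabled or not auto-regenerating keys"
    }
    if ($check.RegenerationPeriod -ne [TimeSpan]::FromDays($RegenerationDays)) {
        Write-Warning "Regeneration period read back as $($check.RegenerationPeriod); expected $RegenerationDays days"
    }
    return $check
}

# Usage: Register-ManagedStorageWithCheck -VaultName 'myvault' -StorageResourceGroup 'myresourcegroup' `
#            -StorageAccountName 'mystorageaccount' -ActiveKeyName 'key1' -RegenerationDays 90
```

The caller still needs the storage get/set permissions on the vault (the Set-AzKeyVaultAccessPolicy step in Example 1); the function does not grant those to itself.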

Parameters

-AccountName

Key Vault managed storage account name. The cmdlet constructs the FQDN of a managed storage account from the vault name, the currently selected environment and the managed storage account name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:StorageAccountName, Name

Parameter sets

(All)
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-AccountResourceId

Azure resource id of the storage account.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:StorageAccountResourceId

Parameter sets

(All)
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ActiveKeyName

Name of the storage account key that must be used for generating SAS tokens.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:3
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Disable

Disables the use of the managed storage account's key for generation of SAS tokens.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisableAutoRegenerateKey

Disables auto regeneration of keys. When auto regeneration is enabled, the managed storage account's inactive key is automatically regenerated and becomes the new active key after the regeneration period. When this switch is specified, the keys of the managed storage account are not auto regenerated.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RegenerationPeriod

Regeneration period. If auto regenerate key is enabled, this value specifies the timespan after which the managed storage account's inactive key gets auto regenerated and becomes the new active key.

Parameter properties

Type:Nullable<T>[TimeSpan]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Parameter properties

Type:Hashtable
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Tags

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-VaultName

Vault name. The cmdlet constructs the FQDN of a vault from the name and the currently selected environment.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

String

Nullable<T>

Hashtable

Outputs

PSKeyVaultManagedStorageAccount