Shared key for Azure Storage

I have a trial Azure account and I have created a table under storage. I want to read the table using the REST API. I am going through the document (https://docs.microsoft.com/en-us/rest/api/storageservices/authorization-for-the-azure-storage-services) to prepare the authorization header for the HTTP request. I am not able to find the 'Shared key' from the portal. Can anyone help?

Follow the steps below to view the storage access keys for an Azure Blob storage account:

Sign in to the Azure dashboard.

  1. In the navigation pane, click on All Resources.

  2. Choose the desired storage account.

  3. Click on the Key icon to view the access keys for the storage account. Note: Each storage account has two storage access keys.

  4. To copy a storage access key, click on the Copy icon next to the key you want to copy.

Authorize with Shared Key (REST API)

If possible, use Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage instead of Shared Key. Azure AD provides

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization. Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys.

Shared Key authorization for the Table service in version 2009-09-19 and later uses the same signature string as in previous versions of the Table service.

The format for the Authorization header is as follows:

Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>"

The Shared Key signature string for a request against the Table service does not include the CanonicalizedHeaders portion of the string. Additionally, the Date header in this case is never empty even if the request sets the x-ms-date header. If the request sets x-ms-date, that value is also used for the value of the Date header.

To encode the signature string for a request against the Table service made using the REST API, use the following format:

StringToSign = VERB + "\n" +   
               Content-MD5 + "\n" +   
               Content-Type + "\n" +  
               Date + "\n" +  
               CanonicalizedResource;  

This format supports Shared Key and Shared Key Lite for all versions of the Table service. Construct the CanonicalizedResource string in this format as follows:

1. Beginning with an empty string (""), append a forward slash (/), followed by the name of the account that owns the resource being accessed.

2. Append the resource's encoded URI path. If the request URI addresses a component of the resource, append the appropriate query string. The query string should include the question mark and the comp parameter (for example, ?comp=metadata).

Encoding the Signature

To encode the signature, use the following format:

Signature=Base64(HMAC-SHA256(UTF8(StringToSign), Base64.decode(<your_azure_storage_account_shared_key>))) 
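The header construction described above, worked through in Python as an added example (not part of the original answer or of Microsoft's sample code). The account name `myaccount`, the table `mytable`, the key and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import parse_qs, urlsplit

# Constructed 512-bit key, Base64-encoded the way the portal shows it.
# A real key comes from the storage account's access keys page.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def canonicalized_resource(account: str, url: str) -> str:
    """'/' + account + encoded URI path, plus '?comp=...' only when present."""
    parts = urlsplit(url)
    resource = "/" + account + parts.path
    comp = parse_qs(parts.query).get("comp")
    if comp:  # other query parameters (for example $top) are not signed
        resource += "?comp=" + comp[0]
    return resource


def string_to_sign(verb, content_md5, content_type, date, resource) -> str:
    # Table service Shared Key: no CanonicalizedHeaders, and Date is never empty.
    return "\n".join([verb, content_md5, content_type, date, resource])


def sign(to_sign: str, key_b64: str) -> str:
    # The account key is Base64 text; HMAC-SHA256 needs the decoded raw bytes.
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def table_auth_headers(account, key_b64, verb, url, date=None,
                       content_md5="", content_type=""):
    # RFC 1123 date, e.g. "Mon, 01 Jan 2024 00:00:00 GMT"; the same value is
    # sent as x-ms-date and used as Date in the string to sign.
    date = date or formatdate(usegmt=True)
    to_sign = string_to_sign(verb, content_md5, content_type, date,
                             canonicalized_resource(account, url))
    return {
        "x-ms-date": date,
        "Authorization": f"SharedKey {account}:{sign(to_sign, key_b64)}",
    }
```

A frequent cause of authentication failures with hand-built headers is signing with the Base64 text of the key instead of its decoded bytes, or sending a date that differs from the one that was signed.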

Manage account access keys

Learn about the different ways to authorize access to Azure Storage, including Azure Active Directory, Shared Key authorization, or shared

Key Vault manages storage account keys by periodically regenerating them in storage account and provides shared access signature tokens for delegated access to resources in your storage account. You can use the Key Vault managed storage account key feature to list (sync) keys with an Azure storage account, and regenerate (rotate) the keys periodically.

Here is a working sample which creates a file:

https://github.com/mstaples84/azurefileserviceauth.git

It is based on the tutorial:

https://docs.microsoft.com/de-de/azure/storage/common/storage-rest-api-auth but deals with the issues I had when creating a file from the tutorial.

Simply run the Unit Test "CreateFileAsync()" to test it. Make sure to edit the constants set by the Test class to make it work.

Authorizing data operations, Shared Key (storage account key), Shared access signature (SAS), Azure Active Directory (Azure AD), Active Directory (preview), Anonymous

Authorize requests to Azure Storage (REST API)

SHARED KEY Authorization: The Blob, Queue, Table, and File services support the following Shared Key authorization schemes for version 2009-09-19 and later (for Blob, Queue, and Table service)

We will try to create a container in a storage account by authorising using Shared Key. Open Postman and create a collection.

Shared key for Azure Storage

Client applications have to make a request over HTTP/HTTPS to Azure Storage to access data in Azure storage account. As the resources are

Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see Authorize with Shared Key.

Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account.

How to authorize access to Azure storage using Shared Key

In this video, explore the access keys available for authentication when interacting with an Azure Storage account. Note the option to

If you open the Azure portal, click on the "Hosted Services, Storage Accounts & CDN" link on the lower left and then pick "Storage Accounts". Once you click on "New Storage Account" and create a storage account, you will see "Primary access key" and "Secondary access key" on the right-hand side if you select that storage account in the middle.

Comments
  • Is "access key" the same thing as "shared key"? OP asked for "shared key".