How to disable access key for storage attached deployment script

Xiaohang Zeng 0 Reputation points Microsoft Employee
2024-06-28T08:46:31.2166667+00:00

Our team uses deployment scripts to deploy some Azure resources. Recently, security has required that access keys not be used to authenticate to the Storage account. But it seems like the deployment script service execution storage only uses access keys. Does anyone have an idea how to solve this?

Azure Storage Accounts

1 answer

  1. Deepanshukatara-6769 6,715 Reputation points
    2024-06-28T10:04:28.58+00:00

    Hi, Welcome to MS Q&A

    To disable access key for a storage account attached through a deployment script, you can modify the allowSharedKeyAccess property in the Azure Resource Manager template or Bicep file to false. Here is an example of how to modify the property in a template file:

    "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-04-01",
        "name": "[variables('storageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {
          "name": "[parameters('skuName')]",
          "tier": "[parameters('skuTier')]"
        },
        "kind": "[parameters('kind')]",
        "properties": {
          "accessTier": "[parameters('accessTier')]",
          "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]",
          "minimumTlsVersion": "[parameters('minimumTlsVersion')]",
          "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
          "encryption": {
            "services": {
              "blob": {
                "enabled": "[parameters('enableEncryption')]"
              }
            },
            "keySource": "[parameters('encryptionKeySource')]"
          },
          "networkAcls": {
            "defaultAction": "[parameters('defaultAction')]",
            "virtualNetworkRules": "[parameters('virtualNetworkRules')]",
            "ipRules": "[parameters('ipRules')]"
          },
          "allowSharedKeyAccess": false
        },
        "dependsOn": []
      }
    ]
    
    
    

    After you modify the template file, you can redeploy it to update the storage account. Note that you should include the other properties for your account and child resources when redeploying with this property. Do not deploy this template as is or it will reset all of your account properties.

    Please let us know if you have further questions.

    Kindly accept the answer if it works for you.

    Thanks

    Deepanshu
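
A pre-deployment check for the `allowSharedKeyAccess` property discussed in the answer above, as an added example that is not part of the original answer. It assumes a classic ARM template whose `resources` is a list, treats a missing property as allowed (the Azure default), and resolves only simple `[parameters('x')]` references; the sample template and function names are constructed for illustration.

```python
import json
import re

# Constructed sample template (not from the answer): one compliant account,
# one that omits the property, one that takes it from a parameter.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"sharedKey": {"type": "bool", "defaultValue": true}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "compliant",
     "properties": {"allowSharedKeyAccess": false}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "implicit",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "parameterized",
     "properties": {"allowSharedKeyAccess": "[parameters('sharedKey')]"}}
  ]}
""")

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, parameters):
    """Resolve a literal or a simple [parameters('x')] reference to its default."""
    if isinstance(value, str):
        match = PARAM_REF.match(value.strip())
        if match:
            return parameters.get(match.group(1), {}).get("defaultValue")
    return value


def shared_key_findings(template):
    """Return (name, reason) for storage accounts that still allow Shared Key."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        raw = res.get("properties", {}).get("allowSharedKeyAccess")
        value = resolve(raw, parameters)
        if raw is None:
            findings.append((res.get("name"), "property absent, treated as true"))
        elif value is not False:
            # Unresolved expressions and missing defaults are flagged too.
            findings.append((res.get("name"), f"resolves to {value!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in shared_key_findings(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Anything other than an explicit `false` is reported, so a parameter without a default or a complex template expression shows up as a finding to review rather than passing silently.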