Friday, March 6, 2015

Azure: How to utilise the Primary and Secondary storage access keys

One topic that comes up a bit when people first start to deal with Microsoft Azure storage is "what is the purpose of the Primary and Secondary storage access keys". The good news is that the guidance/documentation provided for Azure services and features is very rich in depth, and even includes screenshots. I've linked to the best documentation below.

The main purpose of the Primary and Secondary keys (and this doesn't just apply to storage resources), is to minimize application impact when the keys need to be regenerated. In fact the quote from Azure documentation is: “By providing two storage access keys, Azure enables you to regenerate the keys with no interruption to your storage service or access to that service.

Lets take the scenario of a trusted employee has left the organization. This employee was either the Azure Account Administrator, a Developer, or for whatever reason had access to one or both of the Storage Access Keys for a critical storage blob on your Azure account. You also have a critical online application hanging off this blob storage where downtime costs you $$$$.

With only a Single Access Key the process would have to be the following which depending on the time between steps 1 and 4 could be a considerable outage for the application.
  1. Stop the online application
  2. Regenerate the Access Key
  3. Update the application configuration
  4. Start the application
Maybe in the above scenario you don't even have the ability to stop the application, then the impact of this becomes even more sever because your users will receive an error as the application code fails to use the out of date key.

Now with the Primary and Secondary Access Keys the scenario has a few more steps but far less if not zero outage to the application.
  1. Regenerate the Secondary Access Key.
    This is important as the employee may have had access to this key as well and if they left under "bad terms" this may make this even more critical. Additionally you should regenerate keys routinely, so by doing this first you can test that the the secondary key works and should you have any issues then immediately stop this process and revert to the existing Primary Key while investigating what failed in your application.
  2. Update the Application Code to use the new Secondary Access Key
  3. Pause, take a breath….
    Give your some some time depending on your application to ensure all active processes have finished and new processes switched over to the new key.
  4. Check your application is working off the Secondary Key and is successful. If not then you might want to revert to the existing key while you find the other places you need to update the Storage Account details.
  5. Regenerate the Primary Access Key.
  6. Update the Application Code to use the new Primary Access Key
  7. Repeat steps 3 and 4

The best document to review regarding this topic is:

There are some caveats when dealing with keys on storage for Virtual Machines, Media Services, and Applications (but I cover that above). For the full details see the above link but these are the extracts for reference:

Virtual Machines - If your storage account contains any virtual machines that are running, you will have to redeploy all virtual machines after you regenerate the access keys. To avoid redeployment, shut down the virtual machines before you regenerate the access keys.

Media services - If you have media services dependent on your storage account, you must re-sync the access keys with your media service after you regenerate the keys.

My suggested best practices
  1. Routinely regenerate your keys so you can more easily track who has access to the environment
    1. Do NOT regenerate keys on storage holding virtual machines, unless this can be factored into your monthly/quarterly patch maintenance
  2. Use separate Storage Accounts for Virtual Machines and other application storage (e.g. Tables, etc).
  3. Run the application off the Primary key, and only the Secondary key during key regeneration.
  4. If you must provide access to the storage to an employee/developer/etc..... use a Shared Access key.

Legal Stuff: As always the contents of this blog is provided “as-is”. The information, opinions and views expressed are those of the author and do not necessarily state or reflect those of any other company with affiliation to the products discussed. This includes any URLs or Tools. The author does not accept any responsibility from the use of the information or tools mentioned within this blog, and recommends adequate evaluation against your own requirements to measure suitability.


  1. nice information well done your information is helping alot thanks for valuable windows azure training in hyderabad

  2. Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating. Azure Online Training Hyderabad.

  3. If you are considering making use of a self storage facility, it is important for you to choose the best one. Choosing the best one will ensure that you have a pleasant storage relocation Luton

  4. Thank you because you have been willing to share information with us. we will always appreciate all you have done here because I know you are very concerned with our. Storage Rooms

  5. Cartier watches boast a large variety of design and functionality, replica cartier ukyet maintain the utmost quality and sophistication in every series. Crafted from the finest steel, replica calibre de cartier carbon diver watchesrose gold, yellow gold, and white gold, and utlizing the highest grade of diamonds worthy of the Cartier name, Cartier has dominated the industry of elegant watches. Mens and ladies watches alike are assured attention to detail internally and externally, and the namesake itself is a milestone in the world for which the standard of reputation alone is reminiscent of the product.

  6. Another Michele hit,Replica handbags the more structured Sylvie replica Gucci bags presents Gucci’s saddle-inspired red and green racing stripes – a house signature since the 1950s – in a fresh new light. Smooth leather and chunky hardware lends contemporary appeal to this instantly iconic Gucci bag.

  7. Paris Fashion Week would Replica handbags uk have been incomplete without replica Yves Saint Laurent bags Anthony Vaccarello’s homage to maison founder Yves Saint Laurent in the Saint Laurent spring/summer 2019 collection.

  8. Montblanc MeisterstückClassique is not surprisingly regarded as one replica mont blanc ballpoint pen of Montblanc's top ten fountain pens, replica great characters edition and perhaps the most iconic of the Montblanc writing series. This pen is coated with precious black resin and has a bright white star badge. It is a must-have for collectors and has a well-known name, with German as a "masterpiece". Each pen has a separate serial number, which means that no two pens are the same. Similarly, each nib of Montblanc is individually stamped after manual testing by Montblanc's master craftsmen.