- Microsoft Windows Azure Development Cookbook
- Neil Mackenzie
- 554 words
- 2021-04-02 18:51:55
Managing Windows Azure Storage Service access keys
The data stored by the Windows Azure Storage Service must be secured against unauthorized access. To ensure that security, all storage operations against the table service and the queue service must be authenticated. Similarly, other than anonymous read requests against public containers and blobs, all operations against the blob service must also be authenticated. The blob service supports public containers so that, for example, blobs containing images can be downloaded directly into a web page without any credentials being exposed in the page.
Each storage account has a primary access key and a secondary access key that can be used to authenticate operations against the storage service. When creating a request against the storage service, one of the keys (base64-decoded) is used along with the request verb, the resource path, and various request headers, including the request date, to generate a 256-bit, hash-based message authentication code (HMAC-SHA256). This HMAC, base64-encoded and prefixed with the account name, is added as the Authorization request header. On receiving the request, the storage service recalculates the HMAC from the request it actually received and rejects the request if the received and calculated HMAC values differ; any tampering with a signed header or with the resource path therefore invalidates the signature, and the signed date bounds how long a captured request can be replayed. The Windows Azure Storage Client library provides methods that manage the creation of the HMAC and attaching it to the storage operation request.
There is no distinction between the primary and secondary access keys. The purpose of the secondary access key is to enable continued use of the storage service while the other access key is being regenerated. While the primary access key is used for authentication against the storage service, the secondary access key can be regenerated without affecting the service—and vice versa. This can be extremely useful in situations where storage access credentials must be rotated regularly.
As possession of the storage account name and an access key is sufficient to provide full control over all data managed by the storage account, it is essential that the access keys be kept secure. In particular, access keys should never be embedded in or downloaded to a client, such as a smartphone, as that exposes them to extraction and abuse, and a leaked key can only be revoked by regenerating it.
In this recipe, we will learn how to use the primary and secondary access keys.
Getting ready
This recipe requires a deployed Windows Azure hosted service that uses a Windows Azure storage account.
How to do it...
We are going to regenerate the secondary access key for a storage account and configure a hosted service to use it. We do this as follows:
- Go to the Windows Azure Portal.
- In the Storage Accounts section, regenerate the secondary access key for the desired storage account.
- In the Hosted Services section, configure the desired hosted service and replace the value of AccountKey in the DataConnectionString setting with the newly generated secondary access key.
How it works...
In step 2, we can choose which access key to regenerate. It is important that we never regenerate the access key currently being used, since doing so immediately renders the storage account inaccessible to every client still presenting the old key. Consequently, we regenerate only the secondary access key if the primary access key is currently in use, and vice versa. A safe rotation therefore alternates between the two keys: regenerate the unused key, switch the service to it, and only then regenerate the key that was just retired.
In step 3, we upgrade the service configuration to use the access key we just generated. This change can be trapped and handled by the hosted service. However, it should not require the hosted service to be recycled. We see how to handle configuration changes in the Handling changes to the configuration and topology of a hosted service recipe in Chapter 5.
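The following is an added example, not code from the book or from the Windows Azure Storage Client library. It models both sides of the Shared Key exchange described above: a client computes the HMAC-SHA256 Authorization header from its access key, and a toy service holding a primary and a secondary key recomputes the HMAC with each key and accepts the request if either one validates. The walkthrough function then replays the rotation recipe (regenerate the unused key, switch the client to it, retire the old key) and finishes with the mistake the text warns about, regenerating the key the client is still using, to show that the request is then rejected. The account name, paths, headers, and keys are constructed locally and are not real credentials; the canonicalization is a simplified form of the documented Shared Key string-to-sign (query parameters are omitted), so it illustrates the mechanism rather than reproducing the exact service rules.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample account name (hypothetical; not a real storage account).
ACCOUNT = "examplestorage"

# Standard headers that enter the string-to-sign in fixed order; absent ones sign as "".
STANDARD_HEADERS = [
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
]


def generate_key() -> str:
    """Mint a key in the same shape Azure issues: 64 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(64)).decode("ascii")


def string_to_sign(verb: str, headers: Dict[str, str], path: str, account: str) -> str:
    """Canonicalize the request (simplified: query parameters are not included)."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    lines = [verb.upper()] + [lower.get(name, "") for name in STANDARD_HEADERS]
    # CanonicalizedHeaders: every x-ms-* header, lowercased, sorted, one per line.
    canonical_headers = "".join(
        f"{name}:{value}\n" for name, value in sorted(lower.items()) if name.startswith("x-ms-")
    )
    # CanonicalizedResource: "/" + account name + request path.
    canonical_resource = f"/{account}{path}"
    return "\n".join(lines) + "\n" + canonical_headers + canonical_resource


def authorization_header(verb: str, headers: Dict[str, str], path: str, account: str, key_b64: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded access key."""
    message = string_to_sign(verb, headers, path, account).encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode('ascii')}"


class StorageService:
    """Service side of the exchange: holds both keys and recomputes the HMAC on receipt."""

    def __init__(self, account: str) -> None:
        self.account = account
        self.keys = {"primary": generate_key(), "secondary": generate_key()}

    def regenerate(self, which: str) -> str:
        """Replace one key; the other keeps working, which is what makes rotation safe."""
        self.keys[which] = generate_key()
        return self.keys[which]

    def verify(self, verb: str, headers: Dict[str, str], path: str, authorization: str) -> Optional[str]:
        """Return the name of the key that validates the request, or None to reject it."""
        for name, key in self.keys.items():
            expected = authorization_header(verb, headers, path, self.account, key)
            if hmac.compare_digest(expected, authorization):  # constant-time comparison
                return name
        return None


def rotation_walkthrough() -> List[Optional[str]]:
    """Replay the recipe against the model service, recording which key each request used."""
    service = StorageService(ACCOUNT)
    headers = {"x-ms-date": "Fri, 02 Apr 2021 18:51:55 GMT", "x-ms-version": "2009-09-19",
               "Content-Length": "0"}
    path = "/mycontainer/myblob.txt"

    def request(client_key: str) -> Optional[str]:
        auth = authorization_header("GET", headers, path, ACCOUNT, client_key)
        return service.verify("GET", headers, path, auth)

    outcomes = []
    client_key = service.keys["primary"]              # hosted service configured with the primary key
    outcomes.append(request(client_key))              # "primary"
    new_secondary = service.regenerate("secondary")   # step 2: regenerate the key NOT in use
    outcomes.append(request(client_key))              # still "primary": nothing broke
    client_key = new_secondary                        # step 3: update AccountKey in DataConnectionString
    outcomes.append(request(client_key))              # "secondary"
    service.regenerate("primary")                     # the retired primary can now be regenerated safely
    outcomes.append(request(client_key))              # still "secondary"
    service.regenerate("secondary")                   # the mistake: regenerating the key still in use
    outcomes.append(request(client_key))              # None: the request is rejected
    return outcomes


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The service tries both keys on every request, which is exactly why the two keys are interchangeable and why regenerating the unused one is invisible to running clients. Because the whole request is covered by the HMAC, a changed verb, path, or signed header produces a different signature and is rejected, and a key that has leaked can only be revoked by regenerating it, which the walkthrough's last step shows cutting off every client still configured with it.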