Encrypt Azure Storage account name and key in PowerShell script

StackOverflow https://stackoverflow.com/questions/23538200

  •  17-07-2023
  •  | 
  •  

Question

We have a PowerShell script to install and configure the application. The software and script updates are downloaded from Windows Azure Storage. The script is used by partners.

At the moment the Azure Storage Name and Key are in plain text.

$context = New-AzureStorageContext
            -StorageAccountName 'myAccountName'
            -StorageAccountKey 'qwertynOc6bmpUhsnFuzSzFLHG7rJgkiakdWpIQ=='

Is there a way to encrypt the Azure Storage Name and Key (or at least the Key) so that partners cannot access Azure Storage directly?

EDIT

I also use Azure Table Storage for logging.

I did find the code below but I guess you will have to regenerate the file on every machine that uses the script. That will not work for us.

$file = '.\myPasswd.txt'

$securedStorageKey = Read-Host -Prompt "Enter Storage Key" -AsSecureString 
ConvertFrom-SecureString $securedStorageKey | Set-Content $file

$accountName = 'myAccountName'
$securedStorageKey = Get-Content $file |  ConvertTo-SecureString
$accountKey = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securedStorageKey));
$accountContext = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
Was it helpful?

Solution 2

As I'm assuming you hand this script out to your partners; there's no good way to do this.

New-AzureStorageContext needs the credentials in order to work. This means if you are to hand out this script to your partners with an encrypted "key", you'd also have to wrap it together with a "unencrypt" method, which in turn the partner could use to decrypt your key.

If you cannot hand out the keys to your partners, I would consider using another strategy for distributing and downloading your software.

Configure Azure Storage to serve public data If the partners have no need for your key after data have been downloaded, one solution could be to configure Azure to use a public url.

http://www.sitefinity.com/documentation/documentationarticles/installation-and-administration-guide/system-settings/configuring-windows-azure-storage-provider

Change your powershell script (that your partners are using) to download scripts / data / installation from the public location and to the rest there. Then you wouldn't have to distribute your keys.

OTHER TIPS

You might want to consider implementing access via Shared Access Signatures. With SAS, you can give limited access to the resources, and also have that access expire periodically. This does add some complexity in that you need code running somewhere to validate the user and generate the SAS tokens, but at least you're not giving up full access to your storage resources.

The concept is explained fairly well in this article: http://blogs.msdn.com/b/windowsazurestorage/archive/2012/06/12/introducing-table-sas-shared-access-signature-queue-sas-and-update-to-blob-sas.aspx

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top