articles/search/search-security-api-keys.md
13 additions & 12 deletions
@@ -2,24 +2,23 @@
2
2
title: Connect using API keys
3
3
titleSuffix: Azure AI Search
4
4
description: Learn how to use an admin or query API key for inbound access to an Azure AI Search service endpoint.
5
-
6
5
manager: nitinme
7
6
author: HeidiSteen
8
7
ms.author: heidist
9
8
ms.service: azure-ai-search
10
9
ms.custom:
11
10
- ignite-2023
12
11
ms.topic: how-to
13
-
ms.date: 10/30/2024
12
+
ms.date: 1/16/2025
13
+
#customer intent: I want to learn how to connect to Azure AI Search using API keys so that I can authenticate inbound requests to my search service.
14
14
---
15
15
16
16
# Connect to Azure AI Search using keys
17
17
18
-
Azure AI Search offers key-based authentication for connections to your search service. An API key is a unique string composed of 52 randomly generated numbers and letters. In your source code, you can specify it as an [environment variable](/azure/ai-services/cognitive-services-environment-variables) or as an app setting in your project, and then reference the variable on the request. A request made to a search service endpoint is accepted if both the request and the API key are valid.
19
-
20
-
Key-based authentication is the default.
18
+
Azure AI Search offers both keyless and key-based authentication for connections to your search service. An API key is a unique string composed of 52 randomly generated numbers and letters. In your source code, you can specify it as an [environment variable](/azure/ai-services/cognitive-services-environment-variables) or as an app setting in your project, and then reference the variable on the request. A request made to a search service endpoint is accepted if both the request and the API key are valid.
21
19
22
-
You can replace it with [role-based access](search-security-enable-roles.md), which eliminates the need for hardcoded keys in your codebase.
20
+
> [!IMPORTANT]
21
+
> When you create a search service, key-based authentication is the default, but it's not the most secure option. We recommend that you replace it with [role-based access](search-security-enable-roles.md), which eliminates the need for hardcoded keys in your codebase.
23
22
24
23
## Types of API keys
25
24
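Review bot: the new opening sentence (new line 18) announces "both keyless and key-based authentication", but the rest of the paragraph covers only API keys, and keyless access is neither defined nor linked there. The IMPORTANT note links to search-security-enable-roles.md for role-based access, while the Best practices hunk in this same commit links keyless-connections.md for the same recommendation. Suggest linking "keyless" in the first sentence and using one consistent target. The note also calls key-based authentication "not the most secure option" without saying why; a short clause naming the exposure risk already stated under Best practices would make the recommendation easier to act on.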
@@ -36,11 +35,11 @@ Visually, there's no distinction between an admin key or query key. Both keys ar
36
35
37
36
## Use API keys on connections
38
37
39
-
API keys are used for data plane (content) requests, such as creating or accessing an index or, any other request that's represented in the [Search REST APIs](/rest/api/searchservice/). Upon service creation, an API key is the only authentication mechanism for data plane operations, but you can replace or supplement key authentication with [Azure roles](search-security-rbac.md) if you can't use hard-coded keys in your code.
40
-
41
-
Admin keys are used for creating, modifying, or deleting objects. Admin keys are also used to GET object definitions and system information.
38
+
API keys are used for data plane (content) requests, such as creating or accessing an index or, any other request that's represented in the [Search REST APIs](/rest/api/searchservice/).
42
39
43
-
Query keys are typically distributed to client applications that issue queries.
40
+
You can use either an API key or [Azure roles](search-security-rbac.md) for management plane (service) requests. When you use an API key:
41
+
- Admin keys are used for creating, modifying, or deleting objects. Admin keys are also used to GET object definitions and system information.
42
+
- Query keys are typically distributed to client applications that issue queries.
44
43
45
44
### [**REST API**](#tab/rest-use)
46
45
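Review bot: new line 40 says an API key or Azure roles can be used for "management plane (service) requests", but new line 38 directly above scopes API keys to "data plane (content) requests", and the removed text described the key-or-roles choice for data plane operations. The two bullets that follow (creating, modifying, or deleting objects, and issuing queries) also describe content operations. Please confirm whether "data plane" was intended on line 40, or add a sentence stating which service-level requests accept a key. The change also removes the statement that an API key is the only data plane authentication mechanism at service creation, so that default is now stated only in the IMPORTANT note in the introduction. The stray comma in "an index or, any other request" carried over onto line 38 and can be fixed while that line is being touched.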
@@ -241,11 +240,13 @@ It's not possible to use [customer-managed key encryption](search-security-manag
241
240
242
241
## Best practices
243
242
243
+
+ For production workloads, switch to [Microsoft Entra ID and role-based access](keyless-connections.md). Or, if you want to continue using API keys, be sure to always monitor [who has access to your API keys](#secure-api-keys) and [regenerate API keys](#regenerate-admin-keys) on a regular cadence.
244
+
244
245
+ Only use API keys if data disclosure isn't a risk (for example, when using sample data) and if you're operating behind a firewall. Exposure of API keys is a risk to both data and to unauthorized use of your search service.
245
246
246
-
+Always check code, samples, and training material before publishing to make sure you didn't leave valid API keys behind.
247
+
+If you use an API key, store it securely somewhere else, such as in [Azure Key Vault](/azure/key-vault/general/overview). Don't include the API key directly in your code, and never post it publicly.
247
248
248
-
+For production workloads, switch to [Microsoft Entra ID and role-based access](keyless-connections.md). Or, if you want to continue using API keys, be sure to always monitor [who has access to your API keys](#secure-api-keys) and [regenerate API keys](#regenerate-admin-keys) on a regular cadence.
249
+
+Always check code, samples, and training material before publishing to make sure you don't inadvertently expose an API key.
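Review bot: the added Key Vault bullet (new line 247) tells readers "Don't include the API key directly in your code" and to store it "somewhere else", but the introduction in this same commit (new line 18) still says "In your source code, you can specify it as an environment variable or as an app setting". The two pieces of guidance should be reconciled, for example by stating in the bullet that the key is read at run time from Key Vault, an environment variable, or an app setting, and never committed to source. "Securely somewhere else" is also vague; naming the store is enough. The moved first bullet keeps "on a regular cadence" without an interval or a pointer to the rotation steps beyond the anchor link, which is fine if #regenerate-admin-keys covers it.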