Commit 97243c1

Add sections for key rotation and revoking access
1 parent 5bd16fe commit 97243c1

2 files changed: +80 -16 lines changed


articles/app-service/app-service-encrypt-at-rest-using-cmk.md

Lines changed: 40 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -13,7 +13,9 @@ Encrypting your web app's application data at rest requires an Azure Storage Acc
1313
- [Running from a deployment package](deploy-run-package.md) is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL.
1414
- [Key Vault references](app-service-key-vault-reference.md) are a security feature of App Service. It allows you to import secrets at runtime as application settings. Use this to encrypt the SAS URL of your Azure Storage Account.
1515

16-
## Create an Azure Storage account
16+
## Set up encryption at rest
17+
18+
### Create an Azure Storage account
1719

1820
First, [create an Azure Storage account](../storage/common/storage-account-create.md) and [encrypt it with customer managed keys](../storage/common/storage-service-encryption.md#customer-managed-keys-with-azure-key-vault). Once the storage account is created, use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files.
1921

@@ -22,7 +24,7 @@ Next, use the Storage Explorer to [generate an SAS](../vs-azure-tools-storage-ma
2224
> [!NOTE]
2325
> Save this SAS URL, this is used later to enable secure access of the deployment package at runtime.
2426
25-
## Configure running from a package from your storage account
27+
### Configure running from a package from your storage account
2628

2729
Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` application setting to the SAS URL. The following example does it by using Azure CLI:
2830

@@ -32,7 +34,7 @@ az webapp config appsettings set --name <app-name> --resource-group <resource-gr
3234

3335
Adding this application setting causes your web app to restart. After the app has restarted, browse to it and make sure that the app has started correctly using the deployment package. If the application didn't start correctly, see the [Run from package troubleshooting guide](deploy-run-package.md#troubleshooting).
3436

35-
## Encrypt the application setting using Key Vault references
37+
### Encrypt the application setting using Key Vault references
3638

3739
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.
3840

@@ -56,11 +58,45 @@ Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application sett
5658
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
5759
```
5860
61+
The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
62+
5963
Updating this application setting causes your web app to restart. After the app has restarted, browse to it make sure it has started correctly using the Key Vault reference.
6064
65+
## How to rotate the access token
66+
67+
It is best practice to periodically rotate the SAS key of your storage account. To ensure the web app does not inadvertently loose access, you must also update the SAS URL in Key Vault.
68+
69+
1. Rotate the SAS key by navigating to your storage account in the Azure Portal. Under **Settings** > **Access keys**, click the icon to rotate the SAS key.
70+
71+
1. Copy the new SAS URL, and use the following command to set the updated SAS URL in your key vault:
72+
73+
```azurecli
74+
az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"
75+
```
76+
77+
1. Update the key vault reference in your application setting to the new secret version:
78+
79+
```azurecli
80+
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
81+
```
82+
83+
The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
84+
85+
## How to revoke the web app's data access
86+
87+
There are two methods to revoke the web app's access to the storage account.
88+
89+
### Rotate the SAS key for the Azure Storage account
90+
91+
If the SAS key for the storage account is rotated, the web app will no longer have access to the storage account, but it will continue to run with the last downloaded version of the package file. Restart the web app to clear the last downloaded version.
92+
93+
### Remove the web app's access to Key Vault
94+
95+
You can revoke the web app's access to the site data by disabling the web app's access to Key Vault. To do this, remove the access policy for the web app's identity. This is the same identity you created earlier while configuring key vault references.
96+
6197
## Summary
6298
63-
Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from storage.
99+
Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from the storage account.
64100
65101
If you need to revoke the web app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.
66102
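Review bot: the Key Vault reference on added line 80 is missing its closing parenthesis, and the command is missing the app and resource group arguments that the existing command in the hunk header at line 34 carries (`az webapp config appsettings set --name <app-name> --resource-group ...`). The value should end `<secret-version>)"`, not `<secret-version>"`; the existing line 58 has the same missing `)`, so fix both in this change. The rotation steps on lines 67 to 71 also skip a step: **Settings** > **Access keys** regenerates a storage account access key, which invalidates every SAS signed with that key but does not hand you a new SAS URL, so between step 1 and step 2 the reader must generate a new SAS for the package blob (the "generate an SAS" section earlier in this article) before copying it into Key Vault with `az keyvault secret set`. Use one term for the thing being rotated: the heading says "access token", the steps and the revoke subsection say "SAS key", and the Summary at line 101 says "storage account keys"; "storage account access key" is the accurate one. Finally, "loose access" on line 67 should be "lose access".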
@@ -70,10 +106,6 @@ If you need to revoke the web app's access to your storage account, you can eith
70106
71107
Only the cost associated with the Azure Storage Account and any applicable egress charges.
72108
73-
### What happens if the SAS token expires or rotates?
74-
75-
If the SAS URL is invalidated for any reason, the web app will continue to run with the last downloaded version of the package file. You must update the value of `WEBSITE_RUN_FROM_PACKAGE` with the new SAS URL for the web app to reestablish a connection to the storage account.
76-
77109
### How does running from the deployment package affect my web app?
78110
79111
- Running your app from the deployment package makes `wwwroot/` read-only. Your app receives an error when it attempts to write to this directory.

articles/azure-functions/functions-encrypt-at-rest-using-cmk.md

Lines changed: 40 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -13,7 +13,9 @@ Encrypting your web app's application data at rest requires an Azure Storage Acc
1313
- [Running from a deployment package](deploy-run-package.md) is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL.
1414
- [Key Vault references](app-service-key-vault-reference.md) are a security feature of App Service. It allows you to import secrets at runtime as application settings. Use this to encrypt the SAS URL of your Azure Storage Account.
1515

16-
## Create an Azure Storage account
16+
## Set up encryption at rest
17+
18+
### Create an Azure Storage account
1719

1820
First, [create an Azure Storage account](../storage/common/storage-account-create.md) and [encrypt it with customer managed keys](../storage/common/storage-service-encryption.md#customer-managed-keys-with-azure-key-vault). Once the storage account is created, use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files.
1921

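Review bot: this file lives under articles/azure-functions/, but the context lines in this hunk still describe "a deployment feature of App Service" and link to `deploy-run-package.md` and `app-service-key-vault-reference.md` with bare relative paths, and the hunk header refers to "your web app". Please confirm those relative links resolve from the azure-functions folder (the App Service copy uses the same paths) and consider wording the new `## Set up encryption at rest` section for function apps rather than copying the App Service text verbatim.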
@@ -22,7 +24,7 @@ Next, use the Storage Explorer to [generate an SAS](../vs-azure-tools-storage-ma
2224
> [!NOTE]
2325
> Save this SAS URL, this is used later to enable secure access of the deployment package at runtime.
2426
25-
## Configure running from a package from your storage account
27+
### Configure running from a package from your storage account
2628

2729
Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` application setting to the SAS URL. The following example does it by using Azure CLI:
2830

@@ -32,7 +34,7 @@ az webapp config appsettings set --name <app-name> --resource-group <resource-gr
3234

3335
Adding this application setting causes your web app to restart. After the app has restarted, browse to it and make sure that the app has started correctly using the deployment package. If the application didn't start correctly, see the [Run from package troubleshooting guide](deploy-run-package.md#troubleshooting).
3436

35-
## Encrypt the application setting using Key Vault references
37+
### Encrypt the application setting using Key Vault references
3638

3739
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.
3840

@@ -56,11 +58,45 @@ Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application sett
5658
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
5759
```
5860
61+
The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
62+
5963
Updating this application setting causes your web app to restart. After the app has restarted, browse to it make sure it has started correctly using the Key Vault reference.
6064
65+
## How to rotate the access token
66+
67+
It is best practice to periodically rotate the SAS key of your storage account. To ensure the web app does not inadvertently loose access, you must also update the SAS URL in Key Vault.
68+
69+
1. Rotate the SAS key by navigating to your storage account in the Azure Portal. Under **Settings** > **Access keys**, click the icon to rotate the SAS key.
70+
71+
1. Copy the new SAS URL, and use the following command to set the updated SAS URL in your key vault:
72+
73+
```azurecli
74+
az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"
75+
```
76+
77+
1. Update the key vault reference in your application setting to the new secret version:
78+
79+
```azurecli
80+
az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
81+
```
82+
83+
The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
84+
85+
## How to revoke the web app's data access
86+
87+
There are two methods to revoke the web app's access to the storage account.
88+
89+
### Rotate the SAS key for the Azure Storage account
90+
91+
If the SAS key for the storage account is rotated, the web app will no longer have access to the storage account, but it will continue to run with the last downloaded version of the package file. Restart the web app to clear the last downloaded version.
92+
93+
### Remove the web app's access to Key Vault
94+
95+
You can revoke the web app's access to the site data by disabling the web app's access to Key Vault. To do this, remove the access policy for the web app's identity. This is the same identity you created earlier while configuring key vault references.
96+
6197
## Summary
6298
63-
Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from storage.
99+
Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from the storage account.
64100
65101
If you need to revoke the web app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.
66102
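Review bot: the same defects as in the App Service copy of this change are carried over verbatim here. The Key Vault reference on added line 80 lacks its closing parenthesis (it should end `<secret-version>)"`, as should the existing line 58), and the `az webapp config appsettings set` command on that line omits the `--name <app-name> --resource-group ...` arguments used by the existing command in the hunk header at line 34. The rotation steps on lines 67 to 71 need an intermediate step: regenerating the storage account access key under **Settings** > **Access keys** invalidates the existing SAS but does not produce a new SAS URL, so a new SAS for the package blob has to be generated before step 2 copies it into Key Vault. Align the terminology ("access token" in the heading, "SAS key" in the body, "storage account keys" in the Summary at line 101) on "storage account access key", and fix "loose access" to "lose access" on line 67.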
@@ -70,10 +106,6 @@ If you need to revoke the web app's access to your storage account, you can eith
70106
71107
Only the cost associated with the Azure Storage Account and any applicable egress charges.
72108
73-
### What happens if the SAS token expires or rotates?
74-
75-
If the SAS URL is invalidated for any reason, the web app will continue to run with the last downloaded version of the package file. You must update the value of `WEBSITE_RUN_FROM_PACKAGE` with the new SAS URL for the web app to reestablish a connection to the storage account.
76-
77109
### How does running from the deployment package affect my web app?
78110
79111
- Running your app from the deployment package makes `wwwroot/` read-only. Your app receives an error when it attempts to write to this directory.
