Connection Strings & Keys in Azure Blob Storage
Overview
Connection strings and account keys are used to authenticate and access Azure Storage resources.
What Are Connection Strings?
A connection string contains all the information needed to connect to a storage account:
```
DefaultEndpointsProtocol=https;
AccountName=mystorage001;
AccountKey=your-account-key-here;
EndpointSuffix=core.windows.net
```
Finding Your Connection String
- Go to Storage Account in Azure Portal
- Navigate to Security + networking → Access keys
- Copy either "Connection string" (key1 or key2)
Account Keys
Each storage account has two account keys (key1 and key2):
- Both keys provide full access to the entire storage account
- Keys are typically 88 characters long
- They never expire
Best Practice: Use Key Rotation
```bash
# Update connection string to use key2
# Then regenerate key1
az storage account keys renew \
  --resource-group myrg \
  --account-name mystorage001 \
  --key key1
```
Problems with Account Keys
| Issue | Why It's a Problem |
|---|---|
| Hard to rotate | Need to update all applications |
| Too much access | Keys grant full admin access |
| Security risk | If key leaks, entire storage compromised |
| No audit trail | Can't track who accessed what |
Better Alternatives
1. Use Managed Identity (Recommended)
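```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

// Instead of a connection string, use the identity that DefaultAzureCredential resolves
var blobServiceClient = new BlobServiceClient(
    new Uri("https://mystorage001.blob.core.windows.net"),
    new DefaultAzureCredential()
);
```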
2. Use SAS Tokens (For limited access)
- Time-limited access
- Can restrict to specific container/blob
- Can restrict permissions (read, write, etc.)
Security Recommendations
- Never commit keys to git - Use environment variables
- Use Managed Identity in production
- Rotate keys regularly - At least every 90 days
- Use SAS tokens for external sharing
- Enable Azure Defender for threat detection
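
To back up the "never commit keys to git" recommendation, the check below scans text (a config file, a diff, a CI log) for storage account keys in the connection-string format shown earlier. It is an added example, not code from the original page; the function name `find_account_keys`, the sample text, and the assumption that a key is 64 bytes encoded as 88 base64 characters ending in `==` are ours.

```python
import base64
import hashlib
import re

# Assumption: an account key is 64 random bytes, i.e. 88 base64 characters
# ending in "==" (the page's "typically 88 characters long").
KEY_RE = re.compile(r"(?i:AccountKey)\s*=\s*([A-Za-z0-9+/]{86}==)")
NAME_RE = re.compile(r"(?i:AccountName)\s*=\s*([a-z0-9]{3,24})")


def find_account_keys(text):
    """Return one finding per plausible storage account key in `text`.

    The key itself is never returned: each finding carries a short SHA-256
    fingerprint so reports and CI logs do not leak the secret a second time.
    """
    findings = []
    for match in KEY_RE.finditer(text):
        raw = base64.b64decode(match.group(1))
        if len(raw) != 64:
            continue
        # Nearest AccountName before the key; works for one-line strings and
        # for strings wrapped across lines as in the page's example.
        names = NAME_RE.findall(text[:match.start()])
        findings.append({
            "line": text.count("\n", 0, match.start()) + 1,
            "account": names[-1] if names else None,
            "fingerprint": hashlib.sha256(raw).hexdigest()[:12],
        })
    return findings


# Constructed sample input: the key is base64 of bytes 0..63, not a real key.
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE = (
    "# appsettings (constructed)\n"
    "Storage=DefaultEndpointsProtocol=https;AccountName=mystorage001;"
    f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net\n"
    "Template=AccountName=mystorage001;AccountKey=your-account-key-here;\n"
)

if __name__ == "__main__":
    for finding in find_account_keys(SAMPLE):
        print(finding)
```

The placeholder `your-account-key-here` is skipped because it does not have the shape of a real key. A key this check finds in a repository should be treated as leaked and regenerated, since it stays in git history.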
Next Steps
- Learn how to Generate SAS Tokens
Azure Integration Hub - Beginner Level