3

I am planning to use keyVault to manage Storage Account Keys.

My question is, when the keys get rotated, would the SAS token previously served by the Key Vault get invalidated?

For example, if I request a SAS for a blob with 30 days validity but the key rotation period I set is 3 days, then would the effective validity of the SAS be 3 days or 30 days?

PS: I asked this query in the MS doc but did not get a reply for this. That is why I am asking you good people of SO.

Jason Ye
Tany

2 Answers

2

My question is, when the keys get rotated, would the SAS token previously served by the Key Vault get invalidated?

By default, the answer is yes, the keyvault will get invalidated.

If the SAS token is about to expire, we should get sasToken again from keyvault and update it.

For more information about Key Vault and storage accounts, please refer to this link.

For example, if I request a SAS for a blob with 30 days validity but the key rotation period I set is 3 days, then would the effective validity of the SAS be 3 days or 30 days?

As far as I know, if we follow the official article, the answer is 3 days.

We can use keyvault to manage Azure storage account, update storage account key or get storage account key.

For example, we can use this command Update-AzureKeyVaultManagedStorageAccountKey to update storage account key.

Jason Ye
    Thanks. But your statement, "get storage account key" would be wrong since the official doc says the key would never be returned to the caller. – Tany Oct 04 '17 at 11:57
0

That's actually a bit more complicated than the other answer presents. For starters, storage accounts have two storage account keys, both of which would give access to that account.

SAS tokens are derived from either of those keys. They will keep working until they expire on their own OR until the key they were derived from is rotated (whichever is sooner).

Key Vault managed storage accounts have a notion of an "active key". Whenever you request a SAS token from KV, it will use the currently active key to generate the SAS token it returns.

Whenever auto-rotation happens, KV will rotate the key that is NOT currently active and make it the active key. The previously active key will become "inactive" but it will stay until the next auto-rotation, which means that any SAS tokens generated before rotation will continue working until they expire or another rotation happens.

All that does not matter of course if you use Update-AzureKeyVaultManagedStorageAccountKey and rotate currently active key. In that case all previously produced SAS tokens will immediately become invalid.

So, as long as you stick to auto-rotation only AND the duration of your SAS tokens is less than the auto-rotation period, SAS tokens should not become invalid because of a storage key change.

n0rd