Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts.

If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed.

Recommended Secure Coding Practices

Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it’s recommended to create a service principal and assign it the required privileges only. Azure Identity SDK provides several options such as DefaultAzureCredential that can be used to retrieve secrets from, for instance, environment variables.

Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an Azure Key Vault to store and manage keys.

When credentials are disclosed in the application code, consider them as compromised and rotate them immediately.

See

• OWASP Top 10 2021 Category A7 - Identification and Authentication Failures
• docs.microsoft.com - Manage storage account access keys
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• MITRE, CWE-798 - Use of Hard-coded Credentials
• MITRE, CWE-259 - Use of Hard-coded Password
• SANS Top 25 - Porous Defenses