With regards to Azure Storage Accounts using a SAS key, will the Splunk Add-on for Microsoft Cloud Services support situations where the SAS key is being rotated? I see only a field for a single SAS token.
Hi Pkeller, thanks for reporting this issue.
A quick question, what's your practice to configure SAS and how would you like the add-on to support that?
Is this the idea?
1. configure multiple SAS with different expiration date at one time in azure portal
2. store all SAS tokens generated and hope the add-on can rotate them at different time?
I think generating multiple SAS tokens at one time is not the best practice, as mentioned below:
https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1
Some other options:
1. generate a SAS token with no expiration date
2. as bwu mentioned above, update the SAS token when it has expired.
Kindly let me know your comments. Thanks!
The answer I received back from our SMEs related to Azure is [inline]
A quick question, what's your practice to configure SAS and how would you like the add-on to support that?
We would like to configure one read only SAS token for each Access Key. As the Access Keys are rotated, the associated SAS token becomes invalid. If the add-on could support a pair of SAS tokens we would be able to rotate one key/token pair per maintenance cycle and not risk a service interruption.
Simply put, if the add-on could support 2 tokens and had the logic built in to switch to the second key if the primary fails, that would be optimal.
Is this the idea?
1. configure multiple SAS with different expiration date at one time in azure portal
No, one token per key.
2. store all SAS tokens generated and hope the add-on can rotate them at different time?
Yes, but they should rotate based on failure to connect/pull.
Many thanks for your help,
pkeller
Thanks, pkeller, for the reply.
Regarding the concept "one token per key", is it a security policy in your company?
It seems that technically the Access key and the SAS token have nothing to do with each other. OTOH, the Add-on can use account name + access key or account name + SAS token to do the authentication.
I'd recommend you create a token with no expiration date or a very distant expiration date; does that make sense?
Hello, I'd like to add my voice to this as I have the same concern as pkeller.
We don't have the luxury of setting SAS token expiry date 'far in the future' -- it needs to be less than 3 months. Our system is configured to generate a new SAS token one week before the current token expires.
pkeller's solution is a good idea --> If we can have two SAS tokens in each storage account config then when the first one expires/fails the second one will be attempted.
Another big concern is that we need to have a way to update SAS tokens without manually typing.
The Azure Monitor Add-on for Splunk, for instance, connects directly to a keyvault to retrieve SAS tokens -- this is a valuable feature.
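The two-token failover that pkeller and the reply above both ask for, written out as an added example (not the add-on's code and not an Azure SDK call): the client keeps an ordered pair of SAS tokens, switches to the other one only when a pull is rejected with an auth error, and keeps using the working token afterwards. The `Response` type, the `fetch` callback and the `fake_fetch` endpoint are constructed stand-ins for the real HTTP call.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed stand-in for an HTTP response (hypothetical; not an SDK type).
@dataclass
class Response:
    status: int
    body: bytes = b""

AUTH_FAILURES = {401, 403}  # an expired or revoked SAS is rejected with one of these

@dataclass
class SasPairClient:
    """Ordered pair of SAS tokens; rotates only on auth failure, then sticks with the working one."""
    tokens: List[str]
    fetch: Callable[[str, str], Response]  # fetch(blob_url, sas_token) -> Response, injected
    active: int = 0                         # index of the token currently in use
    log: List[str] = field(default_factory=list)

    def pull(self, blob_url: str) -> Response:
        for attempt in range(len(self.tokens)):
            idx = (self.active + attempt) % len(self.tokens)
            resp = self.fetch(blob_url, self.tokens[idx])
            if resp.status not in AUTH_FAILURES:
                if idx != self.active:
                    self.log.append(f"failover: token {self.active} -> {idx}")
                    self.active = idx       # later pulls go straight to the working token
                return resp
            self.log.append(f"auth failure {resp.status} with token index {idx}")
        # Both tokens rejected: the pair itself needs regenerating, so surface it loudly.
        raise RuntimeError("all SAS tokens rejected; regenerate tokens after key rotation")

# Constructed fake endpoint: "sas-A" was invalidated by an Access Key rotation, "sas-B" still works.
VALID_TOKENS = {"sas-B"}

def fake_fetch(blob_url: str, sas: str) -> Response:
    return Response(200, b'{"records": []}') if sas in VALID_TOKENS else Response(403)

def demo() -> SasPairClient:
    client = SasPairClient(tokens=["sas-A", "sas-B"], fetch=fake_fetch)
    url = "https://example.blob.core.windows.net/insights-logs/x.json"  # placeholder URL
    client.pull(url)   # first pull: token 0 rejected, fails over to token 1
    client.pull(url)   # second pull: token 1 used directly, nothing logged
    return client

if __name__ == "__main__":
    print(demo().log)
```

The log entries are what an operator would want surfaced by the add-on: a failover event is the signal that the primary key/token pair is due for regeneration in the next maintenance cycle.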
When you configure an input to collect the data stored in Azure Storage, you need to choose one and only one storage account for this input. Each storage account maps to one SAS key. So if your SAS key has expired or become invalid, you need to configure the Storage Account and type in the valid SAS key.