Does anyone have a good solution for updating Azure storage account keys throughout ArcGIS Enterprise?
The recommended architecture from Esri for serving raster data in an Azure environment is an ImageServer that connects to Azure | Storage Account | Blob Storage.
Our initial attempt at registering the Data Stores on the ImageServer (Azure Cloud Store + Raster Store) was to use a User-Assigned Managed Identity (UAMI), but that was stopped due to a bug in ArcGIS Server Manager (BUG-000173604). Using a UAMI would have prevented the need to rotate access keys.
In lieu of using a UAMI to authenticate, we moved to access keys. To test this approach, we added a raster to blob storage and then connected to that in ArcGIS Pro via an ACS file that authenticates using the blob storage access key. We registered the Data Store on Image Server (Azure Cloud Store + Raster Store) via the same access key. We then published the raster as an Imagery Layer. The layer works.
To maintain security, access keys must be periodically rotated. To test rotating the key, we first rotated the key in Azure. We checked results for the Data Store and the Imagery Layer, and as expected, the Data Store no longer validated and the Imagery Layer stopped drawing.
Next we updated the key in the Data Store. This resulted in the Data Store validating again. However, it did not resolve the Imagery Layer failing to draw. To resolve the Imagery Layer failing to draw, we had to update the access key in the ACS file and republish the service.
It seems that the services are tied to the credentials provided in the ACS file and not the credentials in the Data Store. We will serve dozens of raster files across as many services in our ImageServer. Having to update the ACS file and republish all of them each time we rotate the access key seems horribly inefficient, potentially error prone, and will certainly result in downtime for the services.
Is there a way to publish these datasets so they are referencing the credentials stored in the Data Store instead of what is in the ACS file? That would mean we only need to change the access key in the Data Store after we rotate the key in Azure and we could avoid having to republish all of the services. If not, what is the recommended approach for updating keys throughout ArcGIS Enterprise?
Esri Support found that if the services are "restarted" (stopped, started), that refreshes the connection to the new key in the data store. This means the services do not need to be republished, which is better. However, it does mean all of the services have to be restarted, which is still challenging to manage. ENH-000174477 suggests having ArcGIS Server automatically restart services when the access key is updated on the data store.
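The stop/start workaround described in this thread can be scripted against the ArcGIS Server Admin REST API so that the whole rotation (renew in Azure, edit the registered cloud store, restart the dependent ImageServer services) is one run rather than dozens of manual restarts. The following is an added example, not code from the original post, from Esri, or from the ENH; it assumes the Admin API paths `generateToken`, `data/items/<path>` and `data/items/<path>/edit`, `services/<folder>/report` and `services/<folder>/<name>.<type>/stop|start`, assumes that a `cloudStore` item keeps its `accountKey` inside the JSON string in `info.connectionString`, and assumes `az storage account keys renew --output json` prints the resulting key list. The admin URL, item path (`/cloudStores/az`), account and service names in the test data are constructed. The example also uses both Azure keys so the data store never holds a dead key: the key that nothing is using is renewed first, the data store is moved onto it, services are restarted one at a time, and only then is the key the services had been using retired.

```python
"""Push a rotated Azure storage account key through ArcGIS Server without republishing:
renew the key in Azure, write it into the registered cloud store data item, then
stop/start the dependent services so they re-read the data store credentials.
Network and CLI access go through injectable callables so the logic runs offline.
Assumed (not from the post): the Admin API paths and the cloudStore connectionString layout."""
import json
import subprocess
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Sequence

Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]  # POST form fields -> parsed JSON
Runner = Callable[[Sequence[str]], str]                    # run argv -> stdout

def http_post(url: str, fields: Dict[str, Any]) -> Dict[str, Any]:
    """Default Poster for the ArcGIS Server Admin REST API (form-encoded in, JSON out)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=60) as resp:
        return json.loads(resp.read().decode())

def run_cli(argv: Sequence[str]) -> str:
    """Default Runner: execute a command and return its stdout, raising on non-zero exit."""
    return subprocess.run(list(argv), check=True, capture_output=True, text=True).stdout

def check(resp: Dict[str, Any], what: str) -> Dict[str, Any]:
    """Admin API failures arrive as JSON with status=error, not as HTTP errors."""
    if resp.get("status") == "error" or "error" in resp:
        raise RuntimeError(f"{what} failed: {resp}")
    return resp

def rotate_azure_key(run: Runner, resource_group: str, account: str, key_name: str) -> str:
    """Renew 'primary' (key1) or 'secondary' (key2) and return the new value.
    Assumption: `az storage account keys renew -o json` prints the resulting key list."""
    out = run(["az", "storage", "account", "keys", "renew", "--resource-group", resource_group,
               "--account-name", account, "--key", key_name, "--output", "json"])
    wanted = "key1" if key_name == "primary" else "key2"
    for entry in json.loads(out):
        if entry.get("keyName") == wanted:
            return entry["value"]
    raise RuntimeError(f"{wanted} missing from az output")

def generate_token(post: Poster, admin_url: str, username: str, password: str) -> str:
    fields = {"username": username, "password": password, "client": "requestip", "f": "json"}
    return check(post(f"{admin_url}/generateToken", fields), "generateToken")["token"]

def with_new_account_key(item: Dict[str, Any], new_key: str) -> Dict[str, Any]:
    """Return a copy of a cloudStore data item with accountKey replaced.
    Assumption: info.connectionString is a JSON string holding accountName/accountKey."""
    updated = json.loads(json.dumps(item))  # deep copy; never mutate the caller's dict
    conn = json.loads(updated["info"]["connectionString"])
    if conn.get("credentialType", "accessKey") != "accessKey":
        raise ValueError("cloud store does not authenticate with an access key")
    conn["accountKey"] = new_key
    updated["info"]["connectionString"] = json.dumps(conn)
    return updated

def update_data_store_key(post: Poster, admin_url: str, token: str,
                          item_path: str, new_key: str) -> Dict[str, Any]:
    """Read the registered item (e.g. /cloudStores/azure), swap the key, write it back."""
    auth = {"token": token, "f": "json"}
    item = check(post(f"{admin_url}/data/items{item_path}", auth), "read item")
    updated = with_new_account_key(item, new_key)
    check(post(f"{admin_url}/data/items{item_path}/edit", {"item": json.dumps(updated), **auth}), "edit item")
    return updated

def restart_services(post: Poster, admin_url: str, token: str,
                     service_types: Sequence[str] = ("ImageServer",)) -> List[str]:
    """Stop and start every running service of the given types, one at a time; the
    System/Utilities folders are skipped. Returns 'folder/name' for each service restarted."""
    auth = {"token": token, "f": "json"}
    root = check(post(f"{admin_url}/services", auth), "list folders")
    folders = [""] + [f for f in root.get("folders", []) if f not in ("System", "Utilities")]
    restarted: List[str] = []
    for folder in folders:
        base = f"{admin_url}/services/{folder}" if folder else f"{admin_url}/services"
        report = check(post(f"{base}/report", auth), f"report {folder or '/'}")
        for svc in report.get("reports", []):
            if svc.get("type") not in service_types:
                continue
            if svc.get("status", {}).get("realTimeState") != "STARTED":
                continue  # a stopped service reads the new key whenever it is next started
            svc_url = f"{base}/{svc['serviceName']}.{svc['type']}"
            for op in ("stop", "start"):
                check(post(f"{svc_url}/{op}", auth), f"{op} {svc_url}")
            restarted.append(f"{folder}/{svc['serviceName']}" if folder else svc["serviceName"])
    return restarted

def rotate_and_propagate(run: Runner, post: Poster, admin_url: str, username: str, password: str,
                         resource_group: str, account: str, item_path: str,
                         switch_to: str = "secondary") -> List[str]:
    """Renew the key nobody is using, move the data store onto it, restart services,
    and only then retire the key the services were using until now."""
    new_key = rotate_azure_key(run, resource_group, account, switch_to)
    token = generate_token(post, admin_url, username, password)
    update_data_store_key(post, admin_url, token, item_path, new_key)
    restarted = restart_services(post, admin_url, token)
    rotate_azure_key(run, resource_group, account, "primary" if switch_to == "secondary" else "secondary")
    return restarted
```

Run it as `rotate_and_propagate(run_cli, http_post, "https://<host>/arcgis/admin", user, pw, rg, account, "/cloudStores/<name>")` from a host that is logged in to the Azure CLI; on the next rotation pass `switch_to="primary"` so the two keys alternate. The ACS file used for publishing from ArcGIS Pro still holds the old key and should be regenerated before the next publish, but as the thread notes, already published services only need the data store edit plus the restart.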