i recently ran into a scenario where we found the primary storage account key was being logged in telemetry, so we needed to roll the keys (switch dependent services to use the second key, which i could accomplish with pulumi -- but then i couldn't finish up by regenerating the first key)