az storage blob access

Note

This reference is part of the storage-preview extension for the Azure CLI (version 2.50.0 or higher). The extension will automatically install the first time you run an az storage blob access command. Learn more about extensions.

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

This command group has been deprecated and will be removed in a future release. Use 'az storage fs access' instead. For more information, go to https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/storage/docs/ADLS%20Gen2.md

Manage the access control properties of a blob when Hierarchical Namespace is enabled.

Commands

Name                           Description                                      Type       Status
az storage blob access set     Set the access control properties of a blob.     Extension  Preview and Deprecated
az storage blob access show    Show the access control properties of a blob.    Extension  Preview and Deprecated
az storage blob access update  Update the access control properties of a blob.  Extension  Preview and Deprecated

az storage blob access set

Preview Deprecated

This command is implicitly deprecated because command group 'storage blob access' is deprecated and will be removed in a future release. Use 'az storage fs access' instead.

Set the access control properties of a blob.

az storage blob access set --acl-spec
                           --blob-name
                           --container-name
                           [--account-key]
                           [--account-name]
                           [--auth-mode {key, login}]
                           [--connection-string]
                           [--if-match]
                           [--if-modified-since]
                           [--if-none-match]
                           [--if-unmodified-since]
                           [--lease-id]
                           [--sas-token]
                           [--timeout]

Examples

Set the access control properties of a blob.

az storage blob access set -a "user::rwx,group::r--,other::---" -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--acl-spec -a

The ACL specification to set on the path in the format "[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,...", e.g. "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx".

--blob-name -b

The blob name.

--container-name -c

The container name.
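
Added example (not part of the Azure CLI or of this reference): a POSIX shell lint for an --acl-spec string in the format documented above, meant to run before the value is passed to az storage blob access set. The function name acl_spec_lint and its two policy checks (any access for other, write access for a named user or group) are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not Azure CLI code; the policy checks are assumptions.
# acl_spec_lint SPEC prints one finding per line.
# Status: 0 clean, 1 policy finding, 2 entry not in the documented format.
# The "( )" body runs in a subshell so IFS and noglob changes do not leak.
acl_spec_lint() (
    spec=$1
    rc=0
    [ -n "$spec" ] || { printf '%s\n' "malformed: empty spec"; return 2; }
    IFS=,
    set -f
    for entry in $spec; do
        scope=access
        body=$entry
        case $body in
            default:*) scope=default; body=${body#default:} ;;
        esac
        # Shape check: exactly type:qualifier:perms, perms such as r-x.
        case $body in
            *:*:*:*) printf '%s\n' "malformed: $entry"; rc=2; continue ;;
            user:*:[r-][w-][x-] | group:*:[r-][w-][x-]) ;;
            other:*:[r-][w-][x-] | mask:*:[r-][w-][x-]) ;;
            *) printf '%s\n' "malformed: $entry"; rc=2; continue ;;
        esac
        type=${body%%:*}
        rest=${body#*:}
        qualifier=${rest%:*}     # entity id or UPN; empty for owner entries
        perms=${rest##*:}
        finding=
        case $type:$qualifier:$perms in
            other:*:---) ;;
            other:*) finding="other-access: $scope ACL grants $perms to everyone" ;;
            user::* | group::* | mask:*) ;;
            *:?w?) finding="named-write: $scope ACL lets $type $qualifier write" ;;
        esac
        if [ -n "$finding" ]; then
            printf '%s\n' "$finding"
            [ "$rc" -ge 1 ] || rc=1
        fi
    done
    return "$rc"
)
```

A non-zero status can gate the az call in a deployment script, for example `acl_spec_lint "$SPEC" && az storage blob access set -a "$SPEC" ...`.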

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage blob access show

Preview Deprecated

This command is implicitly deprecated because command group 'storage blob access' is deprecated and will be removed in a future release. Use 'az storage fs access' instead.

Show the access control properties of a blob.

az storage blob access show --blob-name
                            --container-name
                            [--account-key]
                            [--account-name]
                            [--auth-mode {key, login}]
                            [--connection-string]
                            [--if-match]
                            [--if-modified-since]
                            [--if-none-match]
                            [--if-unmodified-since]
                            [--lease-id]
                            [--sas-token]
                            [--timeout]
                            [--user-principle-names]

Examples

Show the access control properties of a blob.

az storage blob access show -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--blob-name -b

The blob name.

--container-name -c

The container name.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

--user-principle-names

Valid only when Hierarchical Namespace is enabled for the account. If "true", the user identity values returned for owner, group, and acl will be transformed from Azure Active Directory Object IDs to User Principal Names. If "false", the values will be returned as Azure Active Directory Object IDs. The default value is false. Note that group and application Object IDs are not translated because they do not have unique friendly names.

default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage blob access update

Preview Deprecated

This command is implicitly deprecated because command group 'storage blob access' is deprecated and will be removed in a future release. Use 'az storage fs access' instead.

Update the access control properties of a blob.

az storage blob access update --blob-name
                              --container-name
                              [--account-key]
                              [--account-name]
                              [--acl-spec]
                              [--auth-mode {key, login}]
                              [--connection-string]
                              [--group]
                              [--if-match]
                              [--if-modified-since]
                              [--if-none-match]
                              [--if-unmodified-since]
                              [--lease-id]
                              [--owner]
                              [--permissions]
                              [--sas-token]
                              [--timeout]

Examples

Update the access permissions of a blob.

az storage blob access update --permissions "rwxrwxrwx" -b MyBlob -c MyContainer --account-name MyStorageAccount

Update the owning user of a blob.

az storage blob access update --owner [entityId/UPN] -b MyBlob -c MyContainer --account-name MyStorageAccount

Update the owning group of a blob.

az storage blob access update --group [entityId/UPN] -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--blob-name -b

The blob name.

--container-name -c

The container name.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--acl-spec -a

The ACL specification to set on the path in the format "[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,...", e.g. "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx".

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--group

The owning group for the directory.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--owner

The owning user for the directory.

--permissions

The POSIX access permissions for the file owner, the file owning group, and others. Both symbolic (rwxrw-rw-) and 4-digit octal notation (e.g. 0766) are supported.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.