Use Azure CLI for resource lock operations on Azure Cosmos DB for Table tables
APPLIES TO: Table
The script in this article demonstrates performing resource lock operations for a API for Table table.
To enable resource locking, the Azure Cosmos DB account must have the
disableKeyBasedMetadataWriteAccess property enabled. This property prevents any changes to resources from clients that connect via account keys, such as the Azure Cosmos DB Table SDK, Azure Storage Table SDK, or Azure portal. For more information, see Preventing changes from SDKs.
You need an Azure Cosmos DB for Table account, database, and table created. If you don't have an Azure subscription, create an Azure free account before you begin.
To create or delete resource locks, you must have the Owner role in your Azure subscription.
This script requires Azure CLI version 2.12.1 or later.
You can run the script in the Bash environment in Azure Cloud Shell. When Cloud Shell opens, make sure Bash appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.
Cloud Shell is automatically authenticated under the account you used to sign in to the Azure portal. You can use az account set to sign in with a different subscription, replacing
<subscriptionId>with your Azure subscription ID.
subscription="<subscriptionId>" # add subscription here az account set -s $subscription # ...or use 'az login'
If you prefer, you can install Azure CLI to run the script locally. Run az version to find the Azure CLI version and dependent libraries that are installed, and run az upgrade if you need to upgrade. If prompted, install Azure CLI extensions. If you're running Windows or macOS, consider running Azure CLI in a Docker container.
The following script uses Azure CLI az lock commands to manipulate resource locks on your Azure Cosmos DB for Table table. The script needs the
account name, and
table name for the Azure Cosmos DB account and table you created.
- az lock create creates a
CanNotDeleteresource lock on the table.
- az lock list lists all the lock information for your Azure Cosmos DB Table account.
- az lock delete uses az lock show to get the
idof the lock on your table, and then uses the
lockidproperty to delete the lock.
# Resource lock operations for a Table API table # Subscription owner permissions required for this script # Run this script after running # "https://docs.microsoft.com/azure/cosmos-db/scripts/cli/table/create#sample-script" # Variable block # Use values from prerequisite script or from your environment # resourceGroup="your resource group name" # account="your account name" # table="your table name" lockType='CanNotDelete' # CanNotDelete or ReadOnly tableParent="databaseAccounts/$account" tableResourceType="Microsoft.DocumentDB/tables" tableLock='$table-Lock' # Create a delete lock on table echo "Creating $lockType lock on $table" az lock create --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --lock-type $lockType --parent $tableParent --resource $table # List all locks on a Cosmos account echo "Listing locks on $account" az lock list --resource-group $resourceGroup --resource-name $account --namespace Microsoft.DocumentDB --resource-type databaseAccounts # Delete lock on table echo "Deleting $tableLock on $table" lockid=$(az lock show --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --resource $table --parent $tableParent --output tsv --query id) az lock delete --ids $lockid
Clean up resources
If you no longer need the resources you created, use the az group delete command to delete the resource group and all resources it contains. These resources include the Azure Cosmos DB account and table. The resources might take a while to delete.
az group delete --name $resourceGroup