az storage fs access
Manage file system access and permissions for Azure Data Lake Storage Gen2 account.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az storage fs access remove-recursive |
Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. |
Core | GA |
| az storage fs access set |
Set the access control properties of a path(directory or file) in Azure Data Lake Storage Gen2 account. |
Core | GA |
| az storage fs access set-recursive |
Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. |
Core | GA |
| az storage fs access show |
Show the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account. |
Core | GA |
| az storage fs access update-recursive |
Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. |
Core | GA |
az storage fs access remove-recursive
Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access remove-recursive --acl
--file-system
--path
[--account-key]
[--account-name]
[--auth-mode {key, login}]
[--batch-size]
[--blob-endpoint]
[--connection-string]
[--continuation]
[--continue-on-failure {false, true}]
[--max-batches]
[--sas-token]
[--timeout]Examples
Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access remove-recursive --acl "default:user:21cd756e-e290-4a26-9547-93e8cc1a8923" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000Required Parameters
Remove POSIX access control rights on files and directories. The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, and a user or group identifier in the format "[scope:][type]:[id]".
File system name (i.e. container name).
The path to a file or directory in the specified file system.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.
The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.
Optional. If data set size exceeds batch size then operation will be split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
Optional continuation token that can be used to resume previously stopped operation.
If set to False, the operation will terminate quickly on encountering user errors (4XX). If True, the operation will ignore user errors and proceed with the operation on other sub-entities of the directory. Continuation token will only be returned when --continue-on-failure is True in case of user errors. If not set the default value is False for this.
Optional. Define maximum number of batches that single change Access Control operation can execute. If maximum is reached before all sub-paths are processed, then continuation token can be used to resume operation. Empty value indicates that maximum number of batches in unbound and operation continues till end.
A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.
Request timeout in seconds. Applies to each call to the service.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az storage fs access set
Set the access control properties of a path(directory or file) in Azure Data Lake Storage Gen2 account.
az storage fs access set --file-system
--path
[--account-key]
[--account-name]
[--acl]
[--auth-mode {key, login}]
[--blob-endpoint]
[--connection-string]
[--group]
[--owner]
[--permissions]
[--sas-token]Examples
Set the access control list of a path.
az storage fs access set --acl "user::rwx,group::r--,other::---" -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000Set permissions of a path.
az storage fs access set --permissions "rwxrwx---" -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000Set owner of a path.
az storage fs access set --owner example@microsoft.com -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000Set owning group of a path.
az storage fs access set --group 68390a19-a897-236b-b453-488abf67b4dc -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000Required Parameters
File system name (i.e. container name).
The path to a file or directory in the specified file system.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.
Invalid in conjunction with acl. POSIX access control rights on files and directories in the format "[scope:][type]:[id]:[permissions]". e.g. "user::rwx,group::r--,other::---,mask::rwx".
The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". The scope must be "default" to indicate the ACE belongs to the default ACL for a directory; otherwise scope is implicit and the ACE belongs to the access ACL. There are four ACE types: "user" grants rights to the owner or a named user, "group" grants rights to the owning group or a named group, "mask" restricts rights granted to named users and the members of groups, and "other" grants rights to all users not found in any of the other entries. The user or group identifier is omitted for entries of type "mask" and "other". The user or group identifier is also omitted for the owner and owning group. For example, the following ACL grants read, write, and execute rights to the file owner an john.doe@contoso, the read right to the owning group, and nothing to everyone else: "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx". For more information, please refer to https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.
The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
The owning group of the file or directory. The group Azure Active Directory object ID or user principal name to set as the owning group. For more information, please refer to https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#changing-the-owning-group.
The owning user of the file or directory. The user Azure Active Directory object ID or user principal name to set as the owner. For more information, please refer to https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#the-owning-user.
Invalid in conjunction with acl. POSIX access permissions for the file owner, the file owning group, and others. Each class may be granted read(r), write(w), or execute(x) permission. Both symbolic (rwxrw-rw-) and 4-digit octal notation (e.g. 0766) are supported.'.
A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az storage fs access set-recursive
Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access set-recursive --acl
--file-system
--path
[--account-key]
[--account-name]
[--auth-mode {key, login}]
[--batch-size]
[--blob-endpoint]
[--connection-string]
[--continuation]
[--continue-on-failure {false, true}]
[--max-batches]
[--sas-token]
[--timeout]Examples
Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access set-recursive --acl "default:user:21cd756e-e290-4a26-9547-93e8cc1a8923:rwx" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000Required Parameters
The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". For more information, please refer to https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.
File system name (i.e. container name).
The path to a file or directory in the specified file system.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.
The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.
Optional. If data set size exceeds batch size then operation will be split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
Optional continuation token that can be used to resume previously stopped operation.
If set to False, the operation will terminate quickly on encountering user errors (4XX). If True, the operation will ignore user errors and proceed with the operation on other sub-entities of the directory. Continuation token will only be returned when --continue-on-failure is True in case of user errors. If not set the default value is False for this.
Optional. Define maximum number of batches that single change Access Control operation can execute. If maximum is reached before all sub-paths are processed, then continuation token can be used to resume operation. Empty value indicates that maximum number of batches in unbound and operation continues till end.
A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.
Request timeout in seconds. Applies to each call to the service.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az storage fs access show
Show the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account.
az storage fs access show --file-system
--path
[--account-key]
[--account-name]
[--auth-mode {key, login}]
[--blob-endpoint]
[--connection-string]
[--sas-token]Examples
Show the access control properties of a path.
az storage fs access show -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000Required Parameters
File system name (i.e. container name).
The path to a file or directory in the specified file system.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.
The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az storage fs access update-recursive
Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access update-recursive --acl
--file-system
--path
[--account-key]
[--account-name]
[--auth-mode {key, login}]
[--batch-size]
[--blob-endpoint]
[--connection-string]
[--continuation]
[--continue-on-failure {false, true}]
[--max-batches]
[--sas-token]
[--timeout]Examples
Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.
az storage fs access update-recursive --acl "user::r-x" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000Required Parameters
The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". For more information, please refer to https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.
File system name (i.e. container name).
The path to a file or directory in the specified file system.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.
The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.
Optional. If data set size exceeds batch size then operation will be split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.
Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
Optional continuation token that can be used to resume previously stopped operation.
If set to False, the operation will terminate quickly on encountering user errors (4XX). If True, the operation will ignore user errors and proceed with the operation on other sub-entities of the directory. Continuation token will only be returned when --continue-on-failure is True in case of user errors. If not set the default value is False for this.
Optional. Define maximum number of batches that single change Access Control operation can execute. If maximum is reached before all sub-paths are processed, then continuation token can be used to resume operation. Empty value indicates that maximum number of batches in unbound and operation continues till end.
A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.
Request timeout in seconds. Applies to each call to the service.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for