az keyvault storage

Manage storage accounts.

Commands

az keyvault storage add

Creates or updates a new storage account.

az keyvault storage backup

Backs up the specified storage account.

az keyvault storage list

List storage accounts managed by the specified key vault.

az keyvault storage list-deleted

Lists deleted storage accounts for the specified vault.

az keyvault storage purge

Permanently deletes the specified storage account.

az keyvault storage recover

Recovers the deleted storage account.

az keyvault storage regenerate-key

Regenerates the specified key value for the given storage account.

az keyvault storage remove

Remove a Key Vault managed Azure Storage Account and all associated SAS definitions. This operation requires the storage/delete permission.

az keyvault storage restore

Restores a backed up storage account to a vault.

az keyvault storage sas-definition

Manage storage account SAS definitions.

az keyvault storage sas-definition create

Creates or updates a new SAS definition for the specified storage account.

az keyvault storage sas-definition delete

Deletes a SAS definition from a specified storage account.

az keyvault storage sas-definition list

List storage SAS definitions for the given storage account.

az keyvault storage sas-definition list-deleted

Lists deleted SAS definitions for the specified vault and storage account.

az keyvault storage sas-definition recover

Recovers the deleted SAS definition.

az keyvault storage sas-definition show

Gets information about a SAS definition for the specified storage account.

az keyvault storage sas-definition show-deleted

Gets the specified deleted SAS definition.

az keyvault storage sas-definition update

Updates the specified attributes associated with the given SAS definition.

az keyvault storage show

Gets information about a specified storage account.

az keyvault storage show-deleted

Gets the specified deleted storage account.

az keyvault storage update

Updates the specified attributes associated with the given storage account.

az keyvault storage add

Creates or updates a new storage account.

az keyvault storage add --active-key-name
                        --name
                        --resource-id
                        --vault-name
                        [--auto-regenerate-key {false, true}]
                        [--disabled {false, true}]
                        [--regeneration-period]
                        [--tags]

Examples

Create a storage account and set up a vault to manage its keys

# Create the storage account and capture its resource id.
id=$(az storage account create -g resourcegroup -n storageacct --query id -o tsv)

# Assign the Azure Key Vault service the "Storage Account Key Operator Service Role" role.
az role assignment create --role "Storage Account Key Operator Service Role" --scope "$id" \
    --assignee cfa8b339-82a2-471a-a3c9-0fc0be7a4093

az keyvault storage add --vault-name vault -n storageacct --active-key-name key1 \
    --auto-regenerate-key --regeneration-period P90D --resource-id "$id"

Required Parameters

--active-key-name

Current active storage account key name.

--name -n

Name to identify the storage account in the vault.

--resource-id

Storage account resource id.

--vault-name

Name of the key vault.

Optional Parameters

--auto-regenerate-key

Whether keyvault should manage the storage account for the user.

accepted values: false, true

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--regeneration-period

The key regeneration time duration specified in ISO-8601 format, such as "P30D" for rotation every 30 days.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

az keyvault storage backup

Backs up the specified storage account.

Requests that a backup of the specified storage account be downloaded to the client. This operation requires the storage/backup permission.

az keyvault storage backup --file
                           [--id]
                           [--name]
                           [--vault-name]

Required Parameters

--file -f

Local file path in which to store storage account backup.

Optional Parameters

--id

Id of the storage account. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the storage account in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage list

List storage accounts managed by the specified key vault.

This operation requires the storage/list permission.

az keyvault storage list --vault-name
                         [--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault storage list-deleted

Lists deleted storage accounts for the specified vault.

The Get Deleted Storage Accounts operation returns the storage accounts that have been deleted for a vault enabled for soft-delete. This operation requires the storage/list permission.

az keyvault storage list-deleted --vault-name
                                 [--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault storage purge

Permanently deletes the specified storage account.

The purge deleted storage account operation removes the secret permanently, without the possibility of recovery. This operation can only be performed on a soft-delete enabled vault. This operation requires the storage/purge permission.

az keyvault storage purge --name
                          --vault-name

Required Parameters

--name -n

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

az keyvault storage recover

Recovers the deleted storage account.

Recovers the deleted storage account in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the storage/recover permission.

az keyvault storage recover --name
                            --vault-name

Required Parameters

--name -n

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

az keyvault storage regenerate-key

Regenerates the specified key value for the given storage account.

This operation requires the storage/regeneratekey permission.

az keyvault storage regenerate-key --key-name
                                   [--id]
                                   [--name]
                                   [--vault-name]

Required Parameters

--key-name

The storage account key name.

Optional Parameters

--id

Id of the storage account. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the storage account in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage remove

Remove a Key Vault managed Azure Storage Account and all associated SAS definitions. This operation requires the storage/delete permission.

az keyvault storage remove [--id]
                           [--name]
                           [--vault-name]

Examples

Remove a Key Vault managed Azure Storage Account and all associated SAS definitions (autogenerated)

az keyvault storage remove --name MyStorageAccount --vault-name MyVault

Optional Parameters

--id

Id of the storage account. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the storage account in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage restore

Restores a backed up storage account to a vault.

Restores a backed up storage account to a vault. This operation requires the storage/restore permission.

az keyvault storage restore --file-path
                            --vault-name

Required Parameters

--file-path

--vault-name

Name of the key vault.

az keyvault storage show

Gets information about a specified storage account.

This operation requires the storage/get permission.

az keyvault storage show [--id]
                         [--name]
                         [--vault-name]

Optional Parameters

--id

Id of the storage account. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the storage account in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage show-deleted

Gets the specified deleted storage account.

The Get Deleted Storage Account operation returns the specified deleted storage account along with its attributes. This operation requires the storage/get permission.

az keyvault storage show-deleted --name
                                 --vault-name

Required Parameters

--name -n

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

az keyvault storage update

Updates the specified attributes associated with the given storage account.

This operation requires the storage/set/update permission.

az keyvault storage update [--active-key-name]
                           [--auto-regenerate-key {false, true}]
                           [--disabled {false, true}]
                           [--id]
                           [--name]
                           [--regeneration-period]
                           [--tags]
                           [--vault-name]

Optional Parameters

--active-key-name

The current active storage account key name.

--auto-regenerate-key

Whether keyvault should manage the storage account for the user.

accepted values: false, true

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--id

Id of the storage account. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the storage account in the vault. Required if --id is not specified.

--regeneration-period

The key regeneration time duration specified in ISO-8601 format, such as "P30D" for rotation every 30 days.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the key vault. Required if --id is not specified.
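
Added example (not part of the Azure CLI documentation): a POSIX shell audit of the --auto-regenerate-key and --regeneration-period settings described under az keyvault storage add and az keyvault storage update. The function names, the whitespace-separated row format, the 90-day ceiling and the 30-day month / 365-day year approximation are assumptions made for this example.

```shell
# Added example: rotation audit for Key Vault managed storage accounts.
# Rows are "name auto-regenerate-key regeneration-period"; the sample is constructed.
MAX_DAYS=${MAX_DAYS:-90}   # assumed policy ceiling, not a documented default

# Convert a date-only ISO-8601 duration (PnYnMnWnD) to days, counting a month
# as 30 days and a year as 365. Returns 1 for anything else (for example PT12H).
period_to_days() {
    rest=${1#P}
    [ "$rest" != "$1" ] && [ -n "$rest" ] || return 1
    total=0
    while [ -n "$rest" ]; do
        digits=${rest%%[!0-9]*}
        [ -n "$digits" ] || return 1
        rest=${rest#"$digits"}
        num=${digits#"${digits%%[!0]*}"}   # strip leading zeros (avoid octal)
        case $rest in
            Y*) mult=365 ;; M*) mult=30 ;; W*) mult=7 ;; D*) mult=1 ;;
            *) return 1 ;;
        esac
        rest=${rest#?}
        total=$((total + ${num:-0} * mult))
    done
    echo "$total"
}

# Read rows on stdin, print one finding per non-compliant account and
# return non-zero when at least one finding was printed.
audit_rotation() {
    findings=0
    while read -r name auto period; do
        [ -n "$name" ] || continue
        if [ "$auto" != "true" ]; then
            echo "$name: auto-regenerate-key is off, the vault never rotates its keys"
        elif ! days=$(period_to_days "$period"); then
            echo "$name: cannot evaluate regeneration period '$period'"
        elif [ "$days" -gt "$MAX_DAYS" ]; then
            echo "$name: regeneration period $period ($days days) exceeds $MAX_DAYS days"
        else
            continue
        fi
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample rows, one managed storage account per line.
SAMPLE_ROWS='appdata true P90D
archive true P1Y
legacy false P30D
scratch true PT12H'
printf '%s\n' "$SAMPLE_ROWS" | audit_rotation || true
```

A non-zero return from audit_rotation can gate a pipeline step; the flagged accounts are then corrected with az keyvault storage update.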