az storage blob access

Manage the access control properties of a blob when Hierarchical Namespace is enabled.

Commands

az storage blob access set

Set the access control properties of a blob.

az storage blob access show

Show the access control properties of a blob.

az storage blob access update

Update the access control properties of a blob.

az storage blob access set

Set the access control properties of a blob.

az storage blob access set --acl-spec
                           --blob-name
                           --container-name
                           [--account-key]
                           [--account-name]
                           [--auth-mode {key, login}]
                           [--connection-string]
                           [--if-match]
                           [--if-modified-since]
                           [--if-none-match]
                           [--if-unmodified-since]
                           [--lease-id]
                           [--sas-token]
                           [--timeout]

Examples

Set the access control properties of a blob.

az storage blob access set -a "user::rwx,group::r--,other::---" -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--acl-spec -a

The ACL specification to set on the path in the format "[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,...". For example: "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx".

--blob-name -b

The blob name.

--container-name -c

The container name.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

az storage blob access show

Show the access control properties of a blob.

az storage blob access show --blob-name
                            --container-name
                            [--account-key]
                            [--account-name]
                            [--auth-mode {key, login}]
                            [--connection-string]
                            [--if-match]
                            [--if-modified-since]
                            [--if-none-match]
                            [--if-unmodified-since]
                            [--lease-id]
                            [--sas-token]
                            [--timeout]
                            [--user-principle-names]

Examples

Show the access control properties of a blob.

az storage blob access show -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--blob-name -b

The blob name.

--container-name -c

The container name.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

--user-principle-names

Valid only when Hierarchical Namespace is enabled for the account. If "true", the user identity values returned for owner, group, and acl will be transformed from Azure Active Directory Object IDs to User Principal Names. If "false", the values will be returned as Azure Active Directory Object IDs. The default value is false. Note that group and application Object IDs are not translated because they do not have unique friendly names.

az storage blob access update

Update the access control properties of a blob.

az storage blob access update --blob-name
                              --container-name
                              [--account-key]
                              [--account-name]
                              [--acl-spec]
                              [--auth-mode {key, login}]
                              [--connection-string]
                              [--group]
                              [--if-match]
                              [--if-modified-since]
                              [--if-none-match]
                              [--if-unmodified-since]
                              [--lease-id]
                              [--owner]
                              [--permissions]
                              [--sas-token]
                              [--timeout]

Examples

Update the access permissions of a blob.

az storage blob access update --permissions "rwxrwxrwx" -b MyBlob -c MyContainer --account-name MyStorageAccount

Update the owning user of a blob.

az storage blob access update --owner [entityId/UPN] -b MyBlob -c MyContainer --account-name MyStorageAccount

Update the owning group of a blob.

az storage blob access update --group [entityId/UPN] -b MyBlob -c MyContainer --account-name MyStorageAccount

Required Parameters

--blob-name -b

The blob name.

--container-name -c

The container name.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither is present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed, the API quota may be hit.

--acl-spec -a

The ACL specification to set on the path in the format "[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,[default:]user|group|other|mask:[entity id or UPN]:r|-w|-x|-,...". For example: "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx".
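A pre-flight check for the --acl-spec string accepted by both `access set` and `access update`, added here as an example that is not part of the Azure CLI or its documentation: it parses the documented entry format and flags entries worth reviewing before the ACL is applied. The function names and the two lint rules are assumptions of this example, as is rejecting an entity on `other` and `mask` entries.

```python
import re

# One entry of the --acl-spec format: [default:]type:[entity id or UPN]:rwx
ENTRY_RE = re.compile(
    r"^(?P<default>default:)?(?P<type>user|group|other|mask):"
    r"(?P<entity>[^:,]*):(?P<perms>[r-][w-][x-])$"
)

def parse_acl_spec(spec):
    """Split an --acl-spec string into entry dicts; raise ValueError if malformed."""
    entries = []
    for raw in spec.split(","):
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        # Assumption (POSIX ACL convention): other and mask never name an entity.
        if m["type"] in ("other", "mask") and m["entity"]:
            raise ValueError(f"{m['type']} entry must not name an entity: {raw!r}")
        entries.append({
            "default": m["default"] is not None,
            "type": m["type"],
            "entity": m["entity"],
            "perms": m["perms"],
        })
    return entries

def lint_acl_spec(spec):
    """Return review findings; the two rules are this example's policy, not Azure's."""
    findings = []
    for e in parse_acl_spec(spec):
        scope = "default " if e["default"] else ""
        # Rule 1: anything other than --- on "other" reaches principals not listed.
        if e["type"] == "other" and e["perms"] != "---":
            findings.append(f"{scope}other:: grants {e['perms']}")
        # Rule 2: write access for a named user or group deserves a second look.
        if e["entity"] and "w" in e["perms"]:
            findings.append(f"{scope}named {e['type']} {e['entity']} has write")
    return findings

if __name__ == "__main__":
    # Constructed input: the sample spec from the parameter description above.
    sample = "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx"
    for finding in lint_acl_spec(sample):
        print(finding)
```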

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

accepted values: key, login

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--group

The owning group for the directory.

--if-match

An ETag value. Specify this header to perform the operation only if the resource's ETag matches the value specified. The ETag must be specified in quotes.

--if-modified-since

Alter only if modified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--if-none-match

An ETag value or the special wildcard ("*") value. Specify this header to perform the operation only if the resource's ETag does not match the value specified. The ETag must be specified in quotes.

--if-unmodified-since

Alter only if unmodified since supplied UTC datetime (Y-m-d'T'H:M'Z').

--lease-id

Required if the path has an active lease.

--owner

The owning user for the directory.

--permissions

The POSIX access permissions for the file owner, the file owning group, and others. Both symbolic (rwxrw-rw-) and 4-digit octal notation (e.g. 0766) are supported.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.