azcopy login

Logs in to Azure Active Directory to access Azure Storage resources.


Log in to Azure Active Directory to access Azure Storage resources.

To be authorized to your Azure Storage account, you must assign the Storage Blob Data Contributor role to your user account in the context of either the Storage account, parent resource group, or parent subscription.

This command caches encrypted login information for the current user by using the OS built-in mechanisms.


If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history, you can use a script to prompt the user for their credentials, and to set the environment variable.

azcopy login [flags] --aad-endpoint


Log in interactively with the default AAD tenant ID set to common:

azcopy login --aad-endpoint

Log in interactively with a specified tenant ID:

azcopy login --tenant-id "[TenantID]" --aad-endpoint

Log in by using the system-assigned identity of a Virtual Machine (VM):

azcopy login --identity --aad-endpoint

Log in by using the user-assigned identity of a VM and a Client ID of the service identity:

azcopy login --identity --identity-client-id "[ServiceIdentityClientID]" --aad-endpoint

Log in by using the user-assigned identity of a VM and an Object ID of the service identity:

azcopy login --identity --identity-object-id "[ServiceIdentityObjectID]" --aad-endpoint

Log in by using the user-assigned identity of a VM and a Resource ID of the service identity:

azcopy login --identity --identity-resource-id "/subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID" --aad-endpoint

Log in as a service principal by using a client secret. Set the environment variable AZCOPY_SPA_CLIENT_SECRET to the client secret for secret-based service principal auth:

azcopy login --service-principal --application-id <your service principal's application ID> --aad-endpoint

Log in as a service principal by using a certificate and its password:

Set the environment variable AZCOPY_SPA_CERT_PASSWORD to the certificate's password for cert-based service principal auth:

azcopy login --service-principal --certificate-path /path/to/my/cert --application-id <your service principal's application ID> --aad-endpoint

Treat /path/to/my/cert as a path to a PEM or PKCS12 file. AzCopy does not reach into the system cert store to obtain your certificate.

--certificate-path is mandatory when doing cert-based service principal auth.
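The note near the top about command-line history suggests a script that prompts for the credential. The following added example, which is not part of the AzCopy documentation, does that for both service-principal variables. The script name spn-login.sh and the function names are hypothetical, and --aad-endpoint is left out so the default endpoint is used.

```shell
#!/bin/sh
# Added example (not from the AzCopy documentation). The script name
# spn-login.sh and both function names are hypothetical.

# prompt_secret PROMPT: show PROMPT on stderr, read one line from stdin with
# terminal echo off, write the value to stdout.
prompt_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        _old_tty=$(stty -g)
        trap 'stty "$_old_tty"; exit 130' INT TERM
        stty -echo
        IFS= read -r _secret || :
        stty "$_old_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r _secret || :   # piped input, e.g. from a secret store
    fi
    printf '%s' "$_secret"
}

# with_secret_env NAME VALUE COMMAND [ARGS...]: run COMMAND with NAME=VALUE
# exported inside a subshell only. export is a shell builtin, so the value
# is never passed as a process argument and the calling shell's environment
# is left unchanged.
with_secret_env() {
    _name=$1 _value=$2
    shift 2
    case $_name in
        AZCOPY_SPA_CLIENT_SECRET|AZCOPY_SPA_CERT_PASSWORD) ;;
        *) echo "refusing unexpected variable: $_name" >&2; return 2 ;;
    esac
    ( export "$_name=$_value"; exec "$@" )
}

# Usage: sh spn-login.sh login <application-id> [certificate-path]
if [ "${1:-}" = "login" ] && [ -n "${2:-}" ]; then
    if [ -n "${3:-}" ]; then
        secret=$(prompt_secret 'Certificate password: ')
        with_secret_env AZCOPY_SPA_CERT_PASSWORD "$secret" azcopy login \
            --service-principal --certificate-path "$3" --application-id "$2"
    else
        secret=$(prompt_secret 'Client secret: ')
        with_secret_env AZCOPY_SPA_CLIENT_SECRET "$secret" azcopy login \
            --service-principal --application-id "$2"
    fi
    unset secret
fi
```

Because the secret is typed at a prompt and exported only inside the subshell that runs azcopy, it is not written to shell history and does not remain in the interactive shell's environment afterwards.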


--aad-endpoint string The Azure Active Directory endpoint to use. The default is correct for the public Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity.

--application-id string Application ID of user-assigned identity. Required for service principal auth.

--certificate-path string Path to certificate for SPN authentication. Required for certificate-based service principal auth.

--help help for the azcopy login command.

--identity Log in using the virtual machine's identity, also known as managed service identity (MSI).

--identity-client-id string Client ID of user-assigned identity.

--identity-object-id string Object ID of user-assigned identity.

--identity-resource-id string Resource ID of user-assigned identity.

--service-principal Log in via Service Principal Name (SPN) by using a certificate or a secret. The client secret or certificate password must be placed in the appropriate environment variable. Type AzCopy env to see names and descriptions of environment variables.

--tenant-id string The Azure Active Directory tenant ID to use for OAuth device interactive login.

Options inherited from parent commands

Option Description

--cap-mbps float Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

--output-type string Format of the command's output. The choices include: text, json. The default value is "text".

--trusted-microsoft-suffixes string Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is ';;;'. Any listed here are added to the default. For security, you should only put Azure domains here. Separate multiple entries with semicolons.

See also