articles/storage/common/authorize-data-operations-cli.md
9 additions & 5 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Authorize access to blob or queue data with Azure CLI
3
3
titleSuffix: Azure Storage
4
-
description: Azure CLI supports signing in with Azure AD credentials to run commands on Azure Storage blob and queue data. An access token is provided for the session and used to authorize calling operations. Permissions depend on the RBAC role assigned to the Azure AD security principal.
4
+
description: Specify how to authorize data operations against blob or queue data with the Azure CLI. You can authorize data operations using Azure AD credentials, with the account access key, or with a shared access signature (SAS) token.
5
5
services: storage
6
6
author: tamram
7
7
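Review bot: the new description drops the statement from the removed line that permissions under Azure AD authorization depend on the RBAC role assigned to the security principal. Consider keeping one clause on that, since it is the point that distinguishes `login` mode from the account key and SAS options the new description now lists.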
@@ -29,6 +29,9 @@ Azure CLI commands for reading and writing blob and queue data include the optio
29
29
30
30
To use the `--auth-mode` parameter, make sure that you have installed Azure CLI version 2.0.46 or later. Run `az --version` to check your installed version.
31
31
32
+
> [!IMPORTANT]
33
+
> Microsoft recommends that you explicitly specify how each data operation is to be authorized. You can either provide the `--auth-mode` parameter for every data operation, or you can specify the appropriate authorization parameters in environment variables as described in the section titled [Set environment variables for authorization parameters](#set-environment-variables-for-authorization-parameters). If you do not specify how a data operation is to be authorized, then the Azure CLI attempts to call the Azure Storage resource provider to retrieve the account access keys for each operation. Performing many data operations that require a call to the resource provider may result in throttling. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](scalability-targets-resource-provider.md)
34
+
32
35
## Authorize with Azure AD credentials
33
36
34
37
When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by Azure CLI to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command.
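Review bot: the added callout ends without a period after the link to scalability-targets-resource-provider.md. It would also help to say in the same callout that the fallback it describes retrieves the account access key, so an operation the user expected to run under Azure AD credentials runs with the account key instead; the page already states below that the account key is less secure, so a short cross-reference here would show that specifying `--auth-mode` matters for more than throttling.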
@@ -63,12 +66,13 @@ The following example shows how to create a container from Azure CLI using your
63
66
64
67
If you possess the account key, you can call any Azure Storage data operation. In general, using the account key is less secure. If the account key is compromised, all data in your account may be compromised.
65
68
66
-
The following example shows how to create a container using the account access key:
69
+
The following example shows how to create a container using the account access key. Specify the account key, and provide the `--auth-mode` parameter with the `key` value:
67
70
68
71
```azurecli
69
72
az storage container create \
70
73
--account-name <storage-account> \
71
74
--name sample-container \
75
+
--account-key <key>
72
76
--auth-mode key
73
77
```
74
78
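Review bot: the added line `--account-key <key>` is missing the trailing backslash that the other continued lines in this example carry, so in a shell the following `--auth-mode key` line would be parsed as a separate command rather than as part of `az storage container create`. Change it to `--account-key <key> \`.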
@@ -89,11 +93,11 @@ You can specify authorization parameters in environment variables to avoid inclu
| AZURE_STORAGE_ACCOUNT | The storage account name. This variable must be used in conjunction with either the storage account key or a SAS token. If neither are present, the command will attempt to query the storage account key using the authenticated Azure AD account. If a large number of storage commands are executed at one time, the API throttling limit may be reached. |
96
+
| AZURE_STORAGE_ACCOUNT | The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Azure AD account. If a large number of commands are executed at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](scalability-targets-resource-provider.md). |
93
97
| AZURE_STORAGE_KEY | The storage account key. This variable must be used in conjunction with the storage account name. |
94
-
| AZURE_STORAGE_CONNECTION_STRING | A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name. |
98
+
| AZURE_STORAGE_CONNECTION_STRING | A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name. |
95
99
| AZURE_STORAGE_SAS_TOKEN | A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name. |
96
-
| AZURE_STORAGE_AUTH_MODE | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI will use your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI will attempt to query for the account access key and authorize the command with the key. |
100
+
| AZURE_STORAGE_AUTH_MODE | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI uses your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key. |
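Review bot: the AZURE_STORAGE_CONNECTION_STRING row is removed and re-added with identical text, which looks like a whitespace-only change; either drop it from the diff or confirm it is intentional. In the AZURE_STORAGE_ACCOUNT row, "should be used in conjunction with either the storage account key or a SAS token" omits the option this page recommends: setting AZURE_STORAGE_AUTH_MODE to `login`, which avoids the access-key retrieval and the throttling the row warns about. Suggest "...in conjunction with the storage account key, a SAS token, or AZURE_STORAGE_AUTH_MODE set to `login`."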