Merge pull request #105935 from tamram/tamram-0227a

megvanhuygen · web-flow · commit 353c6f837519 · 2020-02-28T15:26:11.000-08:00
adding environment var info to CLI auth content
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -25893,6 +25893,11 @@
       "redirect_url": "/azure/storage/common/storage-account-create",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/storage/common/authorize-active-directory-cli.md",
+      "redirect_url": "/azure/storage/common/authorize-data-operations-cli",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/storage/common/storage-account-manage.md",
       "redirect_url": "/azure/storage/common/storage-account-keys-manage",
diff --git a/articles/storage/blobs/TOC.yml b/articles/storage/blobs/TOC.yml
@@ -284,7 +284,7 @@
           - name: PowerShell
             href: ../common/authorize-active-directory-powershell.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
           - name: Azure CLI
-            href: ../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+            href: ../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
         - name: Manage access rights with RBAC
           items:
           - name: Portal
diff --git a/articles/storage/blobs/storage-quickstart-blobs-cli.md b/articles/storage/blobs/storage-quickstart-blobs-cli.md
@@ -24,7 +24,7 @@ The Azure CLI is Azure's command-line experience for managing Azure resources. Y
 
 [!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
 
-## Use the Azure CLI locally
+## Install the Azure CLI locally
 
 If you choose to install and use the Azure CLI locally, this quickstart requires that you are running the Azure CLI version 2.0.46 or later. Run `az --version` to determine your version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
 
@@ -34,11 +34,13 @@ If you are running the Azure CLI locally, you must log in and authenticate. This
 az login
 ```
 
+For more information about authentication` with Azure CLI, see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
+
 ## Authorize access to Blob storage
 
 You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. Using Azure AD credentials is recommended. This article shows how to authorize Blob storage operations using Azure AD.
 
-Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Run Azure CLI commands with Azure AD credentials to access blob or queue data](../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json).
+Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json).
 
 Only Blob storage data operations support the `--auth-mode` parameter. Management operations, such as creating a resource group or storage account, automatically use Azure AD credentials for authorization.
 
diff --git a/articles/storage/common/authorize-active-directory-cli.md b/articles/storage/common/authorize-active-directory-cli.md
diff --git a/articles/storage/common/authorize-data-operations-cli.md b/articles/storage/common/authorize-data-operations-cli.md
@@ -0,0 +1,107 @@
+---
+title: Authorize access to blob or queue data with Azure CLI
+titleSuffix: Azure Storage
+description: Specify how to authorize data operations against blob or queue data with the Azure CLI. You can authorize data operations using Azure AD credentials, with the account access key, or with a shared access signature (SAS) token. 
+services: storage
+author: tamram
+
+ms.service: storage
+ms.topic: how-to
+ms.date: 02/26/2020
+ms.author: tamram
+ms.reviewer: cbrooks
+ms.subservice: common
+---
+
+# Authorize access to blob or queue data with Azure CLI
+
+Azure Storage provides extensions for Azure CLI that enable you to specify how you want to authorize operations on blob or queue data. You can authorize data operations in the following ways:
+
+- With an Azure Active Directory (Azure AD) security principal. Microsoft recommends using Azure AD credentials for superior security and ease of use.
+- With the account access key or a shared access signature (SAS) token.
+
+## Specify how data operations are authorized
+
+Azure CLI commands for reading and writing blob and queue data include the optional `--auth-mode` parameter. Specify this parameter to indicate how a data operation is to be authorized:
+
+- Set the `--auth-mode` parameter to `login` to sign in using an Azure AD security principal (recommended).
+- Set the `--auth-mode` parameter to the legacy `key` value to attempt to retrieve the account access key to use for authorization. If you omit the `--auth-mode` parameter, then the Azure CLI also attempts to retrieve the access key.
+
+To use the `--auth-mode` parameter, make sure that you have installed Azure CLI version 2.0.46 or later. Run `az --version` to check your installed version.
+
+> [!IMPORTANT]
+> If you omit the `--auth-mode` parameter or set it to `key`, then the Azure CLI attempts to use the account access key for authorization. In this case, Microsoft recommends that you provide the access key either on the command or in the **AZURE_STORAGE_KEY** environment variable. For more information about environment variables, see the section titled [Set environment variables for authorization parameters](#set-environment-variables-for-authorization-parameters).
+>
+> If you do not provide the access key, then the Azure CLI attempts to call the Azure Storage resource provider to retrieve it for each operation. Performing many data operations that require a call to the resource provider may result in throttling. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](scalability-targets-resource-provider.md).
+
+## Authorize with Azure AD credentials
+
+When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by Azure CLI to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command.
+
+You can assign permissions to blob and queue data to an Azure AD security principal via role-based access control (RBAC). For more information about RBAC roles in Azure Storage, see [Manage access rights to Azure Storage data with RBAC](storage-auth-aad-rbac.md).
+
+### Permissions for calling data operations
+
+The Azure Storage extensions are supported for operations on blob and queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI. Permissions to Azure Storage containers or queues are assigned via RBAC. For example, if you are assigned the **Blob Data Reader** role, then you can run scripting commands that read data from a container or queue. If you are assigned the **Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or queue or the data they contain.
+
+For details about the permissions required for each Azure Storage operation on a container or queue, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens).  
+
+### Example: Authorize an operation to create a container with Azure AD credentials
+
+The following example shows how to create a container from Azure CLI using your Azure AD credentials. To create the container, you'll need to log in to the Azure CLI, and you'll need a resource group and a storage account. To learn how to create these resources, see [Quickstart: Create, download, and list blobs with Azure CLI](../blobs/storage-quickstart-blobs-cli.md).
+
+1. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning RBAC roles, see [Grant access to Azure blob and queue data with RBAC in the Azure portal](storage-auth-aad-rbac.md).
+
+    > [!IMPORTANT]
+    > RBAC role assignments may take a few minutes to propagate.
+
+1. Call the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command with the `--auth-mode` parameter set to `login` to create the container using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:
+
+    ```azurecli
+    az storage container create \
+        --account-name <storage-account> \
+        --name sample-container \
+        --auth-mode login
+    ```
+
+## Authorize with the account access key
+
+If you possess the account key, you can call any Azure Storage data operation. In general, using the account key is less secure. If the account key is compromised, all data in your account may be compromised.
+
+The following example shows how to create a container using the account access key. Specify the account key, and provide the `--auth-mode` parameter with the `key` value:
+
+```azurecli
+az storage container create \
+    --account-name <storage-account> \
+    --name sample-container \
+    --account-key <key>
+    --auth-mode key
+```
+
+## Authorize with a SAS token
+
+If you possess a SAS token, you can call data operations that are permitted by the SAS. The following example shows how to create a container using a SAS token:
+
+```azurecli
+az storage container create \
+    --account-name <storage-account> \
+    --name sample-container \
+    --sas-token <token>
+```
+
+## Set environment variables for authorization parameters
+
+You can specify authorization parameters in environment variables to avoid including them on every call to an Azure Storage data operation. The following table describes the available environment variables.
+
+| Environment variable                  | Description                                                                                                                                                                                                                                                                                                                                                                     |
+|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|    AZURE_STORAGE_ACCOUNT              |    The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Azure AD account. If a large number of commands are executed at one time, the Azure Storage resource provider throttling limit may be reached. For more information about  resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](scalability-targets-resource-provider.md).             |
+|    AZURE_STORAGE_KEY                  |    The storage account key. This variable must be used in conjunction with the storage account name.                                                                                                                                                                                                                                                                          |
+|    AZURE_STORAGE_CONNECTION_STRING    |    A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name.                                                                                                                                                                                                                       |
+|    AZURE_STORAGE_SAS_TOKEN            |    A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name.                                                                                                                                                                                                                                                            |
+|    AZURE_STORAGE_AUTH_MODE            |    The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI uses your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key.    |
+
+## Next steps
+
+- [Use Azure CLI to assign an RBAC role for access to blob and queue data](storage-auth-aad-rbac-cli.md)
+- [Authorize access to blob and queue data with managed identities for Azure resources](storage-auth-aad-msi.md)
diff --git a/articles/storage/queues/TOC.yml b/articles/storage/queues/TOC.yml
@@ -116,7 +116,7 @@
         - name: PowerShell
           href: ../common/authorize-active-directory-powershell.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
         - name: Azure CLI
-          href: ../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
+          href: ../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
       - name: Manage access rights with RBAC
         items:
         - name: Portal
diff --git a/includes/storage-quickstart-prereq-include.md b/includes/storage-quickstart-prereq-include.md
@@ -5,11 +5,11 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 02/04/2018
+ms.date: 02/27/2020
 ms.author: tamram
 ms.custom: "include file"
 ---
 
 To access Azure Storage, you'll need an Azure subscription. If you don't already have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
-All access to Azure Storage takes place through a storage account. For this quickstart, create a storage account using the [Azure portal](https://portal.azure.com/), Azure PowerShell, or Azure CLI. For help creating the account, see [Create a storage account](../articles/storage/common/storage-account-create.md).
+All access to Azure Storage takes place through a storage account. For this quickstart, create a storage account using the [Azure portal](https://portal.azure.com/), Azure PowerShell, or Azure CLI. For help creating a storage account, see [Create a storage account](../articles/storage/common/storage-account-create.md).
diff --git a/includes/storage-view-keys-include.md b/includes/storage-view-keys-include.md
