Can't set Azure Storage Account container ACL

Gene Chu 1 Reputation point
2021-09-22T20:17:38.91+00:00

I am trying to configure the manage ACL for a container in the storage account. I have owner permission to the subscription as well as the SA. I tried executing the directory access set commands as shown below and am getting the same error:

az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --account-name mystorage --auth-mode key --account-key mykey
az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --connection-string myconnectionstring
az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --account-name mystorage --sas-token mysastoken

Below is the error from the above. I have explicitly added my account to the mentioned roles and still no luck.


This command is implicitly deprecated because command group 'storage blob directory' is deprecated and will be removed in a future release. Use 'az storage fs directory' instead.
Command group 'storage blob directory access' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Contributor (Preview)"
"Storage Blob Data Reader (Preview)"
"Storage Queue Data Contributor (Preview)"
"Storage Queue Data Reader (Preview)"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.


Looking for some help.

Thanks


1 answer

  1. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2021-09-23T11:16:58.87+00:00

    @Gene Chu I assume you need to use --auth-mode login, am I correct? If not, please correct me.

    For that you need to grant an RBAC role according to https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal?toc=/azure/storage/blobs/toc.json#rbac-roles-for-blobs-and-queues.

    For more information about ACLs, you can refer to https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#role-based-access-control.

    You can also refer to this thread: "How RBAC works on Azure Storage".

    Additional information: This command, az storage blob list, is not deprecated as mentioned in the command output. We identified that there’s an extension (storage-preview), which is in preview, installed on your machine, and this seems to be altering the blob list command behavior with this warning.
    https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/storage/docs/ADLS%20Gen2.md

    Azure CLI commands for data operations against Blob storage support the --auth-mode parameter, which enables you to specify how to authorize a given operation. Set the --auth-mode parameter to login to authorize with Azure AD credentials. For more information, see Authorize access to blob or queue data with Azure CLI.

    Note: Also check that you have the latest CLI version, or try the above-mentioned commands in Cloud Shell (Azure Portal).

    Please let us know if you have any further queries. I’m happy to assist you further.

    Looking forward to your reply!

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

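The path the answer and the CLI warning point to, as an added example that is not part of the original thread: grant a data-plane role, then set the ACL through the non-deprecated `az storage fs` command group with `--auth-mode login`. The account name, object ID and scope are placeholders, an account with hierarchical namespace enabled is assumed, and with `DRY_RUN=1` (the default) the commands are only printed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Placeholders: ACCOUNT, ASSIGNEE, SCOPE.
# Assumes the account has hierarchical namespace enabled (needed for ACLs).
ACCOUNT='mystorage'
FILESYSTEM='$web'   # single quotes: the shell must not expand $web
ASSIGNEE='<object-id-of-user-or-group>'
SCOPE='/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/mystorage'

# One ACL entry has the form [default:]type:[id]:perms, e.g. group::r-x
valid_acl_entry() {
  printf '%s' "$1" |
    grep -Eq '^(default:)?(user|group|mask|other):[^:,]*:[r-][w-][x-]$'
}

# A full ACL is a non-empty comma-separated list of valid entries.
# Runs in a subshell so the IFS and globbing changes stay local.
valid_acl() (
  [ -n "$1" ] || exit 1
  set -f
  IFS=','
  for entry in $1; do
    valid_acl_entry "$entry" || exit 1
  done
)

# Print the command when DRY_RUN=1 (the default), execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Data-plane role that permits changing ACLs under --auth-mode login.
grant_data_owner() {
  run az role assignment create --assignee "$ASSIGNEE" \
    --role 'Storage Blob Data Owner' --scope "$SCOPE"
}

# Replace the ACL on the root directory of the container (file system).
set_root_acl() {
  valid_acl "$1" || { echo "invalid ACL: $1" >&2; return 2; }
  run az storage fs access set --acl "$1" -p / -f "$FILESYSTEM" \
    --account-name "$ACCOUNT" --auth-mode login
}

grant_data_owner
set_root_acl 'user::rwx,group::r-x,other::---'
```

`az storage fs access set --acl` replaces the whole ACL on the path, so the string passed in should list every entry that is meant to remain. Role assignments can take a few minutes to propagate before the `--auth-mode login` call succeeds.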