GeneChu-1199 asked Sumarigo-MSFT edited

Can't set Azure Storage Account container ACL

I am trying to configure the manage ACL for a container in the storage account. I have owner permission to the subscription as well as the SA. I tried executing the directory access set commands as shown below and am getting the same error:

az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --account-name mystorage --auth-mode key --account-key mykey
az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --connection-string myconnectionstring
az storage blob directory access set -a "group:$superuser:rw-" -c "$web" -d . --account-name mystorage --sas-token mysastoken


Below is the error from the above. I have explicitly added my account to the mentioned roles and still no luck.


This command is implicitly deprecated because command group 'storage blob directory' is deprecated and will be removed in a future release. Use 'az storage fs directory' instead.
Command group 'storage blob directory access' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Contributor (Preview)"
"Storage Blob Data Reader (Preview)"
"Storage Queue Data Contributor (Preview)"
"Storage Queue Data Reader (Preview)"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.




Looking for some help.

Thanks




1 Answer

Sumarigo-MSFT answered Sumarigo-MSFT edited

@GeneChu-1199 I assume you need to use --auth-mode login, am I correct? If not, please correct me.

For that, you need to grant an RBAC role according to https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal?toc=/azure/storage/blobs/toc.json#rbac-roles-for-blobs-and-queues.

For more information about ACLs, you can refer to https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#role-based-access-control.

You can also refer to this thread: "How RBAC works on Azure Storage".

Additional information: This command az storage blob list is not deprecated as mentioned in the command output. We identified that there’s an extension (storage-preview), which is in preview, installed on your machine, and this seems to be altering the blob list command behavior with this warning.
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/storage/docs/ADLS%20Gen2.md

Azure CLI commands for data operations against Blob storage support the --auth-mode parameter, which enables you to specify how to authorize a given operation. Set the --auth-mode parameter to login to authorize with Azure AD credentials. For more information, see Authorize access to blob or queue data with Azure CLI.

Note: Also check that you have the latest CLI version, or try the above-mentioned commands in Cloud Shell (Azure Portal).

Please let us know if you have any further queries. I’m happy to assist you further.

Looking forward to your reply!


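The `--auth-mode login` route from the answer, written out as an added example (not code from this thread or from Microsoft): it assigns a data-plane role and then sets the ACL with the `az storage fs` command group that the deprecation notice points to. The account, resource group, assignee and ACL values are placeholders, the choice of the "Storage Blob Data Owner" role is an assumption about what the asker needs, and `DRY_RUN=1` (the default here) prints the `az` commands instead of running them.

```shell
#!/bin/sh
# Added example: set a container (file system) ACL with Azure AD auth.
# All argument values are placeholders supplied by the caller.

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept a comma-separated list of short-form POSIX ACL entries:
#   [default:]user|group|mask|other:[id]:rwx   (sticky bit forms are not handled)
valid_acl() {
    entry='(default:)?(user|group|mask|other):[^:,]*:[r-][w-][x-]'
    printf '%s\n' "$1" | grep -Eq "^${entry}(,${entry})*\$"
}

# usage: set_container_acl ACCOUNT RESOURCE_GROUP ASSIGNEE FILESYSTEM ACL
set_container_acl() {
    account=$1 rg=$2 assignee=$3 filesystem=$4 acl=$5
    valid_acl "$acl" || { echo "bad ACL: $acl" >&2; return 2; }

    if [ "${DRY_RUN:-1}" = 1 ]; then
        scope='<storage-account-resource-id>'
    else
        scope=$(az storage account show -n "$account" -g "$rg" \
                    --query id -o tsv) || return 1
    fi

    # Subscription "Owner" is a management-plane role; data operations with
    # --auth-mode login need a data-plane role on the account or container.
    run az role assignment create --assignee "$assignee" \
        --role "Storage Blob Data Owner" --scope "$scope" || return 1

    # "access set" replaces the whole ACL, so pass the complete list.
    run az storage fs access set --acl "$acl" -p / -f "$filesystem" \
        --account-name "$account" --auth-mode login
}

# Runs only when all five arguments are given on the command line.
# Single-quote '$web' so the shell does not expand it as a variable.
[ "$#" -lt 5 ] || set_container_acl "$@"
```

Call it with `DRY_RUN=0` to execute the commands after `az login`.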