Run Azure CLI or PowerShell commands with Azure AD credentials to access blob or queue data

Azure Storage provides extensions for Azure CLI and PowerShell that enable you to sign in and run scripting commands with Azure Active Directory (Azure AD) credentials. When you sign in to Azure CLI or PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by CLI or PowerShell to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command.

You can assign permissions to blob and queue data to an Azure AD security principal via role-based access control (RBAC). For more information about RBAC roles in Azure Storage, see Manage access rights to Azure Storage data with RBAC.

Supported operations

The extensions are supported for operations on containers and queues. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI or PowerShell. Permissions to Azure Storage containers or queues are assigned via role-based access control (RBAC). For example, if you are assigned the Blob Data Reader role, then you can run scripting commands that read data from a container or queue. If you are assigned the Blob Data Contributor role, then you can run scripting commands that read, write, or delete a container or queue or the data they contain.

For details about the permissions required for each Azure Storage operation on a container or queue, see Call storage operations with OAuth tokens.

Call CLI commands using Azure AD credentials

Azure CLI supports the --auth-mode parameter for blob and queue data operations:

  • Set the --auth-mode parameter to login to sign in using an Azure AD security principal.
  • Set the --auth-mode parameter to key (the legacy behavior) to have the CLI attempt to retrieve the account key when no authentication parameters for the account are supplied.
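As an added example (not from this article), the following POSIX shell audit reads a deployment script and reports, for each az storage blob, container, queue or message command, whether it signs in with Azure AD (--auth-mode login), still passes shared-key material (--account-key, --sas-token, --connection-string or --auth-mode key), or specifies nothing and therefore depends on AZURE_STORAGE_AUTH_MODE or the legacy account-key lookup. Backslash-continued commands like the ones in this article are joined before classification. The function names are this example's own; the sample script it is tested against is constructed.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: classify how each az storage
# data-plane command in a script authenticates, so shared-key usage can be caught
# in review or CI before it reaches a pipeline.
set -eu

# audit_storage_auth <file>: print "<line>:<class>" for every data-plane command.
#   aad         explicit --auth-mode login (OAuth token of the signed-in principal)
#   shared-key  account key, SAS token, connection string or --auth-mode key
#   implicit    nothing given: resolved from AZURE_STORAGE_AUTH_MODE, or in legacy
#               mode by querying the account key through the management plane
# <line> is the first line of the command; backslash-continued lines are joined.
audit_storage_auth() {
  file="$1"
  lineno=0; start=0; cmd=""
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    if [ "$start" -eq 0 ]; then start=$lineno; fi
    case "$line" in
      *\\) cmd="$cmd ${line%\\}"; continue ;;   # continuation: keep accumulating
      *)   cmd="$cmd $line" ;;
    esac
    case "$cmd" in
      *"az storage blob "*|*"az storage container "*|*"az storage queue "*|*"az storage message "*)
        case "$cmd" in
          *--account-key*|*--sas-token*|*--connection-string*|*"--auth-mode key"*|*"--auth-mode=key"*)
            echo "$start:shared-key" ;;
          *"--auth-mode login"*|*"--auth-mode=login"*)
            echo "$start:aad" ;;
          *)
            echo "$start:implicit" ;;
        esac ;;
    esac
    start=0; cmd=""
  done < "$file"
}

# has_shared_key_usage <file>: succeed (exit 0) when any command relies on
# shared-key material; usable as a gate, e.g. `if has_shared_key_usage f; then exit 1; fi`.
has_shared_key_usage() {
  audit_storage_auth "$1" | grep -q ':shared-key$'
}
```

Management-plane commands such as az storage account create are deliberately ignored, since they are authorized by the ARM token regardless of --auth-mode; the implicit class is worth reviewing because its effective mode is whatever AZURE_STORAGE_AUTH_MODE is set to on the machine that runs the script.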

The following example shows how to create a container in a new storage account from Azure CLI using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:

  1. Make sure that you have installed Azure CLI version 2.0.46 or later. Run az --version to check your installed version.

  2. Run az login and authenticate in the browser window:

    az login
    
  3. Specify your desired subscription. Create a resource group using az group create. Create a storage account within that resource group using az storage account create:

    az account set --subscription <subscription-id>
    
    az group create \
        --name sample-resource-group-cli \
        --location eastus
    
    az storage account create \
        --name <storage-account> \
        --resource-group sample-resource-group-cli \
        --location eastus \
        --sku Standard_LRS \
        --encryption-services blob
    
  4. Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning RBAC roles, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

    Important

    RBAC role assignments may take a few minutes to propagate.

  5. Call the az storage container create command with the --auth-mode parameter set to login to create the container using your Azure AD credentials:

    az storage container create \
        --account-name <storage-account> \
        --name sample-container \
        --auth-mode login
    

The environment variable associated with the --auth-mode parameter is AZURE_STORAGE_AUTH_MODE. You can specify the appropriate value in the environment variable to avoid including it on every call to an Azure Storage data operation.
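The five CLI steps above, as one added script that is not part of this article: it exports AZURE_STORAGE_AUTH_MODE=login once so the container command needs no --auth-mode flag, grants the data-plane role to the signed-in user with az role assignment create (assumed here in place of the portal steps the article links to), and retries the container creation because role assignments can take a few minutes to propagate. The helper names storage_scope and retry and the RUN_AZURE guard are this example's own; nothing runs against Azure unless RUN_AZURE=1 is set and a subscription ID and storage account name are passed.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: the CLI procedure as one script.
# Azure AD sign-in is selected once through AZURE_STORAGE_AUTH_MODE; the data-plane
# role is granted with `az role assignment create` (assumed here in place of the
# portal steps the article links to); container creation is retried because role
# assignments can take a few minutes to propagate.
set -eu

# Every `az storage` data operation below uses the signed-in identity's OAuth token.
export AZURE_STORAGE_AUTH_MODE=login

# storage_scope <subscription> <resource-group> <account>: ARM resource ID of the
# storage account, used as the scope of the role assignment (least privilege).
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# retry <attempts> <command...>: rerun the command until it succeeds, sleeping
# RETRY_DELAY seconds (default 30) between tries; returns the last exit status on give-up.
retry() {
  attempts="$1"; shift
  n=1
  while :; do
    "$@" && return 0
    status=$?
    if [ "$n" -ge "$attempts" ]; then return "$status"; fi
    n=$((n + 1))
    sleep "${RETRY_DELAY:-30}"
  done
}

main() {
  subscription="${1:?subscription id}"
  account="${2:?storage account name}"
  resource_group="sample-resource-group-cli"
  location="eastus"

  az login
  az account set --subscription "$subscription"
  az group create --name "$resource_group" --location "$location"
  az storage account create --name "$account" --resource-group "$resource_group" \
    --location "$location" --sku Standard_LRS --encryption-services blob

  # Owning the subscription is not enough for data operations: grant the data-plane
  # role to the signed-in user, scoped to this one account rather than the subscription.
  upn=$(az account show --query user.name -o tsv)
  az role assignment create --role "Storage Blob Data Contributor" \
    --assignee "$upn" --scope "$(storage_scope "$subscription" "$resource_group" "$account")"

  # No --auth-mode flag needed: AZURE_STORAGE_AUTH_MODE=login is already exported.
  retry 10 az storage container create --account-name "$account" --name sample-container
}

# Only touch Azure when explicitly asked; otherwise the file just defines the functions.
if [ "${RUN_AZURE:-0}" = 1 ]; then
  main "$@"
fi
```

Usage: RUN_AZURE=1 sh create-container.sh <subscription-id> <storage-account>. The retry loop is what turns the "may take a few minutes to propagate" note into something a pipeline can rely on; ten attempts thirty seconds apart covers the usual propagation window without masking a genuinely missing role assignment forever.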

Call PowerShell commands using Azure AD credentials

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Azure AD credentials, create a storage context to reference the storage account, and include the -UseConnectedAccount parameter.

The following example shows how to create a container in a new storage account from Azure PowerShell using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:

  1. Sign in to your Azure account with the Connect-AzAccount command:

    Connect-AzAccount
    

    For more information about signing into Azure with PowerShell, see Sign in with Azure PowerShell.

  2. Create an Azure resource group by calling New-AzResourceGroup.

    $resourceGroup = "sample-resource-group-ps"
    $location = "eastus"
    New-AzResourceGroup -Name $resourceGroup -Location $location
    
  3. Create a storage account by calling New-AzStorageAccount.

    $storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
      -Name "<storage-account>" `
      -SkuName Standard_LRS `
      -Location $location
    
  4. Get the storage account context that specifies the new storage account by calling New-AzStorageContext. When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the -UseConnectedAccount parameter to call any subsequent data operations using your Azure AD credentials:

    $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount
    
  5. Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning RBAC roles, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

    Important

    RBAC role assignments may take a few minutes to propagate.

  6. Create a container by calling New-AzStorageContainer. Because this call uses the context created in the previous steps, the container is created using your Azure AD credentials.

    $containerName = "sample-container"
    New-AzStorageContainer -Name $containerName -Context $ctx
    

Next steps