-
Notifications
You must be signed in to change notification settings - Fork 235
azcopy_login
GitHub Action edited this page Mar 10, 2025
·
45 revisions
Log in to Microsoft Entra ID to access Azure Storage resources.
To be authorized to your Azure Storage account, you must assign the Storage Blob Data Contributor role to your user account in the context of either the Storage account, parent resource group or parent subscription. This command will cache encrypted login information for current user using the OS built-in mechanisms. Please refer to the examples for more information.
If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history, you can use a script to prompt the user for their credentials, and to set the environment variable.
azcopy login [flags]
Log in interactively with default Microsoft Entra tenant ID set to common:
- azcopy login
Log in interactively with a specified tenant ID:
- azcopy login --tenant-id "[TenantID]"
Log in by using the system-assigned identity of a Virtual Machine (VM):
- azcopy login --identity
Log in by using the user-assigned identity of a VM and a Client ID of the service identity:
- azcopy login --identity --identity-client-id "[ServiceIdentityClientID]"
Log in by using the user-assigned identity of a VM and an Object ID of the service identity:
- azcopy login --identity --identity-object-id "[ServiceIdentityObjectID]"
Log in by using the user-assigned identity of a VM and a Resource ID of the service identity:
- azcopy login --identity --identity-resource-id "/subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID"
Log in as a service principal by using a client secret:
Set the environment variable AZCOPY_SPA_CLIENT_SECRET to the client secret for secret based service principal auth.
- azcopy login --service-principal --application-id <your service principal's application ID>
Log in as a service principal by using a certificate and it's password:
Set the environment variable AZCOPY_SPA_CERT_PASSWORD to the certificate's password for cert based service principal auth
- azcopy login --service-principal --certificate-path /path/to/my/cert --application-id <your service principal's application ID>
Please treat /path/to/my/cert as a path to a PEM or PKCS12 file-- AzCopy does not reach into the system cert store to obtain your certificate.
--certificate-path is mandatory when doing cert-based service principal auth.
Log in using a Device:
Set the environment variable AZCOPY_AUTO_LOGIN_TYPE=DEVICE to initiate Device login.
- azcopy login
Please note that you will be provided with a code to authenticate via a web browser. For example, you may see a message like this:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD12345.
Log in using Managed Identity
Set the environment variable AZCOPY_AUTO_LOGIN_TYPE to MSI.
Set additional parameters based on your identity type:
To use Client ID, set AZCOPY_MSI_CLIENT_ID.
To use Resource string, set AZCOPY_MSI_RESOURCE_STRING.
- azcopy login
Upon successful authentication, you will see messages indicating login with identity succeeded and authenticating to the destination using Microsoft Entra ID.
Subcommand for login to check the login status of your current session.
- azcopy login status
--aad-endpoint string The Azure Active Directory endpoint to use. The default (https://login.microsoftonline.com) is correct for the public Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity
--application-id string Application ID of user-assigned identity. Required for service principal auth.
--certificate-path string Path to certificate for SPN authentication. Required for certificate-based service principal auth.
-h, --help help for login
--identity-client-id string Client ID of user-assigned identity.
--identity-object-id string Object ID of user-assigned identity. This parameter is deprecated. Please use client id or resource id
--identity-resource-id string Resource ID of user-assigned identity.
--login-type string Default value is device. Specify the credential type to access Azure Resource, available values are device (Device code workflow), spn (Service Principal), msi (Managed Service Identity), azcli (Azure CLI), pscred (Azure PowerShell), workload (Workload Identity). (default "device")
--tenant-id string The Azure Active Directory tenant ID to use for OAuth device interactive login.
--cap-mbps float Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.
--log-level string Define the log verbosity for the log file, available levels: DEBUG(detailed trace), INFO(all requests/responses), WARNING(slow responses), ERROR(only failed requests), and NONE(no output logs). (default 'INFO'). (default "INFO")
--output-level string Define the output verbosity. Available levels: essential, quiet. (default "default")
--output-type string Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")
--skip-version-check Do not perform the version check at startup. Intended for automation scenarios & airgapped use.
--trusted-microsoft-suffixes string Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.
- azcopy - AzCopy is a command line tool that moves data into and out of Azure Storage.
- azcopy login status - Prints if you are currently logged in to your Azure Storage account.