az storage account
Manage storage accounts.
Commands
| az storage account blob-service-properties |
Manage the properties of a storage account's blob service. |
| az storage account blob-service-properties show |
Show the properties of a storage account's blob service. |
| az storage account blob-service-properties update |
Update the properties of a storage account's blob service. |
| az storage account check-name |
Checks that the storage account name is valid and is not already in use. |
| az storage account create |
Create a storage account. |
| az storage account delete |
Delete a storage account. |
| az storage account encryption-scope |
Manage encryption scope for a storage account. |
| az storage account encryption-scope create |
Create an encryption scope within storage account. |
| az storage account encryption-scope list |
List encryption scopes within storage account. |
| az storage account encryption-scope show |
Show properties for specified encryption scope within storage account. |
| az storage account encryption-scope update |
Update properties for specified encryption scope within storage account. |
| az storage account failover |
Failover request can be triggered for a storage account in case of availability issues. |
| az storage account file-service-properties |
Manage the properties of file service in storage account. |
| az storage account file-service-properties show |
Show the properties of file service in storage account. |
| az storage account file-service-properties update |
Update the properties of file service in storage account. |
| az storage account generate-sas |
Generates a shared access signature for the account. |
| az storage account keys |
Manage storage account keys. |
| az storage account keys list |
List the access keys or Kerberos keys (if active directory enabled) for a storage account. |
| az storage account keys renew |
Regenerate one of the access keys or Kerberos keys (if active directory enabled) for a storage account. |
| az storage account list |
List storage accounts. |
| az storage account management-policy |
Manage storage account management policies. |
| az storage account management-policy create |
Creates the data policy rules associated with the specified storage account. |
| az storage account management-policy delete |
Deletes the managementpolicy associated with the specified storage account. |
| az storage account management-policy show |
Gets the managementpolicy associated with the specified storage account. |
| az storage account management-policy update |
Updates the data policy rules associated with the specified storage account. |
| az storage account network-rule |
Manage network rules. |
| az storage account network-rule add |
Add a network rule. |
| az storage account network-rule list |
List network rules. |
| az storage account network-rule remove |
Remove a network rule. |
| az storage account private-endpoint-connection |
Manage storage account private endpoint connection. |
| az storage account private-endpoint-connection approve |
Approve a private endpoint connection request for storage account. |
| az storage account private-endpoint-connection delete |
Delete a private endpoint connection request for storage account. |
| az storage account private-endpoint-connection reject |
Reject a private endpoint connection request for storage account. |
| az storage account private-endpoint-connection show |
Show details of a private endpoint connection request for storage account. |
| az storage account private-link-resource |
Manage storage account private link resources. |
| az storage account private-link-resource list |
Get the private link resources that need to be created for a storage account. |
| az storage account revoke-delegation-keys |
Revoke all user delegation keys for a storage account. |
| az storage account show |
Show storage account properties. |
| az storage account show-connection-string |
Get the connection string for a storage account. |
| az storage account show-usage |
Show the current count and limit of the storage accounts under the subscription. |
| az storage account update |
Update the properties of a storage account. |
az storage account check-name
Checks that the storage account name is valid and is not already in use.
az storage account check-name --name
[--subscription]Required Parameters
The storage account name.
Optional Parameters
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account create
Create a storage account.
The SKU of the storage account defaults to 'Standard_RAGRS'.
az storage account create --name
--resource-group
[--access-tier {Cool, Hot}]
[--allow-blob-public-access {false, true}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-files-aadds {false, true}]
[--enable-files-adds {false, true}]
[--enable-hierarchical-namespace {false, true}]
[--enable-large-file-share]
[--encryption-key-type-for-queue {Account, Service}]
[--encryption-key-type-for-table {Account, Service}]
[--encryption-services {blob, file, queue, table}]
[--forest-name]
[--https-only {false, true}]
[--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
[--location]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
[--net-bios-domain-name]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--require-infrastructure-encryption {false, true}]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]Examples
Create a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.
az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRSCreate a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the eastus2euap region with account-scoped encryption key enabled for Table Service.
az storage account create -n mystorageaccount -g MyResourceGroup --kind StorageV2 -l eastus2euap -t AccountRequired Parameters
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.
Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source.
Default action to apply when no rule matches.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
Set the encryption key type for Queue service. "Account": Queue will be encrypted with account-scoped encryption key. "Service": Queue will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
Set the encryption key type for Table service. "Account": Table will be encrypted with account-scoped encryption key. "Service": Table will always be encrypted with service-scoped keys. Currently the default encryption key type is "Service".
Specifies which service(s) to encrypt.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allow https traffic only to storage service if set to true. The default value is true.
Indicates the type of storage account.
Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.
The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
Routing Choice defines the kind of network routing opted by the user.
The storage account SKU.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account delete
Delete a storage account.
az storage account delete [--ids]
[--name]
[--resource-group]
[--subscription]
[--yes]Examples
Delete a storage account using a resource ID.
az storage account delete --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}Delete a storage account using an account name and resource group.
az storage account delete -n MyStorageAccount -g MyResourceGroupOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Do not prompt for confirmation.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account failover
Failover request can be triggered for a storage account in case of availability issues.
The failover occurs from the storage account's primary cluster to secondary cluster for (RA-)GRS/GZRS accounts. The secondary cluster will become primary after failover. For more information, please refer to https://docs.microsoft.com/en-us/azure/storage/common/storage-disaster-recovery-guidance.
az storage account failover [--ids]
[--name]
[--no-wait]
[--resource-group]
[--subscription]
[--yes]Examples
Failover a storage account.
az storage account failover -n mystorageaccount -g MyResourceGroupFailover a storage account without waiting for complete.
az storage account failover -n mystorageaccount -g MyResourceGroup --no-wait
az storage account show -n mystorageaccount --expand geoReplicationStatsOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Do not wait for the long-running operation to finish.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Do not prompt for confirmation.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account generate-sas
Generates a shared access signature for the account.
az storage account generate-sas --expiry
--permissions
--resource-types
--services
[--account-key]
[--account-name]
[--connection-string]
[--https-only]
[--ids]
[--ip]
[--start]
[--subscription]Examples
Generate a sas token for the account that is valid for queue and table services on Linux.
end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsvGenerate a sas token for the account that is valid for queue and table services on MacOS.
end=`date -v+30M '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsvGenerate a shared access signature for the account (autogenerated)
az storage account generate-sas --account-key 00000000 --account-name MyStorageAccount --expiry 2020-01-01 --https-only --permissions acuw --resource-types co --services bfqtRequired Parameters
Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid.
The permissions the SAS grants. Allowed values: (a)dd (c)reate (d)elete (l)ist (p)rocess (r)ead (u)pdate (w)rite. Can be combined.
The resource types the SAS is applicable for. Allowed values: (s)ervice (c)ontainer (o)bject. Can be combined.
The storage services the SAS is applicable for. Allowed values: (b)lob (f)ile (q)ueue (t)able. Can be combined.
Optional Parameters
Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.
Storage account name. Must be used in conjunction with either storage account key or a SAS token. Environment Variable: AZURE_STORAGE_ACCOUNT.
Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.
Only permit requests made with the HTTPS protocol. If omitted, requests from both the HTTP and HTTPS protocol are permitted.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Specifies the IP address or range of IP addresses from which to accept requests. Supports only IPv4 style addresses.
Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes valid. Defaults to the time of the request.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account list
List storage accounts.
az storage account list [--resource-group]
[--subscription]Examples
List all storage accounts in a subscription.
az storage account listList all storage accounts in a resource group.
az storage account list -g MyResourceGroupOptional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account revoke-delegation-keys
Revoke all user delegation keys for a storage account.
az storage account revoke-delegation-keys [--ids]
[--name]
[--resource-group]
[--subscription]Examples
Revoke all user delegation keys for a storage account by resource ID.
az storage account revoke-delegation-keys --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}Revoke all user delegation keys for a storage account 'mystorageaccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.
az storage account revoke-delegation-keys -n mystorageaccount -g MyResourceGroupOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show
Show storage account properties.
az storage account show [--expand]
[--ids]
[--name]
[--resource-group]
[--subscription]Examples
Show properties for a storage account by resource ID.
az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}Show properties for a storage account using an account name and resource group.
az storage account show -g MyResourceGroup -n MyStorageAccountOptional Parameters
May be used to expand the properties within account's properties. By default, data is not included when fetching properties. Currently we only support geoReplicationStats and blobRestoreStatus.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The storage account name.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show-connection-string
Get the connection string for a storage account.
az storage account show-connection-string [--blob-endpoint]
[--file-endpoint]
[--ids]
[--key {primary, secondary}]
[--name]
[--protocol {http, https}]
[--queue-endpoint]
[--resource-group]
[--sas-token]
[--subscription]
[--table-endpoint]Examples
Get a connection string for a storage account.
az storage account show-connection-string -g MyResourceGroup -n MyStorageAccountGet the connection string for a storage account. (autogenerated)
az storage account show-connection-string --name MyStorageAccount --resource-group MyResourceGroup --subscription MySubscriptionOptional Parameters
Custom endpoint for blobs.
Custom endpoint for files.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The key to use.
The storage account name.
The default endpoint protocol.
Custom endpoint for queues.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The SAS token to be used in the connection-string.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Custom endpoint for tables.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account show-usage
Show the current count and limit of the storage accounts under the subscription.
az storage account show-usage --location
[--subscription]Examples
Show the current count and limit of the storage accounts under the subscription. (autogenerated)
az storage account show-usage --location westus2Required Parameters
Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.
Optional Parameters
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az storage account update
Update the properties of a storage account.
az storage account update [--access-tier {Cool, Hot}]
[--add]
[--allow-blob-public-access {false, true}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-files-aadds {false, true}]
[--enable-files-adds {false, true}]
[--enable-large-file-share]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--force-string]
[--forest-name]
[--https-only {false, true}]
[--ids]
[--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
[--name]
[--net-bios-domain-name]
[--publish-internet-endpoints {false, true}]
[--publish-microsoft-endpoints {false, true}]
[--remove]
[--resource-group]
[--routing-choice {InternetRouting, MicrosoftRouting}]
[--set]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]
[--use-subdomain {false, true}]Examples
Update the properties of a storage account. (autogenerated)
az storage account update --default-action Allow --name MyStorageAccount --resource-group MyResourceGroupOptional Parameters
The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Allow or disallow public access to all blobs or containers in the storage account. The default value for this property is null, which is equivalent to true. When true, containers in the account may be configured for public access. Note that setting this property to true does not enable anonymous access to any data in the account. The additional step of configuring the public access setting for a container is required to enable anonymous access.
Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.
Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.
Bypass traffic for space-separated uses.
User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.
Default action to apply when no rule matches.
Specify the domain GUID. Required when --enable-files-adds is set to True.
Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.
Specify the security identifier (SID). Required when --enable-files-adds is set to True.
Enable Azure Active Directory Domain Services authentication for Azure Files.
Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.
Enable the capability to support large file shares with more than 5 TiB capacity for storage account.Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.
The name of the KeyVault key.
The default encryption key source.
The Uri of the KeyVault.
The version of the KeyVault key to use, which will opt out of implicit key rotation. Please use "" to opt in key auto-rotation again.
Specifies which service(s) to encrypt.
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.
Allows https traffic only to storage service.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
The storage account name.
Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.
A boolean flag which indicates whether internet routing storage endpoints are to be published.
A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
Remove a property or an element from a list. Example: --remove property.list
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Routing Choice defines the kind of network routing opted by the user.
Update an object by specifying a property path and value to set. Example: --set property1.property2=
The storage account SKU.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Specify whether to use indirect CNAME validation.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.