az storage account

Manage storage accounts.

Commands

az storage account check-name: Checks that the storage account name is valid and is not already in use.
az storage account create: Create a storage account.
az storage account delete: Delete a storage account.
az storage account generate-sas: Generates a shared access signature for the account.
az storage account keys: Manage storage account keys.
az storage account keys list: List the access keys or Kerberos keys (if active directory enabled) for a storage account.
az storage account keys renew: Regenerate one of the access keys or Kerberos keys (if active directory enabled) for a storage account.
az storage account list: List storage accounts.
az storage account management-policy: Manage storage account management policies.
az storage account management-policy create: Creates the data policy rules associated with the specified storage account.
az storage account management-policy delete: Deletes the management policy associated with the specified storage account.
az storage account management-policy show: Gets the management policy associated with the specified storage account.
az storage account management-policy update: Updates the data policy rules associated with the specified storage account.
az storage account network-rule: Manage network rules.
az storage account network-rule add: Add a network rule.
az storage account network-rule list: List network rules.
az storage account network-rule remove: Remove a network rule.
az storage account revoke-delegation-keys: Revoke all user delegation keys for a storage account.
az storage account show: Show storage account properties.
az storage account show-connection-string: Get the connection string for a storage account.
az storage account show-usage: Show the current count and limit of the storage accounts under the subscription.
az storage account update: Update the properties of a storage account.

az storage account check-name

Checks that the storage account name is valid and is not already in use.

az storage account check-name --name
[--subscription]

Required Parameters

--name -n

The storage account name.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az storage account create

Create a storage account.

az storage account create --name
--resource-group
[--access-tier {Cool, Hot}]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-files-aadds {false, true}]
[--enable-files-adds {false, true}]
[--enable-hierarchical-namespace {false, true}]
[--enable-large-file-share]
[--encryption-services {blob, file, queue, table}]
[--forest-name]
[--https-only {false, true}]
[--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
[--location]
[--net-bios-domain-name]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]

Examples

Create a storage account 'MyStorageAccount' in resource group 'MyResourceGroup' in the West US region with locally redundant storage.

az storage account create -n MyStorageAccount -g MyResourceGroup -l westus --sku Standard_LRS

Required Parameters

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access-tier

The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.

accepted values: Cool, Hot

--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None

--custom-domain

User domain assigned to the storage account. Name is the CNAME source.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny

--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true

--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true

--enable-hierarchical-namespace --hns

Allow the blob service to exhibit filesystem semantics. This property can be enabled only when storage account kind is StorageV2.

accepted values: false, true

--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account. Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table

--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allow https traffic only to storage service if set to true. The default value is true.

accepted values: false, true

--kind

Indicates the type of storage account.

accepted values: BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2
default value: Storage

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--sku

The storage account SKU.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS
default value: Standard_RAGRS

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

az storage account delete

Delete a storage account.

az storage account delete [--ids]
[--name]
[--resource-group]
[--subscription]
[--yes]

Examples

Delete a storage account using a resource ID.

az storage account delete --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Delete a storage account using an account name and resource group.

az storage account delete -n MyStorageAccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Do not prompt for confirmation.

az storage account generate-sas

Generates a shared access signature for the account.

az storage account generate-sas --expiry
--permissions
--resource-types
--services
[--account-key]
[--account-name]
[--connection-string]
[--https-only]
[--ids]
[--ip]
[--start]
[--subscription]

Examples

Generate a SAS token for the account that is valid for queue and table services on Linux.

end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generate a SAS token for the account that is valid for queue and table services on macOS.

end=`date -u -v+30M '+%Y-%m-%dT%H:%MZ'`
az storage account generate-sas --permissions cdlruwap --account-name MyStorageAccount --services qt --resource-types sco --expiry $end -o tsv

Generates a shared access signature for the account (autogenerated)

az storage account generate-sas --account-key 00000000 --account-name MyStorageAccount --expiry 2020-01-01 --https-only --permissions acuw --resource-types co --services bfqt

Required Parameters

--expiry

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid.

--permissions

The permissions the SAS grants. Allowed values: (a)dd (c)reate (d)elete (l)ist (p)rocess (r)ead (u)pdate (w)rite. Can be combined.

--resource-types

The resource types the SAS is applicable for. Allowed values: (s)ervice (c)ontainer (o)bject. Can be combined.

--services

The storage services the SAS is applicable for. Allowed values: (b)lob (f)ile (q)ueue (t)able. Can be combined.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Must be used in conjunction with either storage account key or a SAS token. Environment Variable: AZURE_STORAGE_ACCOUNT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--https-only

Only permit requests made with the HTTPS protocol. If omitted, requests from both the HTTP and HTTPS protocol are permitted.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--ip

Specifies the IP address or range of IP addresses from which to accept requests. Supports only IPv4 style addresses.

--start

Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes valid. Defaults to the time of the request.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
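
The first two generate-sas examples above grant every permission and omit --https-only. As an added example (not part of the Azure CLI documentation), the wrapper below checks a request against the documented letter sets, caps the lifetime, computes the expiry in UTC with either GNU or BSD date, and always passes --https-only; MAX_MINUTES, DRY_RUN and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Azure CLI documentation. MAX_MINUTES, DRY_RUN
# and the function names are assumptions made for this sketch.
MAX_MINUTES=60   # assumed policy: longest SAS lifetime the wrapper will issue

# True when $1 is non-empty and contains only characters listed in $2.
only_letters() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d "$2")" ]
}

# Check a request against the letter sets documented for generate-sas and the
# lifetime cap. Prints the reason to stderr and returns 1 on rejection.
sas_preflight() {   # permissions services resource-types minutes
    only_letters "$1" acdlpruw || { echo "invalid --permissions: $1" >&2; return 1; }
    only_letters "$2" bfqt || { echo "invalid --services: $2" >&2; return 1; }
    only_letters "$3" sco || { echo "invalid --resource-types: $3" >&2; return 1; }
    case $4 in   # positive decimal integer, no leading zero
        ''|0*|*[!0-9]*) echo "invalid lifetime in minutes: $4" >&2; return 1 ;;
    esac
    [ "$4" -le "$MAX_MINUTES" ] 2>/dev/null ||
        { echo "lifetime $4 exceeds $MAX_MINUTES minutes" >&2; return 1; }
}

# UTC timestamp $1 minutes from now in the format --expiry takes. -u matters
# because the format appends a literal Z. Tries GNU date, then BSD/macOS date.
utc_in_minutes() {
    t=$(( $(date -u +%s) + $1 * 60 ))
    date -u -d "@$t" '+%Y-%m-%dT%H:%MZ' 2>/dev/null ||
        date -u -r "$t" '+%Y-%m-%dT%H:%MZ'
}

# Issue an account SAS after the checks pass. --https-only is always sent and
# --ip only when a sixth argument is given. With DRY_RUN set to a non-empty
# value the command is printed instead of executed.
scoped_sas() {   # account permissions services resource-types minutes [ip]
    sas_preflight "$2" "$3" "$4" "$5" || return 1
    expiry=$(utc_in_minutes "$5") || return 1
    set -- --account-name "$1" --permissions "$2" --services "$3" \
        --resource-types "$4" --expiry "$expiry" --https-only ${6:+--ip "$6"}
    ${DRY_RUN:+echo} az storage account generate-sas "$@" -o tsv
}

# Constructed requests; 203.0.113.10 is a documentation address.
DRY_RUN=1
scoped_sas MyStorageAccount rl b co 30 203.0.113.10
scoped_sas MyStorageAccount cdlruwap qt sco 1440 || echo "request rejected"
```

Set DRY_RUN to an empty value to have the wrapper call az instead of printing the command.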

az storage account list

List storage accounts.

az storage account list [--resource-group]
[--subscription]

Examples

List all storage accounts in a subscription.

az storage account list

List all storage accounts in a resource group.

az storage account list -g MyResourceGroup

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az storage account revoke-delegation-keys

Revoke all user delegation keys for a storage account.

az storage account revoke-delegation-keys [--ids]
[--name]
[--resource-group]
[--subscription]

Examples

Revoke all user delegation keys for a storage account by resource ID.

az storage account revoke-delegation-keys --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Revoke all user delegation keys for a storage account 'MyStorageAccount' in resource group 'MyResourceGroup'.

az storage account revoke-delegation-keys -n MyStorageAccount -g MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az storage account show

Show storage account properties.

az storage account show [--expand]
[--ids]
[--name]
[--resource-group]
[--subscription]

Examples

Show properties for a storage account by resource ID.

az storage account show --ids /subscriptions/{SubID}/resourceGroups/{ResourceGroup}/providers/Microsoft.Storage/storageAccounts/{StorageAccount}

Show properties for a storage account using an account name and resource group.

az storage account show -g MyResourceGroup -n MyStorageAccount

Optional Parameters

--expand

May be used to expand the properties within account's properties. By default, data is not included when fetching properties. Currently we only support geoReplicationStats.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--name -n

The storage account name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az storage account show-connection-string

Get the connection string for a storage account.

az storage account show-connection-string [--blob-endpoint]
[--file-endpoint]
[--ids]
[--key {primary, secondary}]
[--name]
[--protocol {http, https}]
[--queue-endpoint]
[--resource-group]
[--sas-token]
[--subscription]
[--table-endpoint]

Examples

Get a connection string for a storage account.

az storage account show-connection-string -g MyResourceGroup -n MyStorageAccount

Get the connection string for a storage account. (autogenerated)

az storage account show-connection-string --name MyStorageAccount --resource-group MyResourceGroup --subscription MySubscription

Optional Parameters

--blob-endpoint

Custom endpoint for blobs.

--file-endpoint

Custom endpoint for files.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--key

The key to use.

accepted values: primary, secondary
default value: primary

--name -n

The storage account name.

--protocol

The default endpoint protocol.

accepted values: http, https
default value: https

--queue-endpoint

Custom endpoint for queues.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--sas-token

The SAS token to be used in the connection-string.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--table-endpoint

Custom endpoint for tables.

az storage account show-usage

Show the current count and limit of the storage accounts under the subscription.

az storage account show-usage --location
[--subscription]

Examples

Show the current count and limit of the storage accounts under the subscription. (autogenerated)

az storage account show-usage --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az storage account update

Update the properties of a storage account.

az storage account update [--access-tier {Cool, Hot}]
[--add]
[--assign-identity]
[--azure-storage-sid]
[--bypass {AzureServices, Logging, Metrics, None}]
[--custom-domain]
[--default-action {Allow, Deny}]
[--domain-guid]
[--domain-name]
[--domain-sid]
[--enable-files-aadds {false, true}]
[--enable-files-adds {false, true}]
[--enable-large-file-share]
[--encryption-key-name]
[--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
[--encryption-key-vault]
[--encryption-key-version]
[--encryption-services {blob, file, queue, table}]
[--force-string]
[--forest-name]
[--https-only {false, true}]
[--ids]
[--name]
[--net-bios-domain-name]
[--remove]
[--resource-group]
[--set]
[--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
[--subscription]
[--tags]
[--use-subdomain {false, true}]

Examples

Update the properties of a storage account. (autogenerated)

az storage account update --default-action Allow --name MyStorageAccount --resource-group MyResourceGroup

Optional Parameters

--access-tier

The access tier used for billing StandardBlob accounts. Cannot be set for StandardLRS, StandardGRS, StandardRAGRS, or PremiumLRS account types. It is required for StandardBlob accounts during creation.

accepted values: Cool, Hot

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--assign-identity

Generate and assign a new Storage Account Identity for this storage account for use with key management services like Azure KeyVault.

--azure-storage-sid

Specify the security identifier (SID) for Azure Storage. Required when --enable-files-adds is set to True.

--bypass

Bypass traffic for space-separated uses.

accepted values: AzureServices, Logging, Metrics, None

--custom-domain

User domain assigned to the storage account. Name is the CNAME source. Use "" to clear existing value.

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny

--domain-guid

Specify the domain GUID. Required when --enable-files-adds is set to True.

--domain-name

Specify the primary domain that the AD DNS server is authoritative for. Required when --enable-files-adds is set to True.

--domain-sid

Specify the security identifier (SID). Required when --enable-files-adds is set to True.

--enable-files-aadds

Enable Azure Active Directory Domain Services authentication for Azure Files.

accepted values: false, true

--enable-files-adds

Enable Azure Files Active Directory Domain Service Authentication for storage account. When --enable-files-adds is set to true, Azure Active Directory Properties arguments must be provided.

accepted values: false, true

--enable-large-file-share

Enable the capability to support large file shares with more than 5 TiB capacity for storage account. Once the property is enabled, the feature cannot be disabled. Currently only supported for LRS and ZRS replication types, hence account conversions to geo-redundant accounts would not be possible. For more information, please refer to https://go.microsoft.com/fwlink/?linkid=2086047.

--encryption-key-name

The name of the KeyVault key.

--encryption-key-source

The default encryption service.

accepted values: Microsoft.Keyvault, Microsoft.Storage

--encryption-key-vault

The Uri of the KeyVault.

--encryption-key-version

The version of the KeyVault key.

--encryption-services

Specifies which service(s) to encrypt.

accepted values: blob, file, queue, table

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--forest-name

Specify the Active Directory forest to get. Required when --enable-files-adds is set to True.

--https-only

Allows https traffic only to storage service.

accepted values: false, true

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified.

--name -n

The storage account name.

--net-bios-domain-name

Specify the NetBIOS domain name. Required when --enable-files-adds is set to True.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--sku

The storage account SKU.

accepted values: Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

--use-subdomain

Specify whether to use indirect CNAME validation.

accepted values: false, true