az storage fs access

Manage file system access and permissions for Azure Data Lake Storage Gen2 account.

Commands

| Name | Description | Type | Status |
| --- | --- | --- | --- |
| az storage fs access remove-recursive | Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. | Core | GA |
| az storage fs access set | Set the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account. | Core | GA |
| az storage fs access set-recursive | Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. | Core | GA |
| az storage fs access show | Show the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account. | Core | GA |
| az storage fs access update-recursive | Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account. | Core | GA |

az storage fs access remove-recursive

Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access remove-recursive --acl
                                      --file-system
                                      --path
                                      [--account-key]
                                      [--account-name]
                                      [--auth-mode {key, login}]
                                      [--batch-size]
                                      [--blob-endpoint]
                                      [--connection-string]
                                      [--continuation]
                                      [--continue-on-failure {false, true}]
                                      [--max-batches]
                                      [--sas-token]
                                      [--timeout]

Examples

Remove the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access remove-recursive --acl "default:user:21cd756e-e290-4a26-9547-93e8cc1a8923" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000

Required Parameters

--acl

Remove POSIX access control rights on files and directories. The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, and a user or group identifier in the format "[scope:][type]:[id]".

--file-system -f

File system name (i.e. container name).

--path -p

The path to a file or directory in the specified file system.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

Accepted values: key, login
--batch-size

Optional. If the data set size exceeds the batch size, the operation is split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.

--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--continuation

Optional continuation token that can be used to resume a previously stopped operation.

--continue-on-failure

If set to False, the operation terminates quickly on encountering user errors (4XX). If True, the operation ignores user errors and proceeds with the operation on other sub-entities of the directory. In case of user errors, a continuation token is returned only when --continue-on-failure is True. The default value is False.

Accepted values: false, true

--max-batches

Optional. Defines the maximum number of batches that a single change Access Control operation can execute. If the maximum is reached before all sub-paths are processed, the continuation token can be used to resume the operation. An empty value indicates that the maximum number of batches is unbounded and the operation continues until the end.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage fs access set

Set the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account.

az storage fs access set --file-system
                         --path
                         [--account-key]
                         [--account-name]
                         [--acl]
                         [--auth-mode {key, login}]
                         [--blob-endpoint]
                         [--connection-string]
                         [--group]
                         [--owner]
                         [--permissions]
                         [--sas-token]

Examples

Set the access control list of a path.

az storage fs access set --acl "user::rwx,group::r--,other::---" -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000

Set permissions of a path.

az storage fs access set --permissions "rwxrwx---" -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000

Set owner of a path.

az storage fs access set --owner example@microsoft.com -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000

Set owning group of a path.

az storage fs access set --group 68390a19-a897-236b-b453-488abf67b4dc -p dir -f myfilesystem --account-name mystorageaccount --account-key 0000-0000

Required Parameters

--file-system -f

File system name (i.e. container name).

--path -p

The path to a file or directory in the specified file system.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.

--acl

Invalid in conjunction with --permissions. POSIX access control rights on files and directories in the format "[scope:][type]:[id]:[permissions]". e.g. "user::rwx,group::r--,other::---,mask::rwx".

The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". The scope must be "default" to indicate the ACE belongs to the default ACL for a directory; otherwise scope is implicit and the ACE belongs to the access ACL. There are four ACE types: "user" grants rights to the owner or a named user, "group" grants rights to the owning group or a named group, "mask" restricts rights granted to named users and the members of groups, and "other" grants rights to all users not found in any of the other entries. The user or group identifier is omitted for entries of type "mask" and "other". The user or group identifier is also omitted for the owner and owning group. For example, the following ACL grants read, write, and execute rights to the file owner and john.doe@contoso, the read right to the owning group, and nothing to everyone else: "user::rwx,user:john.doe@contoso:rwx,group::r--,other::---,mask::rwx". For more information, please refer to https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

Accepted values: key, login
--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--group

The owning group of the file or directory. The group Azure Active Directory object ID or user principal name to set as the owning group. For more information, please refer to https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#changing-the-owning-group.

--owner

The owning user of the file or directory. The user Azure Active Directory object ID or user principal name to set as the owner. For more information, please refer to https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#the-owning-user.

--permissions

Invalid in conjunction with --acl. POSIX access permissions for the file owner, the file owning group, and others. Each class may be granted read (r), write (w), or execute (x) permission. Both symbolic (rwxrw-rw-) and 4-digit octal notation (e.g. 0766) are supported.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage fs access set-recursive

Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access set-recursive --acl
                                   --file-system
                                   --path
                                   [--account-key]
                                   [--account-name]
                                   [--auth-mode {key, login}]
                                   [--batch-size]
                                   [--blob-endpoint]
                                   [--connection-string]
                                   [--continuation]
                                   [--continue-on-failure {false, true}]
                                   [--max-batches]
                                   [--sas-token]
                                   [--timeout]

Examples

Set the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access set-recursive --acl "default:user:21cd756e-e290-4a26-9547-93e8cc1a8923:rwx" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000
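
Added example (not part of the Azure CLI documentation): a pre-flight check that parses an --acl value against the "[scope:][type]:[id]:[permissions]" grammar described under az storage fs access set, before the value is applied to a whole subtree. The function names are hypothetical, and flagging write permission on "other" is an assumed local policy, not an Azure rule.

```sh
#!/bin/sh
# Added example: lint an --acl value before a recursive ACL change.
# Covers the 4-field form used by set / set-recursive / update-recursive
# (remove-recursive entries carry no permissions field).

# validate_ace ACE -> 0 if ACE matches [scope:][type]:[id]:[permissions].
# On success ace_type, ace_id and ace_perms hold the parsed fields.
validate_ace() {
    ace=$1
    # Optional scope: the only scope keyword is "default".
    case $ace in
        default:*) ace=${ace#default:} ;;
    esac
    ace_type=${ace%%:*}
    ace_rest=${ace#*:}
    [ "$ace_rest" != "$ace" ] || return 1        # no ':' at all
    ace_id=${ace_rest%%:*}
    ace_perms=${ace_rest#*:}
    [ "$ace_perms" != "$ace_rest" ] || return 1  # permissions field missing
    case $ace_perms in *:*) return 1 ;; esac     # too many fields
    case $ace_type in
        user|group) ;;                           # id may be empty (owner / owning group)
        mask|other) [ -z "$ace_id" ] || return 1 ;;  # id must be omitted
        *) return 1 ;;
    esac
    case $ace_perms in
        [r-][w-][x-]) ;;
        *) return 1 ;;
    esac
}

# lint_acl ACL -> 0 clean, 1 malformed, 2 well-formed but "other" gets write.
lint_acl() {
    acl_rest=$1,
    risky=0
    while [ -n "$acl_rest" ]; do
        entry=${acl_rest%%,*}
        acl_rest=${acl_rest#*,}
        validate_ace "$entry" || { echo "malformed ACE: '$entry'" >&2; return 1; }
        case $ace_type:$ace_perms in
            # Assumed policy: "other" covers every user not matched elsewhere.
            other:?w?) echo "write granted to other: '$entry'" >&2; risky=2 ;;
        esac
    done
    return $risky
}

# Gate the recursive change on the lint result (defined here, not called).
# $1 = storage account, $2 = file system, $3 = path, $4 = ACL.
# --auth-mode login keeps the account key off the command line.
set_acl_recursive_checked() {
    lint_acl "$4" || return $?
    az storage fs access set-recursive --acl "$4" -p "$3" -f "$2" \
        --account-name "$1" --auth-mode login
}

# Constructed sample input.
lint_acl "user::rwx,group::r--,other::---" && echo "ACL ok"
```
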

Required Parameters

--acl

The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". For more information, please refer to https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.

--file-system -f

File system name (i.e. container name).

--path -p

The path to a file or directory in the specified file system.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

Accepted values: key, login
--batch-size

Optional. If the data set size exceeds the batch size, the operation is split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.

--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--continuation

Optional continuation token that can be used to resume a previously stopped operation.

--continue-on-failure

If set to False, the operation terminates quickly on encountering user errors (4XX). If True, the operation ignores user errors and proceeds with the operation on other sub-entities of the directory. In case of user errors, a continuation token is returned only when --continue-on-failure is True. The default value is False.

Accepted values: false, true

--max-batches

Optional. Defines the maximum number of batches that a single change Access Control operation can execute. If the maximum is reached before all sub-paths are processed, the continuation token can be used to resume the operation. An empty value indicates that the maximum number of batches is unbounded and the operation continues until the end.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage fs access show

Show the access control properties of a path (directory or file) in Azure Data Lake Storage Gen2 account.

az storage fs access show --file-system
                          --path
                          [--account-key]
                          [--account-name]
                          [--auth-mode {key, login}]
                          [--blob-endpoint]
                          [--connection-string]
                          [--sas-token]

Examples

Show the access control properties of a path.

az storage fs access show -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000

Required Parameters

--file-system -f

File system name (i.e. container name).

--path -p

The path to a file or directory in the specified file system.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

Accepted values: key, login
--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az storage fs access update-recursive

Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access update-recursive --acl
                                      --file-system
                                      --path
                                      [--account-key]
                                      [--account-name]
                                      [--auth-mode {key, login}]
                                      [--batch-size]
                                      [--blob-endpoint]
                                      [--connection-string]
                                      [--continuation]
                                      [--continue-on-failure {false, true}]
                                      [--max-batches]
                                      [--sas-token]
                                      [--timeout]

Examples

Modify the Access Control on a path and sub-paths in Azure Data Lake Storage Gen2 account.

az storage fs access update-recursive --acl "user::r-x" -p dir -f myfilesystem --account-name myadlsaccount --account-key 0000-0000

Required Parameters

--acl

The value is a comma-separated list of access control entries. Each access control entry (ACE) consists of a scope, a type, a user or group identifier, and permissions in the format "[scope:][type]:[id]:[permissions]". For more information, please refer to https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control.

--file-system -f

File system name (i.e. container name).

--path -p

The path to a file or directory in the specified file system.

Optional Parameters

--account-key

Storage account key. Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_KEY.

--account-name

Storage account name. Related environment variable: AZURE_STORAGE_ACCOUNT. Must be used in conjunction with either storage account key or a SAS token. If neither are present, the command will try to query the storage account key using the authenticated Azure account. If a large number of storage commands are executed the API quota may be hit.

--auth-mode

The mode in which to run the command. "login" mode will directly use your login credentials for the authentication. The legacy "key" mode will attempt to query for an account key if no authentication parameters for the account are provided. Environment variable: AZURE_STORAGE_AUTH_MODE.

Accepted values: key, login
--batch-size

Optional. If the data set size exceeds the batch size, the operation is split into multiple requests so that progress can be tracked. Batch size should be between 1 and 2000. The default when unspecified is 2000.

--blob-endpoint

Storage data service endpoint. Must be used in conjunction with either storage account key or a SAS token. You can find each service primary endpoint with az storage account show. Environment variable: AZURE_STORAGE_SERVICE_ENDPOINT.

--connection-string

Storage account connection string. Environment variable: AZURE_STORAGE_CONNECTION_STRING.

--continuation

Optional continuation token that can be used to resume a previously stopped operation.

--continue-on-failure

If set to False, the operation terminates quickly on encountering user errors (4XX). If True, the operation ignores user errors and proceeds with the operation on other sub-entities of the directory. In case of user errors, a continuation token is returned only when --continue-on-failure is True. The default value is False.

Accepted values: false, true

--max-batches

Optional. Defines the maximum number of batches that a single change Access Control operation can execute. If the maximum is reached before all sub-paths are processed, the continuation token can be used to resume the operation. An empty value indicates that the maximum number of batches is unbounded and the operation continues until the end.

--sas-token

A Shared Access Signature (SAS). Must be used in conjunction with storage account name or service endpoint. Environment variable: AZURE_STORAGE_SAS_TOKEN.

--timeout

Request timeout in seconds. Applies to each call to the service.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.