In this blog post, we’ll explore how to use Azure CLI with a Service Principal to list files and folders in an Azure Storage Account Container. This approach is particularly useful for automated scripts and applications that need to interact with Azure Storage without using interactive login.
Prerequisites
Before we begin, make sure you have the following:
- An Azure account with an active subscription
- Azure CLI installed on your local machine
- A Storage Account in Azure
- A container within the Storage Account
Step 1: Create a Service Principal
First, we need to create a Service Principal that our script will use to authenticate with Azure. Run the following Azure CLI command:
az ad sp create-for-rbac --name "MyStorageServicePrincipal" --role "Storage Blob Data Reader" --scopes /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>
Replace <subscription-id>, <resource-group-name>, and <storage-account-name> with your actual values.
This command will output JSON similar to this:
{
"appId": "<app-id>",
"displayName": "MyStorageServicePrincipal",
"password": "<password>",
"tenant": "<tenant-id>"
}
Make note of the appId, password, and tenant values. You’ll need these to authenticate your script.
Step 2: Set Environment Variables
For security reasons, it’s best to use environment variables to store your credentials. Set the following environment variables:
export AZURE_CLIENT_ID="<app-id>"
export AZURE_CLIENT_SECRET="<password>"
export AZURE_TENANT_ID="<tenant-id>"
Step 3: Authenticate Using the Service Principal
Now, let’s authenticate using the Service Principal:
az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"
Step 4: List Files and Folders in the Container
To list files and folders in your container, use the following command. The --auth-mode login flag tells the CLI to authorize with the Service Principal's token; without it, the CLI tries to fetch the storage account key, which the Storage Blob Data Reader role does not permit:
az storage blob list --account-name <storage-account-name> --container-name <container-name> --auth-mode login --output table
Replace <storage-account-name> and <container-name> with your actual values.
This will output a table of all blobs in the container, including their names, creation times, and other properties. Blob Storage has no real folders: a "/" in a blob name is the convention that the portal and tools render as a folder, so the listing is flat and any folder structure is inferred from the names.
Example Script
Here’s a complete bash script that puts all these steps together:
#!/bin/bash
set -eu
# Set your Azure details
STORAGE_ACCOUNT_NAME="mystorageaccount"
CONTAINER_NAME="mycontainer"
# Fail early if the credentials from Step 2 are not set
: "${AZURE_CLIENT_ID:?set AZURE_CLIENT_ID}" "${AZURE_CLIENT_SECRET:?set AZURE_CLIENT_SECRET}" "${AZURE_TENANT_ID:?set AZURE_TENANT_ID}"
# Authenticate using the Service Principal
az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"
# List blobs in the container with the Service Principal's token (--auth-mode login),
# not the account key, which the Storage Blob Data Reader role cannot retrieve
echo "Listing blobs in container '$CONTAINER_NAME':"
az storage blob list --account-name "$STORAGE_ACCOUNT_NAME" --container-name "$CONTAINER_NAME" --auth-mode login --output table
# Log out so the token is not left in the CLI cache
az logout
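Because the blob listing is flat, showing "folders" means grouping blob names by the "/" delimiter. The script below is an added example, not part of the original post: list_blob_names wraps the same az command (with --auth-mode login and a --prefix filter, emitting only names), and split_level turns those names into the immediate folders and files under a prefix. The function and variable names are assumptions; it expects the az login from Step 3 to have already happened.

```bash
#!/bin/bash
# Added example: show the immediate "folders" and files under a prefix.
# Blob Storage has no real folders; "/" in blob names is the convention
# that the portal and tools render as a directory tree.
set -eu

# Fetch blob names (one per line) under a prefix using the Service
# Principal session created by `az login --service-principal`.
# --auth-mode login uses that identity's token instead of trying to read
# the account key, which Storage Blob Data Reader does not allow.
list_blob_names() {
  account="$1"; container="$2"; prefix="${3:-}"
  az storage blob list \
    --account-name "$account" \
    --container-name "$container" \
    --prefix "$prefix" \
    --auth-mode login \
    --query "[].name" \
    --output tsv
}

# Read blob names on stdin and print one line per entry directly under
# the prefix in $1: "DIR <prefix>" once per distinct virtual folder,
# "FILE <name>" for blobs at that level. Order is first-seen order.
split_level() {
  awk -v p="${1:-}" '
    substr($0, 1, length(p)) == p {
      rest = substr($0, length(p) + 1)
      n = index(rest, "/")
      if (n == 0) { print "FILE " $0; next }
      dir = p substr(rest, 1, n)
      if (!(dir in seen)) { seen[dir] = 1; print "DIR " dir }
    }'
}

# Usage: ./list_level.sh <account> <container> [prefix]
main() {
  list_blob_names "$1" "$2" "${3:-}" | split_level "${3:-}"
}

if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it after Step 3's az login; the prefix argument is optional and an empty prefix shows the container root.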
Conclusion
Using a Service Principal with Azure CLI provides a secure and efficient way to interact with Azure Storage programmatically. This method is particularly useful for automated scripts and applications that need to list or manage files in Azure Blob Storage without user intervention.
Remember to always follow security best practices:
- Keep your Service Principal credentials secure and never commit them to version control.
- Use environment variables or Azure Key Vault to store sensitive information.
- Regularly rotate your Service Principal secrets.
- Apply the principle of least privilege when assigning roles to your Service Principal.
Happy coding, and may your Azure storage operations be smooth and secure!