We would like to set specific rights to an enterprise application in DataLake Gen2 using Azure CLI in our deployment pipeline. We use PowerShell 7.0 and the az storage extension.
I can set rights for users, groups and other via CLI, but not for a specific user. This user must have a contributor role (rw-).
I have tried to set the rights:
az extension add --name storage-preview
az storage blob directory access set -a "default:$user::rw-" -d $dirname -c $filesystemName --account-name $storageaccountname
But it throws the error:'error":{"code":"InvaldAccessControlList","message":"The access control list value is invalid'
When I run
az storage blob directory access show -d $dirname -c $filesystemName --account-name $storageaccountname
{
"acl": "user::rwx,group::r-x,other::---,default:user::rw-,default:group::r-x,default:other::---",
"group": "dummy000-0000-0000-00000000000",
"owner": "$superuser",
"permissions": "rwxr-x---+"
}
It looks like I can't set specific rights this way. I can't use the portal. Is there a CLI command which I can use? The documentation is not very clear about this.
I read the Linux documentation about ACLs and changed the command as follows:
#Get Object ID from the application ID:
$user = az ad sp show --id dummy000-0000-0000-00000000000 --query objectId
# set default rights to the application and strip the quotes from the object ID
$set = "default:user:"+$user.Replace("`"","")+":rw-"
#set the default rights (child items and new as well):
az storage blob directory access set -a $set -d $dirname -c $filesystemName --account-name $storageaccountname
#check rights:
az storage blob directory access show -d $dirname -c $filesystemName --account-name $storageaccountname
You could use an AD email address as a user as well.
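The difference between the rejected entry in the question and the accepted one in the answer is field order: an ACL entry reads [default:]type:qualifier:permissions, and the identity belongs in the qualifier field. The pre-flight check below is an added example, not code from the original post or from Azure CLI; Test-AdlsAclEntry is a hypothetical helper and the all-zero object ID is a constructed placeholder.

```powershell
# Added example. Validates one ACL entry before it is handed to
# "az storage blob directory access set -a ...".
# Assumed grammar: [default:]type:qualifier:perms, type in user|group|mask|other
# (lowercase, as in the "access show" output on this page).
function Test-AdlsAclEntry {
    param([Parameter(Mandatory)][string]$Entry)

    $fields = $Entry.Split(':')
    $scope = 'access'
    if ($fields[0] -ceq 'default') {
        $scope = 'default'
        $fields = @($fields | Select-Object -Skip 1)
    }
    $result = [ordered]@{ Entry = $Entry; Scope = $scope; Valid = $false; Reason = '' }

    if ($fields.Count -ne 3) {
        $result.Reason = "expected type:qualifier:perms, got $($fields.Count) field(s)"
    }
    elseif ($fields[0] -cnotin 'user', 'group', 'mask', 'other') {
        $result.Reason = "'$($fields[0])' is not a type; an identity goes in the qualifier field"
    }
    elseif (($fields[0] -cin 'mask', 'other') -and $fields[1]) {
        $result.Reason = "'$($fields[0])' entries take no qualifier"
    }
    elseif ($fields[2] -cnotmatch '^[r-][w-][x-]$') {
        $result.Reason = "permissions '$($fields[2])' must be three characters such as rw-"
    }
    else { $result.Valid = $true }
    [pscustomobject]$result
}

# Constructed sample value: a placeholder object ID, not a real principal.
$objectId = '00000000-0000-0000-0000-000000000000'
$candidates = @(
    "default:${objectId}::rw-"      # shape from the question: identity in the type field
    "default:user:${objectId}:rw-"  # shape from the answer: inherited by newly created children
    "user:${objectId}:rw-"          # access-scope entry: governs the directory itself
)
$candidates | ForEach-Object { Test-AdlsAclEntry $_ } |
    Format-Table Entry, Scope, Valid, Reason -Wrap
```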