Azure Storage

Overview of the Azure Storage service

Overview

Azure Storage is similar to AWS S3
It stores any type of text or binary data, such as a document, media file, or application installer
You can set Blob storage for private access or share contents publicly to the Internet
The "files" are called "blobs"

Azure Subscription
└── Storage Account(s) - zero or more
    └── Container(s) - zero or more
        └── Blob(s) - zero or more (these are your files)

Authentication Methods

These authentication methods do not apply when the blob or container have been made publicly accessible

There are three methods for obtaining access to Azure Storage

Microsoft Entra Credentials

This is the most secure and recommended approach

Storage permissions can be assigned to an Entra security principal (user/group/app/managed identity)

Account Access Key

These are highly sensitive and if exposed allow full access to all data in the storage account

When an Azure Storage account gets created, two keys are generated which provides full access to all data in the storage account
Therefore these should be monitored and protected well

SAS (Shared Access Signature) Token

A shareable link that enables granting limited access to containers in blobs within a storage account
This is similar to AWS S3 PreSigned URLs
Either an Azure Storage Account Access Key or Entra credentials can be used as the signing key to generate this token

CLI Cheat Sheet

Storage Accounts

Enumerate Storage Account Access Keys

az storage account keys list --account-name <storage-account-name>

Enumerate Storage Accounts

az storage account list
az storage account list --resource-group <rg-name>

Storage Containers

List Storage Containers

Get account-name from az storage account list | jq -r '.[].name'

az storage container list --account-name <storage-acct-name>
az storage container list --account-name <storage-acct-name> --include-deleted

Restore Deleted Storage Container

az storage container restore --account-name <storage-acct-name> --name <container-name> --deleted-version <deleted-container-version>

Check if Versioning is Enabled on Container

Like AWS S3 objects, Azure supports versioning of data too

az storage account blob-service-properties show \
    --account-name <storage-acct-name> \
    --resource-group <rg-name> \
    | jq -r '.isVersioningEnabled'

Blobs (files)

View Blobs in Container

Get container-name from az storage container list... jq -r '.[].name'

az storage blob list --account-name <storage-acct-name> --container-name <container-name> --output table

Check Available Blob Versions

--include v shows versions of the blobs

az storage blob list \
    --account-name <storage-acct-name> \
    --container-name <container-name> \
    --include v

Stream Blob Content

View file contents without downloading the file

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --version-id <blob-version>

Download Blobs

Downloads the file to the destination

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination>

Get version-id from checking the blob versions

az storage blob download --account-name <storage-acct-name> --container-name <container-name> --name <file-to-download> --file ./<file-destination> --version-id <blob-version>

PreviousAzure General Info NextAzure SQL Database

Last updated 11 days ago

Was this helpful?