Thursday, March 26, 2026

The following sample script shows how to control access to containers and folders inside a storage account with a hierarchical namespace (Azure Data Lake Storage Gen2) using POSIX-style access control lists (ACLs), so that users who hold only the control-plane Reader role on the account can be granted access to individual folders and files at that granularity. Three points from the ACL documentation (reference 1 below) matter for reading the script. First, the Reader role grants no data access by itself, and Azure RBAC data roles such as Storage Blob Data Reader are evaluated before ACLs: a principal that already holds such a role on the account is not restricted by ACLs. Second, to read or write an object a principal needs X (traverse) on the container root and on every directory along the path, plus R or W on the object itself; an entry on the folder alone is not enough. Third, setting ACLs requires a superuser, which is what the account key provides (the Storage Blob Data Owner role with --auth-mode login is the alternative). The account key is a shared secret that bypasses ACLs for everything in the account, so keep it out of the script body and prefer the role-based option where you can.

Script begins:

#!/usr/bin/bash
# Stop on the first failing command and on unset variables; a half-applied ACL run is
# harder to reason about than an aborted one.
set -euo pipefail

subscriptionid=

az account set --subscription "$subscriptionid"

# The account key authenticates as a superuser and bypasses ACLs entirely: keep it out of
# version control (read it from an environment variable or a key vault) and prefer
# --auth-mode login under an identity holding Storage Blob Data Owner where possible.
accountkey=

accountname=

# Container (file system) to create and ACL.
cradle=

# Entra ID groups, given either as an object ID (GUID) or as a display name; empty means skip.
domesticrw=

domesticro=

globalro=

globalrw=

# Groups whose entries are to be stripped from the domestic and global folders first.
removegroup1=

removegroup2=

guid_re='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# resolve_group NAME VALUE: print VALUE unchanged if it is empty or already an object ID,
# otherwise look the display name up in Entra ID and print the object ID. Progress messages
# go to stderr so they do not end up in the captured value.
resolve_group() {
  local name=$1 value=$2 ids
  if [[ -z "$value" ]] || [[ "$value" =~ $guid_re ]]; then
    printf '%s' "$value"
    return 0
  fi
  echo "translating $name=$value" >&2
  ids=$(az ad group list --filter "displayName eq '$value'" --query "[].id" --output tsv)
  # Display names are not unique in Entra ID. Refuse to continue with no match (the ACL
  # step would silently be skipped) or with several matches (picking the first would grant
  # access to whichever group happens to sort first).
  if [[ -z "$ids" ]]; then
    echo "error: no group named '$value'" >&2
    return 1
  fi
  if [[ "$ids" == *$'\n'* ]]; then
    echo "error: more than one group named '$value'; pass the object ID instead" >&2
    return 1
  fi
  echo "$name=$ids" >&2
  printf '%s' "$ids"
}

for var in domesticrw domesticro globalrw globalro removegroup1 removegroup2; do
  id=$(resolve_group "$var" "${!var}") || exit 1
  printf -v "$var" '%s' "$id"
done

echo "domesticrw=$domesticrw"
echo "domesticro=$domesticro"
echo "globalro=$globalro"
echo "globalrw=$globalrw"
echo "removegroup1=$removegroup1"
echo "removegroup2=$removegroup2"

echo "create container, if not exists"

az storage container create -n "$cradle" --account-name "$accountname" --account-key "$accountkey"

echo "container exists, acling..."

# Root ACL. Every principal that should reach anything in the container needs X (traverse)
# on the container root: r-x for the read-only groups (so they can also list it) and --x for
# the read/write groups (without a root entry their rwx on the folders below is unreachable).
# Note that `access set` replaces the existing ACL of the path rather than merging into it:
# check `az storage fs access show -p / -f "$cradle"` first and add back any entry you still
# need.
rootacl=""
[[ -n "$globalro" ]]   && rootacl+="group:$globalro:r-x,"
[[ -n "$domesticro" ]] && rootacl+="group:$domesticro:r-x,"
[[ -n "$globalrw" ]]   && rootacl+="group:$globalrw:--x,"
[[ -n "$domesticrw" ]] && rootacl+="group:$domesticrw:--x,"
if [[ -n "$rootacl" ]]; then
  az storage fs access set --acl "${rootacl%,}" -p "/" -f "$cradle" --account-name "$accountname" --account-key "$accountkey"
fi

# Do not grant a folder group recursively from "/": that would give the domestic read-only
# group r-x on /global and everything under it as well. The root entry above already
# provides traversal; per-folder grants follow below.

echo "container acl'ed."

echo "creating global and domestic folders..."

az storage fs directory create -n domestic -f "$cradle" --account-name "$accountname" --account-key "$accountkey" --only-show-errors
az storage fs directory create -n global -f "$cradle" --account-name "$accountname" --account-key "$accountkey" --only-show-errors

echo "folders exist, remove existing acls..."
echo "beginning remove"

# Strip both the access entry and the default entry of each retired group from both folders.
# Removing only `group:<id>` leaves `default:group:<id>` on the directories, and every
# child created afterwards keeps inheriting it.
for folder in domestic global; do
  for group in "$removegroup1" "$removegroup2"; do
    if [[ -n "$group" ]]; then
      az storage fs access remove-recursive --acl "group:$group,default:group:$group" -p "$folder" -f "$cradle" --account-name "$accountname" --account-key "$accountkey"
    fi
  done
done

echo "ending remove"
echo "folders exist, acling..."

# grant_recursive GROUP_ID PERMS FOLDER: apply PERMS for the group to FOLDER and everything
# already in it, plus a matching default entry so that newly created children inherit it.
# The default entry must be `default:group:`, not `default:user:`: the principal is a group,
# and a `user:` entry carrying a group's object ID never matches anyone.
grant_recursive() {
  local group=$1 perms=$2 folder=$3
  [[ -n "$group" ]] || return 0
  az storage fs access update-recursive --acl "group:$group:$perms,default:group:$group:$perms" -p "$folder" -f "$cradle" --account-name "$accountname" --account-key "$accountkey"
}

grant_recursive "$domesticrw" rwx domestic
grant_recursive "$domesticro" r-x domestic
grant_recursive "$globalrw"   rwx global
grant_recursive "$globalro"   r-x global

echo "folders acl'ed."

Sample log:

-----

translating domesticro=AZU_PI_Domestic_RO_DSS_U2

domesticro=d39e64e3-4c72-4d7b-83fd-5bdba321629b

translating globalro=AZU_PI_Global_RO_DSS_U2

globalro=d2683e46-9f59-4cc4-9a77-f95e5bdf8a6d

translating removegroup1=AZU_PI_Domestic_RW_DM

removegroup1=20be57b0-157a-4b59-88ce-086dab652d57

translating removegroup2=AZU_PI_Global_RW_DM

removegroup2=5b5ed4b3-9462-43fc-94aa-80dc00d3c02d

domesticrw=

domesticro=d39e64e3-4c72-4d7b-83fd-5bdba321629b

globalro=d2683e46-9f59-4cc4-9a77-f95e5bdf8a6d

globalrw=

removegroup1=20be57b0-157a-4b59-88ce-086dab652d57

removegroup2=5b5ed4b3-9462-43fc-94aa-80dc00d3c02d

create container, if not exists

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "created": false

}

container exists, acling...

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "client_request_id": "5761d34a-27cd-11f1-97a9-8ef5922a9147",

  "date": "2026-03-24T22:03:51+00:00",

  "etag": "\"0x8DE89ED2F7CA9FC\"",

  "last_modified": "2026-03-24T21:34:53+00:00",

  "request_id": "b72d61e2-c01f-0038-26da-bb0186000000",

  "version": "2021-08-06"

}

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 3,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

container acl'ed.

creating global and domestic folders...

{

  "content_length": 0,

  "continuation": null,

  "date": "2026-03-24T22:03:54+00:00",

  "encryption_key_sha256": null,

  "etag": "\"0x8DE89F13E05F710\"",

  "last_modified": "2026-03-24T22:03:55+00:00",

  "request_id": "63228947-f01f-0019-58da-bb6cb7000000",

  "request_server_encrypted": true,

  "version": "2021-08-06"

}

{

  "content_length": 0,

  "continuation": null,

  "date": "2026-03-24T22:03:56+00:00",

  "encryption_key_sha256": null,

  "etag": "\"0x8DE89F13EF8F98C\"",

  "last_modified": "2026-03-24T22:03:56+00:00",

  "request_id": "89334994-001f-0084-34da-bb16f7000000",

  "request_server_encrypted": true,

  "version": "2021-08-06"

}

folders exist, remove existing acls...

beginning remove

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

ending remove

folders exist, acling...

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

Command group 'az storage' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

{

  "continuation": null,

  "counters": {

    "directoriesSuccessful": 1,

    "failureCount": 0,

    "filesSuccessful": 0

  },

  "failedEntries": []

}

folders acl'ed.
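The az output above only reports counters, so it does not show whether a group can actually reach a file once the ACLs are in place: that depends on the traversal rule (X on the container root and on every directory along the path, then R or W on the object itself) and on the entries naming the right principal type. The following is an added example, not part of the original post, that evaluates ADLS Gen2 style ACL strings offline. group_allows checks one ACL string, in the format that az storage fs access show -p PATH -f FS --query acl -o tsv prints, for a named group entry that grants a permission, honouring the mask entry when one is present and ignoring default entries, which only shape future children. can_access applies the traversal rule along a path. The ACL strings, the acl_for lookup and the DOMESTIC_RW and GLOBAL_RO object IDs are constructed for the example (DOMESTIC_RO is the ID from the sample log); they model a container where the read/write group was granted rwx on /domestic but nothing on the root, and where the global read-only group was recorded as a user: entry instead of group:.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): offline evaluation of ADLS Gen2 style ACL strings.
set -euo pipefail

# Object IDs. DOMESTIC_RO is the one from the sample log; the other two are constructed.
DOMESTIC_RO="d39e64e3-4c72-4d7b-83fd-5bdba321629b"
DOMESTIC_RW="11111111-2222-3333-4444-555555555555"
GLOBAL_RO="66666666-7777-8888-9999-aaaaaaaaaaaa"

# Constructed ACLs for a few paths, in the format `az storage fs access show --query acl -o tsv`
# prints. The read/write group has rwx on /domestic but no entry on the root, and the global
# read-only group was (wrongly) recorded as a `user:` entry instead of `group:`.
acl_for() {
  case "$1" in
    /)                    echo "user::rwx,group::r-x,group:$DOMESTIC_RO:r-x,group:$GLOBAL_RO:r-x,mask::r-x,other::---" ;;
    /domestic)            echo "user::rwx,group::r-x,group:$DOMESTIC_RO:r-x,group:$DOMESTIC_RW:rwx,mask::rwx,other::---" ;;
    /domestic/report.csv) echo "user::rw-,group::r--,group:$DOMESTIC_RO:r--,group:$DOMESTIC_RW:rw-,mask::rw-,other::---" ;;
    /global)              echo "user::rwx,group::r-x,user:$GLOBAL_RO:r-x,mask::r-x,other::---" ;;
    *)                    echo "" ;;   # unknown path: no ACL at all, so nothing is granted
  esac
}

# group_allows ACL GROUP_ID PERM: succeed if a named `group:` entry for GROUP_ID grants PERM
# (one of r, w, x). `default:` entries only shape future children and are ignored here; the
# `mask` entry, when present, caps what named entries can grant, as in POSIX ACLs.
group_allows() {
  local acl=$1 gid=$2 perm=$3 entry kind who bits mask="rwx" granted=1
  while IFS= read -r -d ',' entry; do
    IFS=':' read -r kind who bits <<< "$entry"
    case "$kind" in
      mask)  mask=$bits ;;
      group) if [[ "$who" == "$gid" && "$bits" == *"$perm"* ]]; then granted=0; fi ;;
    esac
  done <<< "$acl,"
  [[ $granted -eq 0 && "$mask" == *"$perm"* ]]
}

# can_access GROUP_ID PATH PERM: the ADLS Gen2 rule. The container root and every directory on
# the way need X for the caller; only then is PERM on the object itself considered.
can_access() {
  local gid=$1 path=$2 perm=$3 cur="" rest
  group_allows "$(acl_for /)" "$gid" x || return 1
  rest=${path#/}
  while [[ "$rest" == */* ]]; do
    cur="$cur/${rest%%/*}"
    rest=${rest#*/}
    group_allows "$(acl_for "$cur")" "$gid" x || return 1
  done
  group_allows "$(acl_for "$path")" "$gid" "$perm"
}

# Print a few verdicts when run directly.
report() {
  if can_access "$1" "$2" "$3"; then echo "ALLOW $3 on $2 for $1"; else echo "DENY  $3 on $2 for $1"; fi
}
report "$DOMESTIC_RO" /domestic/report.csv r
report "$DOMESTIC_RO" /domestic/report.csv w
report "$DOMESTIC_RW" /domestic/report.csv w   # denied: no X on the container root
report "$GLOBAL_RO"   /global r                 # denied: recorded as user:, not group:
```

To check a real container, replace acl_for with calls to az storage fs access show for each path (or paste its acl output into group_allows directly); the rest of the logic is unchanged. The two denials are the cases the az counters cannot reveal: a folder grant that is unreachable because the root lacks a traverse entry, and a default:user or user entry that carries a group's object ID and therefore matches nobody.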

Reference:

1. Online documentation on acls: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

