Authorize access for AzCopy by using a managed identity

Managed identities provide a secure and convenient way to authorize AzCopy operations without storing credentials or managing SAS tokens. This authentication method is particularly valuable for automated scripts, CI/CD pipelines, and applications running on Azure Virtual Machines or other Azure services.

This article shows you how to configure AzCopy to use either system-assigned or user-assigned managed identities. You'll learn to authorize access through environment variables, the AzCopy login command, or by leveraging existing Azure CLI or Azure PowerShell sessions.

To learn about other ways to authorize access to AzCopy, see Authorize AzCopy.

Verify role assignments

Ensure your managed identity has the required Azure role for your intended operations:

For download operations, use Storage Blob Data Reader (Blob Storage) or Storage File Data Privileged Reader (Azure Files).

For upload operations, use Storage Blob Data Contributor or Storage Blob Data Owner (Blob Storage) or Storage File Data Privileged Contributor (Azure Files).

For role assignment instructions, see Assign an Azure role for access to blob data (Blob Storage) or Choose how to authorize access to file data in the Azure portal (Azure Files).

Note

Role assignments can take up to five minutes to propagate.

If you're transferring blobs in an account that has a hierarchical namespace, you don't need to assign one of these roles to your security principal if you add your security principal to the access control list (ACL) of the target container or directory. In the ACL, your security principal needs write permission on the target directory, and execute permission on container and each parent directory. To learn more, see Access control model in Azure Data Lake Storage.

Authorize with environment variables

To authorize access, set in-memory environment variables. Then run any AzCopy command. AzCopy retrieves the authentication token required to complete the operation. After the operation completes, the token disappears from memory.

AzCopy retrieves the OAuth token by using the credentials that you provide. Alternatively, AzCopy can use the OAuth token of an active Azure CLI or Azure PowerShell session.

This option is great if you plan to use AzCopy inside of a script that runs without user interaction, and the script runs from an Azure Virtual Machine (VM). When using this option, you don't have to store any credentials on the VM.

You can sign in to your account by using a system-wide managed identity that you enable on your VM, or by using the client ID, object ID, or resource ID of a user-assigned managed identity that you assign to your VM.

To learn more about how to enable a system-wide managed identity or create a user-assigned managed identity, see Configure managed identities for Azure resources on a VM using the Azure portal.

Authorize with a system-wide managed identity

First, make sure that you enable a system-wide managed identity on your VM. For more information, see System-assigned managed identity.

Type the following command, then press ENTER.

export AZCOPY_AUTO_LOGIN_TYPE=MSI

Then, run any azcopy command (For example: azcopy list https://contoso.blob.core.windows.net).

Authorize with a user-assigned managed identity

First, make sure that you enable a user-assigned managed identity on your VM. For more information, see User-assigned managed identity.

Type the following command, then press ENTER.

export AZCOPY_AUTO_LOGIN_TYPE=MSI

Next, set environment variables for either the client ID, object ID, or resource ID of the user-assigned managed identity.

Use a client ID

To authorize by using a client ID, type the following command, then press ENTER.

export AZCOPY_MSI_CLIENT_ID=<client-id>

Replace the <client-id> placeholder with the client ID of the user-assigned managed identity.

You can find the client ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the client ID property.

Screenshot that shows the location of the client ID.

Use an object ID

To authorize by using an object ID, type the following command, then press ENTER.

export AZCOPY_MSI_OBJECT_ID=<object-id>

Replace the <object-id> placeholder with the object ID of the user-assigned managed identity.

You can find the object ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the object ID (also called the principal ID).

Screenshot that shows the location of the object ID.

Use a resource ID

To authorize by using a resource ID, type the following command, then press ENTER.

export AZCOPY_MSI_RESOURCE_STRING=<resource-id>

Replace the <resource-id> placeholder with the resource ID of the user-assigned managed identity.

You can find the resource ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the resource ID property.

Screenshot that shows the location of the resource ID.
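The environment-variable flow above, as an added shell example that is not part of the AzCopy documentation: it exports AZCOPY_AUTO_LOGIN_TYPE=MSI plus exactly one of the documented selector variables, clears any stale AZCOPY_MSI_* values first so an earlier session cannot silently pick the identity, and rejects malformed IDs before anything is exported. The GUID and resource-ID format checks and the placeholder GUID are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the AzCopy docs): prepare the in-memory managed
# identity login for a VM-hosted script, validating the identifier before
# exporting it so a typo cannot fall back to another identity.
# Assumes AzCopy's documented variable names; the format checks are ours.

# GUID check used for client IDs and object IDs (example's own assumption).
is_guid() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Usage: configure_msi_login system
#        configure_msi_login client|object|resource <id>
# Exactly one selector variable is exported; the others are unset first.
configure_msi_login() {
    kind=$1; id=$2
    unset AZCOPY_MSI_CLIENT_ID AZCOPY_MSI_OBJECT_ID AZCOPY_MSI_RESOURCE_STRING
    case "$kind" in
        system)
            [ -z "$id" ] || { echo "system identity takes no id" >&2; return 1; } ;;
        client)
            is_guid "$id" || { echo "client ID must be a GUID" >&2; return 1; }
            export AZCOPY_MSI_CLIENT_ID="$id" ;;
        object)
            is_guid "$id" || { echo "object ID must be a GUID" >&2; return 1; }
            export AZCOPY_MSI_OBJECT_ID="$id" ;;
        resource)
            # Resource IDs are ARM paths ending in userAssignedIdentities/<name>.
            case "$id" in
                /subscriptions/*/providers/Microsoft.ManagedIdentity/userAssignedIdentities/?*) ;;
                *) echo "resource ID must be a userAssignedIdentities path" >&2; return 1 ;;
            esac
            export AZCOPY_MSI_RESOURCE_STRING="$id" ;;
        *)
            echo "unknown identity kind: $kind" >&2; return 1 ;;
    esac
    export AZCOPY_AUTO_LOGIN_TYPE=MSI
}

# Example use with a constructed placeholder GUID; the list call only runs
# when invoked with "run" and azcopy is installed.
if [ "${1:-}" = "run" ]; then
    configure_msi_login client 11111111-2222-3333-4444-555555555555 || exit 1
    command -v azcopy >/dev/null && azcopy list "https://contoso.blob.core.windows.net"
fi
```

Source the file (`. ./msi-login.sh`) from the script that calls AzCopy so the exported variables stay in that shell's memory only.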

Authorize with the AzCopy login command

Instead of using in-memory variables, you can authorize access by using the azcopy authentication login command.

The azcopy login command retrieves an OAuth token and then places that token into a secret store on your system. If your operating system doesn't have a secret store such as a Linux keyring, the azcopy authentication login command doesn't work because there's nowhere to place the token.

Authorize with a system-wide managed identity

First, make sure that you enable a system-wide managed identity on your VM. For more information, see System-assigned managed identity.

Then, in your command console, type the following command, and then press the ENTER key.

azcopy login --identity

Authorize with a user-assigned managed identity

First, make sure that you enable a user-assigned managed identity on your VM. See User-assigned managed identity. Then, sign in by using either the client ID, object ID, or resource ID of the user-assigned managed identity.

Sign in by using a client ID

Type the following command, then press ENTER.

azcopy login --identity --identity-client-id "<client-id>"

Replace the <client-id> placeholder with the client ID of the user-assigned managed identity.

You can find the client ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the client ID property.

Screenshot that shows the location of the client ID

Sign in by using an object ID

Type the following command, then press ENTER.

azcopy login --identity --identity-object-id "<object-id>"

Replace the <object-id> placeholder with the object ID of the user-assigned managed identity.

You can find the object ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the object ID (also called the principal ID).

Screenshot that shows the location of the object ID

Sign in by using a resource ID

Type the following command, then press ENTER.

azcopy login --identity --identity-resource-id "<resource-id>"

Replace the <resource-id> placeholder with the resource ID of the user-assigned managed identity.

You can find the resource ID in the Azure portal by viewing the properties of the managed identity. The following screenshot shows the location of the resource ID property.

Screenshot that shows the location of the resource ID

Authorize with Azure CLI

When you sign in by using Azure CLI, Azure CLI gets an OAuth token that AzCopy uses to authorize operations.

To enable AzCopy to use that token, type the following command, and then press the ENTER key.

export AZCOPY_AUTO_LOGIN_TYPE=AZCLI
export AZCOPY_TENANT_ID=<tenant-id>

For more information about how to sign in with the Azure CLI, see Sign into Azure with a managed identity using Azure CLI.

Authorize with Azure PowerShell

If you sign in by using Azure PowerShell, then Azure PowerShell obtains an OAuth token that AzCopy can use to authorize operations.

To enable AzCopy to use that token, type the following command, and then press the ENTER key.

$Env:AZCOPY_AUTO_LOGIN_TYPE="PSCRED"
$Env:AZCOPY_TENANT_ID="<tenant-id>"

For more information about how to sign in with Azure PowerShell, see Login with a managed identity.
