Bicep resource definition
The storageAccounts/localUsers resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/localUsers resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Storage/storageAccounts/localUsers@2024-01-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    allowAclAuthorization: bool
    extendedGroups: [
      int
    ]
    groupId: int
    hasSharedKey: bool
    hasSshKey: bool
    hasSshPassword: bool
    homeDirectory: 'string'
    isNFSv3Enabled: bool
    permissionScopes: [
      {
        permissions: 'string'
        resourceName: 'string'
        service: 'string'
      }
    ]
    sshAuthorizedKeys: [
      {
        description: 'string'
        key: 'string'
      }
    ]
  }
}
Property Values
Microsoft.Storage/storageAccounts/localUsers
| Name | Description | Value | 
|---|---|---|
| name | The resource name | string (required). Constraints: min length = 3, max length = 64 |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: storageAccounts | 
| properties | Storage account local user properties. | LocalUserProperties | 
LocalUserProperties
| Name | Description | Value | 
|---|---|---|
| allowAclAuthorization | Indicates whether ACL authorization is allowed for this user. Set it to false to disallow using ACL authorization. | bool | 
| extendedGroups | Supplementary group membership. Only applicable for local users enabled for NFSv3 access. | int[] | 
| groupId | An identifier for associating a group of users. | int | 
| hasSharedKey | Indicates whether shared key exists. Set it to false to remove existing shared key. | bool | 
| hasSshKey | Indicates whether SSH key exists. Set it to false to remove existing SSH key. | bool |
| hasSshPassword | Indicates whether SSH password exists. Set it to false to remove existing SSH password. | bool |
| homeDirectory | Optional, local user home directory. | string | 
| isNFSv3Enabled | Indicates if the local user is enabled for access with NFSv3 protocol. | bool | 
| permissionScopes | The permission scopes of the local user. | PermissionScope[] | 
| sshAuthorizedKeys | Optional, local user SSH authorized keys for SFTP. | SshPublicKey[] |
PermissionScope
| Name | Description | Value | 
|---|---|---|
| permissions | The permissions for the local user. Possible values include: Read (r), Write (w), Delete (d), List (l), Create (c), Modify Ownership (o), and Modify Permissions (p). | string (required) | 
| resourceName | The name of resource, normally the container name or the file share name, used by the local user. | string (required) | 
| service | The service used by the local user, e.g. blob, file. | string (required) | 
SshPublicKey
| Name | Description | Value | 
|---|---|---|
| description | Optional. It is used to store the function/usage of the key. | string |
| key | SSH public key, base64 encoded. The format should be: '<keyType> <keyData>', e.g. ssh-rsa AAAABBBB | string |
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| Create Storage Account with SFTP enabled | Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based. | 
ARM template resource definition
The storageAccounts/localUsers resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/localUsers resource, add the following JSON to your template.
{
  "type": "Microsoft.Storage/storageAccounts/localUsers",
  "apiVersion": "2024-01-01",
  "name": "string",
  "properties": {
    "allowAclAuthorization": "bool",
    "extendedGroups": [ "int" ],
    "groupId": "int",
    "hasSharedKey": "bool",
    "hasSshKey": "bool",
    "hasSshPassword": "bool",
    "homeDirectory": "string",
    "isNFSv3Enabled": "bool",
    "permissionScopes": [
      {
        "permissions": "string",
        "resourceName": "string",
        "service": "string"
      }
    ],
    "sshAuthorizedKeys": [
      {
        "description": "string",
        "key": "string"
      }
    ]
  }
}
Property Values
Microsoft.Storage/storageAccounts/localUsers
| Name | Description | Value | 
|---|---|---|
| apiVersion | The API version | '2024-01-01' |
| name | The resource name | string (required). Constraints: min length = 3, max length = 64 |
| properties | Storage account local user properties. | LocalUserProperties | 
| type | The resource type | 'Microsoft.Storage/storageAccounts/localUsers' | 
LocalUserProperties
| Name | Description | Value | 
|---|---|---|
| allowAclAuthorization | Indicates whether ACL authorization is allowed for this user. Set it to false to disallow using ACL authorization. | bool | 
| extendedGroups | Supplementary group membership. Only applicable for local users enabled for NFSv3 access. | int[] | 
| groupId | An identifier for associating a group of users. | int | 
| hasSharedKey | Indicates whether shared key exists. Set it to false to remove existing shared key. | bool | 
| hasSshKey | Indicates whether SSH key exists. Set it to false to remove existing SSH key. | bool |
| hasSshPassword | Indicates whether SSH password exists. Set it to false to remove existing SSH password. | bool |
| homeDirectory | Optional, local user home directory. | string | 
| isNFSv3Enabled | Indicates if the local user is enabled for access with NFSv3 protocol. | bool | 
| permissionScopes | The permission scopes of the local user. | PermissionScope[] | 
| sshAuthorizedKeys | Optional, local user SSH authorized keys for SFTP. | SshPublicKey[] |
PermissionScope
| Name | Description | Value | 
|---|---|---|
| permissions | The permissions for the local user. Possible values include: Read (r), Write (w), Delete (d), List (l), Create (c), Modify Ownership (o), and Modify Permissions (p). | string (required) | 
| resourceName | The name of resource, normally the container name or the file share name, used by the local user. | string (required) | 
| service | The service used by the local user, e.g. blob, file. | string (required) | 
SshPublicKey
| Name | Description | Value | 
|---|---|---|
| description | Optional. It is used to store the function/usage of the key. | string |
| key | SSH public key, base64 encoded. The format should be: '<keyType> <keyData>', e.g. ssh-rsa AAAABBBB | string |
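A pre-deployment check over the localUsers properties documented above, as an added example that is not part of the original page or of Microsoft's tooling. The policy choices (flagging password authentication, shared keys and the d/o/p permissions) are assumptions of this example, and `check_ssh_key`, `audit_local_user` and `SAMPLE` are hypothetical names.

```python
import base64

VALID_PERMISSIONS = set("rwdlcop")  # letters listed in the PermissionScope table
REVIEW_PERMISSIONS = set("dop")     # assumed policy: these grants need review
def check_ssh_key(entry):
    """Return a problem string for one sshAuthorizedKeys entry, or None."""
    parts = entry.get("key", "").split()
    if len(parts) < 2:
        return "key is not in '<keyType> <keyData>' form"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return "keyData is not valid base64"
    # An SSH public key blob starts with a 4-byte length, then the key type name.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        return "keyData does not encode the declared keyType"
    return None

def audit_local_user(resource):
    """Return findings for one localUsers resource taken from an ARM template."""
    findings = []
    props = resource.get("properties", {})
    # Assumed policy: SFTP users authenticate with SSH keys only.
    if props.get("hasSshPassword") is True:
        findings.append("SSH password authentication is enabled")
    if props.get("hasSharedKey") is True:
        findings.append("a shared key exists for this user")
    for scope in props.get("permissionScopes", []):
        where = f"{scope.get('service')}/{scope.get('resourceName')}"
        perms = set(scope.get("permissions", ""))
        if unknown := sorted(perms - VALID_PERMISSIONS):
            findings.append(f"{where}: unknown permission letters {unknown}")
        if risky := sorted(perms & REVIEW_PERMISSIONS):
            findings.append(f"{where}: grants {risky}")
    for entry in props.get("sshAuthorizedKeys", []):
        if problem := check_ssh_key(entry):
            findings.append(f"sshAuthorizedKeys: {problem}")
    return findings

# Constructed sample resource; the key is the page's 'ssh-rsa AAAABBBB' placeholder.
SAMPLE = {"type": "Microsoft.Storage/storageAccounts/localUsers", "name": "sftpuser", "properties": {
    "hasSshPassword": True, "hasSharedKey": True,
    "permissionScopes": [{"permissions": "rwdx", "service": "blob", "resourceName": "containername"}],
    "sshAuthorizedKeys": [{"description": "placeholder", "key": "ssh-rsa AAAABBBB"}],
}}

if __name__ == "__main__":
    print("\n".join(audit_local_user(SAMPLE)))
```

The placeholder key from the tables is reported because its decoded bytes do not begin with the declared key type, which also catches a key pasted under the wrong `<keyType>`.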
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| Create Storage Account with SFTP enabled | Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based. | 
Terraform (AzAPI provider) resource definition
The storageAccounts/localUsers resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts/localUsers resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Storage/storageAccounts/localUsers@2024-01-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      allowAclAuthorization = bool
      extendedGroups = [
        int
      ]
      groupId = int
      hasSharedKey = bool
      hasSshKey = bool
      hasSshPassword = bool
      homeDirectory = "string"
      isNFSv3Enabled = bool
      permissionScopes = [
        {
          permissions = "string"
          resourceName = "string"
          service = "string"
        }
      ]
      sshAuthorizedKeys = [
        {
          description = "string"
          key = "string"
        }
      ]
    }
  }
}
Property Values
Microsoft.Storage/storageAccounts/localUsers
| Name | Description | Value | 
|---|---|---|
| name | The resource name | string (required). Constraints: min length = 3, max length = 64 |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: storageAccounts | 
| properties | Storage account local user properties. | LocalUserProperties | 
| type | The resource type | "Microsoft.Storage/storageAccounts/localUsers@2024-01-01" | 
LocalUserProperties
| Name | Description | Value | 
|---|---|---|
| allowAclAuthorization | Indicates whether ACL authorization is allowed for this user. Set it to false to disallow using ACL authorization. | bool | 
| extendedGroups | Supplementary group membership. Only applicable for local users enabled for NFSv3 access. | int[] | 
| groupId | An identifier for associating a group of users. | int | 
| hasSharedKey | Indicates whether shared key exists. Set it to false to remove existing shared key. | bool | 
| hasSshKey | Indicates whether SSH key exists. Set it to false to remove existing SSH key. | bool |
| hasSshPassword | Indicates whether SSH password exists. Set it to false to remove existing SSH password. | bool |
| homeDirectory | Optional, local user home directory. | string | 
| isNFSv3Enabled | Indicates if the local user is enabled for access with NFSv3 protocol. | bool | 
| permissionScopes | The permission scopes of the local user. | PermissionScope[] | 
| sshAuthorizedKeys | Optional, local user SSH authorized keys for SFTP. | SshPublicKey[] |
PermissionScope
| Name | Description | Value | 
|---|---|---|
| permissions | The permissions for the local user. Possible values include: Read (r), Write (w), Delete (d), List (l), Create (c), Modify Ownership (o), and Modify Permissions (p). | string (required) | 
| resourceName | The name of resource, normally the container name or the file share name, used by the local user. | string (required) | 
| service | The service used by the local user, e.g. blob, file. | string (required) | 
SshPublicKey
| Name | Description | Value | 
|---|---|---|
| description | Optional. It is used to store the function/usage of the key. | string |
| key | SSH public key, base64 encoded. The format should be: '<keyType> <keyData>', e.g. ssh-rsa AAAABBBB | string |
Usage Examples
Terraform Samples
A basic example of deploying a Storage Account Local User.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2021-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "StorageV2"
    properties = {
      accessTier                   = "Hot"
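      # Sample values: containers may be configured for anonymous (public) blob
      # access, and Shared Key authorization is allowed on this account.
      allowBlobPublicAccess        = true
      allowCrossTenantReplication  = true
      allowSharedKeyAccess         = true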
      defaultToOAuthAuthentication = false
      encryption = {
        keySource = "Microsoft.Storage"
        services = {
          queue = {
            keyType = "Service"
          }
          table = {
            keyType = "Service"
          }
        }
      }
      isHnsEnabled      = false
      isNfsV3Enabled    = false
      isSftpEnabled     = false
      minimumTlsVersion = "TLS1_2"
      networkAcls = {
        defaultAction = "Allow"
      }
      publicNetworkAccess      = "Enabled"
      supportsHttpsTrafficOnly = true
    }
    sku = {
      name = "Standard_LRS"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
resource "azapi_resource" "localUser" {
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azapi_resource.storageAccount.id
  name      = var.resource_name
  body = {
    properties = {
      hasSshPassword = false,
      homeDirectory  = "containername/"
      hasSharedKey   = true,
      hasSshKey      = false,
      permissionScopes = [{
        permissions  = "cwl",
        service      = "blob",
        resourceName = "containername"
      }]
    }
  }
}
An example of deploying a Storage Account Local User and generating its SSH password with the regeneratePassword action.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001dfdg"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2021-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "StorageV2"
    properties = {
      accessTier                   = "Hot"
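      # Sample values: containers may be configured for anonymous (public) blob
      # access, and Shared Key authorization is allowed on this account.
      allowBlobPublicAccess        = true
      allowCrossTenantReplication  = true
      allowSharedKeyAccess         = true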
      defaultToOAuthAuthentication = false
      encryption = {
        keySource = "Microsoft.Storage"
        services = {
          queue = {
            keyType = "Service"
          }
          table = {
            keyType = "Service"
          }
        }
      }
      isHnsEnabled      = false
      isNfsV3Enabled    = false
      isSftpEnabled     = false
      minimumTlsVersion = "TLS1_2"
      networkAcls = {
        defaultAction = "Allow"
      }
      publicNetworkAccess      = "Enabled"
      supportsHttpsTrafficOnly = true
    }
    sku = {
      name = "Standard_LRS"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
resource "azapi_resource" "localUser" {
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azapi_resource.storageAccount.id
  name      = var.resource_name
  body = {
    properties = {
      hasSshPassword = true,
      homeDirectory  = "containername/"
      hasSharedKey   = true,
      hasSshKey      = false,
      permissionScopes = [{
        permissions  = "cwl",
        service      = "blob",
        resourceName = "containername"
      }]
    }
  }
}
resource "azapi_resource_action" "localUser" {
  type        = "Microsoft.Storage/storageAccounts/localUsers@2022-05-01"
  resource_id = azapi_resource.localUser.id
  action      = "regeneratePassword"
  body = {
    username = "TestUserName"
  }
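  # The generated password is returned in this action's output and is therefore
  # written to the Terraform state; protect the state as a secret.
  response_export_values = ["sshPassword"]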
}