CloudWiki
Resource
Get a free AWS Well-Architected Assessment ->

Microsoft Azure

Storage Account

An Azure Storage Account is a cloud-based storage solution that can be used to store and manage data for applications and services hosted in Azure or on-premises. Azure Storage Account offers several types of data storage services, including Blob storage for unstructured data such as images, videos, and documents, File storage for file shares that can be accessed by multiple virtual machines, Queue storage for reliable messaging between application components, and Table storage for structured data storage that can be accessed using REST APIs. Azure Storage Account provides high durability, availability, and scalability, allowing users to store and manage large amounts of data. It also supports multiple data redundancy options, including locally redundant storage (LRS), zone-redundant storage (ZRS), geo-redundant storage (GRS), and read-access geo-redundant storage (RA-GRS), to protect data against hardware failures, natural disasters, or other unexpected events.‍
aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Terraform Name
terraform
azurerm_storage_account
Storage Account
attributes:

The following arguments are supported:

  • name - (Required) Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group.
  • resource_group_name - (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created.
  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
  • account_kind - (Optional) Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2.

NOTE:

Changing the account_kind value from Storage to StorageV2 will not trigger a force new on the storage account, it will only upgrade the existing storage account from Storage to StorageV2 keeping the existing storage account in place.

  • account_tier - (Required) Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created.

NOTE:

Blobs with a tier of Premium are of account kind StorageV2.

  • account_replication_type - (Required) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS.
  • cross_tenant_replication_enabled - (Optional) Should cross Tenant replication be enabled? Defaults to true.
  • access_tier - (Optional) Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot.
  • edge_zone - (Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created.
  • enable_https_traffic_only - (Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to true.
  • min_tls_version - (Optional) The minimum supported TLS version for the storage account. Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_2 for new storage accounts.

NOTE:

At this time min_tls_version is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • allow_nested_items_to_be_public - (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to true.

NOTE:

At this time allow_nested_items_to_be_public is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • shared_access_key_enabled - (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is true.

Note:

Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items - when Shared Key Access is disabled, you will need to enable the storage_use_azuread flag in the Provider block to use Azure AD for authentication, however not all Azure Storage services support Active Directory authentication.

  • public_network_access_enabled - (Optional) Whether the public network access is enabled? Defaults to true.
  • default_to_oauth_authentication - (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false
  • is_hns_enabled - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created.

NOTE:

This can only be true when account_tier is Standard or when account_tier is Premium and account_kind is BlockBlobStorage

  • nfsv3_enabled - (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false.

NOTE:

This can only be true when account_tier is Standard and account_kind is StorageV2, or account_tier is Premium and account_kind is BlockBlobStorage. Additionally, the is_hns_enabled is true.

  • custom_domain - (Optional) A custom_domain block as documented below.
  • customer_managed_key - (Optional) A customer_managed_key block as documented below.
  • identity - (Optional) An identity block as defined below.
  • blob_properties - (Optional) A blob_properties block as defined below.
  • queue_properties - (Optional) A queue_properties block as defined below.

NOTE:

queue_properties cannot be set when the account_kind is set to BlobStorage

  • static_website - (Optional) A static_website block as defined below.

NOTE:

static_website can only be set when the account_kind is set to StorageV2 or BlockBlobStorage.

  • share_properties - (Optional) A share_properties block as defined below.
  • network_rules - (Optional) A network_rules block as documented below.
  • large_file_share_enabled - (Optional) Is Large File Share Enabled?
  • azure_files_authentication - (Optional) A azure_files_authentication block as defined below.
  • routing - (Optional) A routing block as defined below.
  • queue_encryption_key_type - (Optional) The encryption type of the queue service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service.
  • table_encryption_key_type - (Optional) The encryption type of the table service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service.

NOTE:

For the queue_encryption_key_type and table_encryption_key_type, the Account key type is only allowed when the account_kind is set to StorageV2

  • infrastructure_encryption_enabled - (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false.

NOTE:

This can only be true when account_kind is StorageV2 or when account_tier is Premium and account_kind is one of BlockBlobStorage or FileStorage.

  • immutability_policy - (Optional) An immutability_policy block as defined below. Changing this forces a new resource to be created.
  • sas_policy - (Optional) A sas_policy block as defined below.
  • allowed_copy_scope - (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are AAD and PrivateLink.
  • sftp_enabled - (Optional) Boolean, enable SFTP for the storage account

NOTE:

SFTP support requires is_hns_enabled set to true. More information on SFTP support can be found here. Defaults to false

  • tags - (Optional) A mapping of tags to assign to the resource.

A blob_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined below.
  • delete_retention_policy - (Optional) A delete_retention_policy block as defined below.
  • restore_policy - (Optional) A restore_policy block as defined below. This must be used together with delete_retention_policy set, versioning_enabled and change_feed_enabled set to true.
  • versioning_enabled - (Optional) Is versioning enabled? Default to false.
  • change_feed_enabled - (Optional) Is the blob service properties for change feed events enabled? Default to false.
  • change_feed_retention_in_days - (Optional) The duration of change feed events retention in days. The possible values are between 1 and 146000 days (400 years). Setting this to null (or omit this in the configuration file) indicates an infinite retention of the change feed.
  • default_service_version - (Optional) The API Version which should be used by default for requests to the Data Plane API if an incoming request doesn't specify an API Version.
  • last_access_time_enabled - (Optional) Is the last access time based tracking enabled? Default to false.
  • container_delete_retention_policy - (Optional) A container_delete_retention_policy block as defined below.

A cors_rule block supports the following:

  • allowed_headers - (Required) A list of headers that are allowed to be a part of the cross-origin request.
  • allowed_methods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are DELETE, GET, HEAD, MERGE, POST, OPTIONS, PUT or PATCH.
  • allowed_origins - (Required) A list of origin domains that will be allowed by CORS.
  • exposed_headers - (Required) A list of response headers that are exposed to CORS clients.
  • max_age_in_seconds - (Required) The number of seconds the client should cache a preflight response.

A custom_domain block supports the following:

  • name - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.
  • use_subdomain - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?

A customer_managed_key block supports the following:

  • key_vault_key_id - (Required) The ID of the Key Vault Key, supplying a version-less key ID will enable auto-rotation of this key.
  • user_assigned_identity_id - (Required) The ID of a user assigned identity.

NOTE:

customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.

A delete_retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7.

A restore_policy block supports the following:

  • days - (Required) Specifies the number of days that the blob can be restored, between 1 and 365 days. This must be less than the days specified for delete_retention_policy.

A container_delete_retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the container should be retained, between 1 and 365 days. Defaults to 7.

A hour_metrics block supports the following:

  • enabled - (Required) Indicates whether hour metrics are enabled for the Queue service.
  • version - (Required) The version of storage analytics to configure.
  • include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
  • identity_ids - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.

NOTE:

This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

Note

The assigned principal_id and tenant_id can be retrieved after the identity type has been set to SystemAssigned and Storage Account has been created. More details are available below.

An immutability_policy block supports the following:

NOTE

: This argument specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy.

  • allow_protected_append_writes - (Required) When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
  • state - (Required) Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
  • period_since_creation_in_days - (Required) The immutability period for the blobs in the container since the policy creation, in days.

A logging block supports the following:

  • delete - (Required) Indicates whether all delete requests should be logged.
  • read - (Required) Indicates whether all read requests should be logged.
  • version - (Required) The version of storage analytics to configure.
  • write - (Required) Indicates whether all write requests should be logged.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

A minute_metrics block supports the following:

  • enabled - (Required) Indicates whether minute metrics are enabled for the Queue service.
  • version - (Required) The version of storage analytics to configure.
  • include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
  • retention_policy_days - (Optional) Specifies the number of days that logs will be retained.

A network_rules block supports the following:

  • default_action - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow.
  • bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None.
  • ip_rules - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. /31 CIDRs, /32 CIDRs, and Private IP address ranges (as defined in RFC 1918), are not allowed.
  • virtual_network_subnet_ids - (Optional) A list of resource ids for subnets.
  • private_link_access - (Optional) One or More private_link_access block as defined below.

Note:

If specifying network_rules, one of either ip_rules or virtual_network_subnet_ids must be specified and default_action must be set to Deny.

NOTE:

Network Rules can be defined either directly on the azurerm_storage_account resource, or using the azurerm_storage_account_network_rules resource - but the two cannot be used together. If both are used against the same Storage Account, spurious changes will occur. When managing Network Rules using this resource, to change from a default_action of Deny to Allow requires defining, rather than removing, the block.

Note:

The prefix of ip_rules must be between 0 and 30 and only supports public IP addresses.

Note:

More information on Validation is available here

A private_link_access block supports the following:

  • endpoint_resource_id - (Required) The resource id of the resource access rule to be granted access.
  • endpoint_tenant_id - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.

A azure_files_authentication block supports the following:

  • directory_type - (Required) Specifies the directory service used. Possible values are AADDS, AD and AADKERB.
  • active_directory - (Optional) A active_directory block as defined below. Required when directory_type is AD.

Note:

If directory_type is set to AADKERB, active_directory is not supported. Use icals to configure directory and file level permissions.

A active_directory block supports the following:

  • storage_sid - (Required) Specifies the security identifier (SID) for Azure Storage.
  • domain_name - (Required) Specifies the primary domain that the AD DNS server is authoritative for.
  • domain_sid - (Required) Specifies the security identifier (SID).
  • domain_guid - (Required) Specifies the domain GUID.
  • forest_name - (Required) Specifies the Active Directory forest.
  • netbios_domain_name - (Required) Specifies the NetBIOS domain name.

A routing block supports the following:

  • publish_internet_endpoints - (Optional) Should internet routing storage endpoints be published? Defaults to false.
  • publish_microsoft_endpoints - (Optional) Should Microsoft routing storage endpoints be published? Defaults to false.
  • choice - (Optional) Specifies the kind of network routing opted by the user. Possible values are InternetRouting and MicrosoftRouting. Defaults to MicrosoftRouting.

A queue_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined above.
  • logging - (Optional) A logging block as defined below.
  • minute_metrics - (Optional) A minute_metrics block as defined below.
  • hour_metrics - (Optional) A hour_metrics block as defined below.

A sas_policy block supports the following:

  • expiration_period - (Required) The SAS expiration period in format of DD.HH:MM:SS.
  • expiration_action - (Optional) The SAS expiration action. The only possible value is Log at this moment. Defaults to Log.

A static_website block supports the following:

  • index_document - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive.
  • error_404_document - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.

A share_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined below.
  • retention_policy - (Optional) A retention_policy block as defined below.
  • smb - (Optional) A smb block as defined below.

A retention_policy block supports the following:

  • days - (Optional) Specifies the number of days that the azurerm_storage_share should be retained, between 1 and 365 days. Defaults to 7.

A smb block supports the following:

  • versions - (Optional) A set of SMB protocol versions. Possible values are SMB2.1, SMB3.0, and SMB3.1.1.
  • authentication_types - (Optional) A set of SMB authentication methods. Possible values are NTLMv2, and Kerberos.
  • kerberos_ticket_encryption_type - (Optional) A set of Kerberos ticket encryption. Possible values are RC4-HMAC, and AES-256.
  • channel_encryption_type - (Optional) A set of SMB channel encryption. Possible values are AES-128-CCM, AES-128-GCM, and AES-256-GCM.
  • multichannel_enabled - (Optional) Indicates whether multichannel is enabled. Defaults to false. This is only supported on Premium storage accounts.

Associating resources with a
Storage Account
Resources do not "belong" to a
Storage Account
Rather, one or more Security Groups are associated to a resource.
Create
Storage Account
via Terraform:
The following HCL manages an Azure storage account
Syntax:

resource "azurerm_resource_group" "example" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_storage_account" "example" {
 name                     = "storageaccountname"
 resource_group_name      = azurerm_resource_group.example.name
 location                 = azurerm_resource_group.example.location
 account_tier             = "Standard"
 account_replication_type = "GRS"

 tags = {
   environment = "staging"
 }
}

Create
Storage Account
via CLI:
Parametres:

az storage account create --name
                         --resource-group
                         [--access-tier {Cool, Hot, Premium}]
                         [--account-type]
                         [--action]
                         [--allow-append {false, true}]
                         [--allow-blob-public-access {false, true}]
                         [--allow-cross-tenant-replication {false, true}]
                         [--allow-shared-key-access {false, true}]
                         [--assign-identity]
                         [--azure-storage-sid]
                         [--bypass {AzureServices, Logging, Metrics, None}]
                         [--custom-domain]
                         [--default-action {Allow, Deny}]
                         [--default-share-permission {None, StorageFileDataSmbShareContributor, StorageFileDataSmbShareElevatedContributor, StorageFileDataSmbShareReader}]
                         [--dns-endpoint-type {AzureDnsZone, Standard}]
                         [--domain-guid]
                         [--domain-name]
                         [--domain-sid]
                         [--edge-zone]
                         [--enable-alw {false, true}]
                         [--enable-files-aadds {false, true}]
                         [--enable-files-aadkerb {false, true}]
                         [--enable-files-adds {false, true}]
                         [--enable-hierarchical-namespace {false, true}]
                         [--enable-large-file-share]
                         [--enable-local-user {false, true}]
                         [--enable-nfs-v3 {false, true}]
                         [--enable-sftp {false, true}]
                         [--encryption-key-name]
                         [--encryption-key-source {Microsoft.Keyvault, Microsoft.Storage}]
                         [--encryption-key-type-for-queue {Account, Service}]
                         [--encryption-key-type-for-table {Account, Service}]
                         [--encryption-key-vault]
                         [--encryption-key-version]
                         [--encryption-services {blob, file, queue, table}]
                         [--forest-name]
                         [--https-only {false, true}]
                         [--identity-type {None, SystemAssigned, SystemAssigned,UserAssigned, UserAssigned}]
                         [--immutability-period]
                         [--immutability-state {Disabled, Locked, Unlocked}]
                         [--key-exp-days]
                         [--key-vault-federated-client-id]
                         [--key-vault-user-identity-id]
                         [--kind {BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2}]
                         [--location]
                         [--min-tls-version {TLS1_0, TLS1_1, TLS1_2}]
                         [--net-bios-domain-name]
                         [--public-network-access {Disabled, Enabled}]
                         [--publish-internet-endpoints {false, true}]
                         [--publish-microsoft-endpoints {false, true}]
                         [--require-infrastructure-encryption {false, true}]
                         [--routing-choice {InternetRouting, MicrosoftRouting}]
                         [--sam-account-name]
                         [--sas-exp]
                         [--sku {Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS}]
                         [--subnet]
                         [--tags]
                         [--user-identity-id]
                         [--vnet-name]

Example:

az storage account create -n mystorageaccount -g MyResourceGroup -l westus --sku Standard_LRS

Best Practices for
Storage Account

Categorized by Availability, Security & Compliance and Cost

No items found.
Explore all the rules our platform covers
Related blog posts