0
# Security and Access Management
1
2
Management of private endpoints, local users for SFTP access, encryption scopes, and network security configurations. These features provide comprehensive security controls for Azure Storage accounts.
3
4
## Capabilities
5
6
### Private Endpoint Management
7
8
Configure private endpoints for secure, private connectivity to storage accounts over Azure's backbone network.
9
10
```python { .api }
11
class PrivateEndpointConnectionsOperations:
12
def put(
13
self,
14
resource_group_name: str,
15
account_name: str,
16
private_endpoint_connection_name: str,
17
properties: PrivateEndpointConnection
18
) -> PrivateEndpointConnection:
19
"""
20
Updates the state of specified private endpoint connection.
21
22
Parameters:
23
- resource_group_name: Name of the resource group
24
- account_name: Name of the storage account
25
- private_endpoint_connection_name: Name of the private endpoint connection
26
- properties: Private endpoint connection properties
27
28
Returns:
29
Updated PrivateEndpointConnection
30
"""
31
32
def get(
33
self,
34
resource_group_name: str,
35
account_name: str,
36
private_endpoint_connection_name: str
37
) -> PrivateEndpointConnection:
38
"""
39
Gets the specified private endpoint connection.
40
41
Parameters:
42
- resource_group_name: Name of the resource group
43
- account_name: Name of the storage account
44
- private_endpoint_connection_name: Name of the private endpoint connection
45
46
Returns:
47
PrivateEndpointConnection details
48
"""
49
50
def delete(
51
self,
52
resource_group_name: str,
53
account_name: str,
54
private_endpoint_connection_name: str
55
) -> None:
56
"""
57
Deletes the specified private endpoint connection.
58
59
Parameters:
60
- resource_group_name: Name of the resource group
61
- account_name: Name of the storage account
62
- private_endpoint_connection_name: Name of the private endpoint connection
63
"""
64
65
def list(
66
self,
67
resource_group_name: str,
68
account_name: str
69
) -> ItemPaged[PrivateEndpointConnection]:
70
"""
71
Lists all private endpoint connections for a storage account.
72
73
Parameters:
74
- resource_group_name: Name of the resource group
75
- account_name: Name of the storage account
76
77
Returns:
78
Paginated list of PrivateEndpointConnection objects
79
"""
80
```
81
82
Usage example:
83
84
```python
85
from azure.mgmt.storage.models import (
86
PrivateEndpointConnection, PrivateLinkServiceConnectionState,
87
PrivateEndpointServiceConnectionStatus
88
)
89
90
# Approve a private endpoint connection
91
connection_state = PrivateLinkServiceConnectionState(
92
status=PrivateEndpointServiceConnectionStatus.APPROVED,
93
description="Approved for secure access"
94
)
95
96
private_endpoint_conn = PrivateEndpointConnection(
97
private_link_service_connection_state=connection_state
98
)
99
100
approved_connection = client.private_endpoint_connections.put(
101
resource_group_name="my-resource-group",
102
account_name="mystorageaccount123",
103
private_endpoint_connection_name="my-private-endpoint",
104
properties=private_endpoint_conn
105
)
106
107
# List all private endpoint connections
108
connections = list(client.private_endpoint_connections.list(
109
resource_group_name="my-resource-group",
110
account_name="mystorageaccount123"
111
))
112
113
for conn in connections:
114
print(f"Connection: {conn.name}, Status: {conn.private_link_service_connection_state.status}")
115
```
116
117
### Private Link Resources
118
119
Discover available private link resources and their configuration details.
120
121
```python { .api }
122
class PrivateLinkResourcesOperations:
123
def list_by_storage_account(
124
self,
125
resource_group_name: str,
126
account_name: str
127
) -> PrivateLinkResourceListResult:
128
"""
129
Gets the private link resources that need to be created for a storage account.
130
131
Parameters:
132
- resource_group_name: Name of the resource group
133
- account_name: Name of the storage account
134
135
Returns:
136
PrivateLinkResourceListResult containing available resources
137
"""
138
```
139
140
### Local User Management (SFTP)
141
142
Manage local user accounts for SFTP access to Azure Blob storage.
143
144
```python { .api }
145
class LocalUsersOperations:
146
def create_or_update(
147
self,
148
resource_group_name: str,
149
account_name: str,
150
username: str,
151
properties: LocalUser
152
) -> LocalUser:
153
"""
154
Creates or updates a local user account for SFTP access.
155
156
Parameters:
157
- resource_group_name: Name of the resource group
158
- account_name: Name of the storage account
159
- username: Username for the local user account
160
- properties: Local user properties and configuration
161
162
Returns:
163
Created or updated LocalUser
164
"""
165
166
def get(
167
self,
168
resource_group_name: str,
169
account_name: str,
170
username: str
171
) -> LocalUser:
172
"""
173
Gets the specified local user.
174
175
Parameters:
176
- resource_group_name: Name of the resource group
177
- account_name: Name of the storage account
178
- username: Username of the local user
179
180
Returns:
181
LocalUser details
182
"""
183
184
def delete(
185
self,
186
resource_group_name: str,
187
account_name: str,
188
username: str
189
) -> None:
190
"""
191
Deletes the specified local user.
192
193
Parameters:
194
- resource_group_name: Name of the resource group
195
- account_name: Name of the storage account
196
- username: Username of the local user to delete
197
"""
198
199
def list(
200
self,
201
resource_group_name: str,
202
account_name: str,
203
include: Optional[ListLocalUserIncludeParam] = None
204
) -> ItemPaged[LocalUser]:
205
"""
206
Lists local users for a storage account.
207
208
Parameters:
209
- resource_group_name: Name of the resource group
210
- account_name: Name of the storage account
211
- include: Optional list of local user properties to include
212
213
Returns:
214
Paginated list of LocalUser objects
215
"""
216
217
def list_keys(
218
self,
219
resource_group_name: str,
220
account_name: str,
221
username: str
222
) -> LocalUserKeys:
223
"""
224
Lists the SSH public keys for the specified local user.
225
226
Parameters:
227
- resource_group_name: Name of the resource group
228
- account_name: Name of the storage account
229
- username: Username of the local user
230
231
Returns:
232
LocalUserKeys containing SSH public keys
233
"""
234
235
def regenerate_password(
236
self,
237
resource_group_name: str,
238
account_name: str,
239
username: str
240
) -> LocalUserRegeneratePasswordResult:
241
"""
242
Regenerates the password for the specified local user.
243
244
Parameters:
245
- resource_group_name: Name of the resource group
246
- account_name: Name of the storage account
247
- username: Username of the local user
248
249
Returns:
250
LocalUserRegeneratePasswordResult with new password
251
"""
252
```
253
254
Usage example:
255
256
```python
257
from azure.mgmt.storage.models import (
258
LocalUser, SshPublicKey, PermissionScope
259
)
260
261
# Create SSH public key for authentication
262
ssh_key = SshPublicKey(
263
description="Development key",
264
key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... user@machine"
265
)
266
267
# Define access permissions for containers
268
permission_scope = PermissionScope(
269
permissions="rwd", # read, write, delete
270
service="blob",
271
resource_name="data-container"
272
)
273
274
# Create local user for SFTP access
275
local_user = LocalUser(
276
properties=LocalUserProperties(
277
permission_scopes=[permission_scope],
278
ssh_authorized_keys=[ssh_key],
279
has_shared_key=False, # Use SSH keys only
280
has_ssh_key=True,
281
has_ssh_password=False
282
)
283
)
284
285
created_user = client.local_users.create_or_update(
286
resource_group_name="my-resource-group",
287
account_name="mystorageaccount123",
288
username="sftp-user-01",
289
properties=local_user
290
)
291
292
# List all local users
293
users = list(client.local_users.list(
294
resource_group_name="my-resource-group",
295
account_name="mystorageaccount123"
296
))
297
298
for user in users:
299
print(f"User: {user.name}, Has SSH Key: {user.properties.has_ssh_key}")
300
301
# Get SSH keys for a user
302
keys = client.local_users.list_keys(
303
resource_group_name="my-resource-group",
304
account_name="mystorageaccount123",
305
username="sftp-user-01"
306
)
307
```
308
309
### Encryption Scope Management
310
311
Manage customer-managed encryption scopes for granular encryption control.
312
313
```python { .api }
314
class EncryptionScopesOperations:
315
def put(
316
self,
317
resource_group_name: str,
318
account_name: str,
319
encryption_scope_name: str,
320
encryption_scope: EncryptionScope
321
) -> EncryptionScope:
322
"""
323
Creates or updates an encryption scope.
324
325
Parameters:
326
- resource_group_name: Name of the resource group
327
- account_name: Name of the storage account
328
- encryption_scope_name: Name of the encryption scope
329
- encryption_scope: Encryption scope properties
330
331
Returns:
332
Created or updated EncryptionScope
333
"""
334
335
def patch(
336
self,
337
resource_group_name: str,
338
account_name: str,
339
encryption_scope_name: str,
340
encryption_scope: EncryptionScope
341
) -> EncryptionScope:
342
"""
343
Updates properties of an existing encryption scope.
344
345
Parameters:
346
- resource_group_name: Name of the resource group
347
- account_name: Name of the storage account
348
- encryption_scope_name: Name of the encryption scope
349
- encryption_scope: Updated encryption scope properties
350
351
Returns:
352
Updated EncryptionScope
353
"""
354
355
def get(
356
self,
357
resource_group_name: str,
358
account_name: str,
359
encryption_scope_name: str
360
) -> EncryptionScope:
361
"""
362
Gets the specified encryption scope.
363
364
Parameters:
365
- resource_group_name: Name of the resource group
366
- account_name: Name of the storage account
367
- encryption_scope_name: Name of the encryption scope
368
369
Returns:
370
EncryptionScope details
371
"""
372
373
def list(
374
self,
375
resource_group_name: str,
376
account_name: str,
377
maxpagesize: Optional[int] = None,
378
filter: Optional[str] = None,
379
include: Optional[ListEncryptionScopesInclude] = None
380
) -> ItemPaged[EncryptionScope]:
381
"""
382
Lists all encryption scopes for a storage account.
383
384
Parameters:
385
- resource_group_name: Name of the resource group
386
- account_name: Name of the storage account
387
- maxpagesize: Maximum number of results per page
388
- filter: OData filter expression
389
- include: Include additional properties
390
391
Returns:
392
Paginated list of EncryptionScope objects
393
"""
394
```
395
396
Usage example:
397
398
```python
399
from azure.mgmt.storage.models import (
400
EncryptionScope, EncryptionScopeSource, EncryptionScopeState,
401
EncryptionScopeKeyVaultProperties
402
)
403
404
# Create encryption scope using Microsoft-managed keys
405
ms_managed_scope = EncryptionScope(
406
properties=EncryptionScopeProperties(
407
source=EncryptionScopeSource.MICROSOFT_STORAGE,
408
state=EncryptionScopeState.ENABLED,
409
require_infrastructure_encryption=True
410
)
411
)
412
413
created_scope = client.encryption_scopes.put(
414
resource_group_name="my-resource-group",
415
account_name="mystorageaccount123",
416
encryption_scope_name="ms-managed-scope",
417
encryption_scope=ms_managed_scope
418
)
419
420
# Create encryption scope using customer-managed keys from Key Vault
421
kv_properties = EncryptionScopeKeyVaultProperties(
422
key_uri="https://myvault.vault.azure.net/keys/mykey/version",
423
current_versioned_key_identifier="https://myvault.vault.azure.net/keys/mykey/abc123"
424
)
425
426
customer_managed_scope = EncryptionScope(
427
properties=EncryptionScopeProperties(
428
source=EncryptionScopeSource.MICROSOFT_KEY_VAULT,
429
state=EncryptionScopeState.ENABLED,
430
key_vault_properties=kv_properties
431
)
432
)
433
434
client.encryption_scopes.put(
435
resource_group_name="my-resource-group",
436
account_name="mystorageaccount123",
437
encryption_scope_name="customer-managed-scope",
438
encryption_scope=customer_managed_scope
439
)
440
441
# List all encryption scopes
442
scopes = list(client.encryption_scopes.list(
443
resource_group_name="my-resource-group",
444
account_name="mystorageaccount123"
445
))
446
447
for scope in scopes:
448
print(f"Scope: {scope.name}, Source: {scope.properties.source}, State: {scope.properties.state}")
449
```
450
451
### Network Security Perimeter Configurations
452
453
Manage network security perimeter configurations for advanced network isolation.
454
455
```python { .api }
456
class NetworkSecurityPerimeterConfigurationsOperations:
457
def get(
458
self,
459
resource_group_name: str,
460
account_name: str,
461
network_security_perimeter_configuration_name: str
462
) -> NetworkSecurityPerimeterConfiguration:
463
"""
464
Gets effective NetworkSecurityPerimeterConfiguration for association.
465
466
Parameters:
467
- resource_group_name: Name of the resource group
468
- account_name: Name of the storage account
469
- network_security_perimeter_configuration_name: Name of the configuration
470
471
Returns:
472
NetworkSecurityPerimeterConfiguration details
473
"""
474
475
def list(
476
self,
477
resource_group_name: str,
478
account_name: str
479
) -> ItemPaged[NetworkSecurityPerimeterConfiguration]:
480
"""
481
Lists NetworkSecurityPerimeterConfigurations for a storage account.
482
483
Parameters:
484
- resource_group_name: Name of the resource group
485
- account_name: Name of the storage account
486
487
Returns:
488
Paginated list of network security perimeter configurations
489
"""
490
491
def begin_reconcile(
492
self,
493
resource_group_name: str,
494
account_name: str,
495
network_security_perimeter_configuration_name: str
496
) -> LROPoller[None]:
497
"""
498
Refreshes any information about the association.
499
500
Parameters:
501
- resource_group_name: Name of the resource group
502
- account_name: Name of the storage account
503
- network_security_perimeter_configuration_name: Name of the configuration
504
"""
505
```
506
507
## Types
508
509
```python { .api }
510
class PrivateEndpointConnection:
511
"""Private endpoint connection resource."""
512
id: str
513
name: str
514
type_: str
515
properties: PrivateEndpointConnectionProperties
516
517
class PrivateEndpointConnectionProperties:
518
"""Properties of private endpoint connection."""
519
private_endpoint: PrivateEndpoint
520
private_link_service_connection_state: PrivateLinkServiceConnectionState
521
provisioning_state: PrivateEndpointConnectionProvisioningState
522
523
class PrivateLinkServiceConnectionState:
524
"""Connection state of private endpoint."""
525
status: PrivateEndpointServiceConnectionStatus
526
description: str
527
action_required: str
528
529
class LocalUser:
530
"""Local user account for SFTP access."""
531
id: str
532
name: str
533
type_: str
534
system_data: SystemData
535
properties: LocalUserProperties
536
537
class LocalUserProperties:
538
"""Properties of a local user."""
539
permission_scopes: List[PermissionScope]
540
home_directory: str
541
ssh_authorized_keys: List[SshPublicKey]
542
has_shared_key: bool
543
has_ssh_key: bool
544
has_ssh_password: bool
545
546
class PermissionScope:
547
"""Permission scope for local user."""
548
permissions: str # Combination of 'r', 'w', 'd', 'l', 'c'
549
service: str # "blob"
550
resource_name: str # Container name
551
552
class SshPublicKey:
553
"""SSH public key for authentication."""
554
description: str
555
key: str
556
557
class EncryptionScope:
558
"""Encryption scope resource."""
559
id: str
560
name: str
561
type_: str
562
properties: EncryptionScopeProperties
563
564
class EncryptionScopeProperties:
565
"""Properties of an encryption scope."""
566
source: EncryptionScopeSource
567
state: EncryptionScopeState
568
creation_time: datetime
569
last_modified_time: datetime
570
key_vault_properties: EncryptionScopeKeyVaultProperties
571
require_infrastructure_encryption: bool
572
573
class EncryptionScopeSource(str, Enum):
574
"""Source of encryption keys."""
575
MICROSOFT_STORAGE = "Microsoft.Storage"
576
MICROSOFT_KEY_VAULT = "Microsoft.KeyVault"
577
578
class EncryptionScopeState(str, Enum):
579
"""State of encryption scope."""
580
ENABLED = "Enabled"
581
DISABLED = "Disabled"
582
583
class PrivateEndpointServiceConnectionStatus(str, Enum):
584
"""Status of private endpoint connection."""
585
PENDING = "Pending"
586
APPROVED = "Approved"
587
REJECTED = "Rejected"
588
```