Azure Storage Blobs client library for Python

Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data, such as text or binary data.

Blob storage is ideal for:

• Serving images or documents directly to a browser
• Storing files for distributed access
• Streaming video and audio
• Storing data for backup and restore, disaster recovery, and archiving
• Storing data for analysis by an on-premises or Azure-hosted service

Source code | Package (PyPI) | Package (Conda) | API reference documentation | Product documentation | Samples

Getting started

Prerequisites

• Python 3.9 or later is required to use this package. For more details, please read our page on Azure SDK for Python version support policy.
• You must have an Azure subscription and an Azure storage account to use this package.

Install the package

Install the Azure Storage Blobs client library for Python with pip:

pip install azure-storage-blob

Create a storage account

If you wish to create a new storage account, you can use the Azure Portal, Azure PowerShell, or Azure CLI:

# Create a new resource group to hold the storage account -
# if using an existing resource group, skip this step
az group create --name my-resource-group --location westus2

# Create the storage account
az storage account create -n my-storage-account-name -g my-resource-group

Create the client

The Azure Storage Blobs client library for Python allows you to interact with three types of resources: the storage account itself, blob storage containers, and blobs. Interaction with these resources starts with an instance of a client. To create a client object, you will need the storage account's blob service account URL and a credential that allows you to access the storage account:

from azure.storage.blob import BlobServiceClient

service = BlobServiceClient(account_url="https://<my-storage-account-name>.blob.core.windows.net/", credential=credential)

Looking up the account URL

You can find the storage account's blob service URL using the Azure Portal, Azure PowerShell, or Azure CLI:

# Get the blob service account url for the storage account
az storage account show -n my-storage-account-name -g my-resource-group --query "primaryEndpoints.blob"

Types of credentials

The credential parameter may be provided in a number of different forms, depending on the type of authorization you wish to use:

1. To use an Azure Active Directory (AAD) token credential, provide an instance of the desired credential type obtained from the azure-identity library. For example, DefaultAzureCredential can be used to authenticate the client.

   This requires some initial setup:

   • Install azure-identity
   • Register a new AAD application and give permissions to access Azure Storage
   • Grant access to Azure Blob data with RBAC in the Azure Portal
   • Set the values of the client ID, tenant ID, and client secret of the AAD application as environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET

   Use the returned token credential to authenticate the client:

   from azure.identity import DefaultAzureCredential
   from azure.storage.blob import BlobServiceClient
   token_credential = DefaultAzureCredential()
   
   blob_service_client = BlobServiceClient(
       account_url="https://<my_account_name>.blob.core.windows.net",
       credential=token_credential
   )
   

2. To use a shared access signature (SAS) token, provide the token as a string. If your account URL includes the SAS token, omit the credential parameter. You can generate a SAS token from the Azure Portal under "Shared access signature" or use one of the generate_sas() functions to create a sas token for the storage account, container, or blob:

   from datetime import datetime, timedelta
   from azure.storage.blob import BlobServiceClient, generate_account_sas, ResourceTypes, AccountSasPermissions
   
   sas_token = generate_account_sas(
       account_name="<storage-account-name>",
       account_key="<account-access-key>",
       resource_types=ResourceTypes(service=True),
       permission=AccountSasPermissions(read=True),
       expiry=datetime.utcnow() + timedelta(hours=1)
   )
   
   blob_service_client = BlobServiceClient(account_url="https://<my_account_name>.blob.core.windows.net", credential=sas_token)
   

3. To use a storage account shared key (aka account key or access key), provide the key as a string. This can be found in the Azure Portal under the "Access Keys" section or by running the following Azure CLI command:

   az storage account keys list -g MyResourceGroup -n MyStorageAccount

   Use the key as the credential parameter to authenticate the client:

   from azure.storage.blob import BlobServiceClient
   service = BlobServiceClient(account_url="https://<my_account_name>.blob.core.windows.net", credential="<account_access_key>")
   

   If you are using customized url (which means the url is not in this format <my_account_name>.blob.core.windows.net), please instantiate the client using the credential below:

   from azure.storage.blob import BlobServiceClient
   service = BlobServiceClient(account_url="https://<my_account_name>.blob.core.windows.net", 
      credential={"account_name": "<your_account_name>", "account_key":"<account_access_key>"})
   

4. To use anonymous public read access, simply omit the credential parameter.

Creating the client from a connection string

Depending on your use case and authorization method, you may prefer to initialize a client instance with a storage connection string instead of providing the account URL and credential separately. To do this, pass the storage connection string to the client's from_connection_string class method:

from azure.storage.blob import BlobServiceClient

connection_string = "DefaultEndpointsProtocol=https;AccountName=xxxx;AccountKey=xxxx;EndpointSuffix=core.windows.net"
service = BlobServiceClient.from_connection_string(conn_str=connection_string)

The connection string to your storage account can be found in the Azure Portal under the "Access Keys" section or by running the following CLI command:

az storage account show-connection-string -g MyResourceGroup -n MyStorageAccount

Key concepts

The following components make up the Azure Blob Service:

• The storage account itself
• A container within the storage account
• A blob within a container

The Azure Storage Blobs client library for Python allows you to interact with each of these components through the use of a dedicated client object.

Clients

Four different clients are provided to interact with the various components of the Blob Service:

1. BlobServiceClient - this client represents interaction with the Azure storage account itself, and allows you to acquire preconfigured client instances to access the containers and blobs within. It provides operations to retrieve and configure the account properties as well as list, create, and delete containers within the account. To perform operations on a specific container or blob, retrieve a client using the get_container_client or get_blob_client methods.
2. ContainerClient - this client represents interaction with a specific container (which need not exist yet), and allows you to acquire preconfigured client instances to access the blobs within. It provides operations to create, delete, or configure a container and includes operations to list, upload, and del