Use Azure CLI for resource lock operations on Azure Cosmos DB for Table tables

APPLIES TO: Table

The script in this article demonstrates performing resource lock operations for an API for Table table.

Important

To enable resource locking, the Azure Cosmos DB account must have the disableKeyBasedMetadataWriteAccess property enabled. This property prevents any changes to resources from clients that connect via account keys, such as the Azure Cosmos DB Table SDK, Azure Storage Table SDK, or Azure portal. For more information, see Preventing changes from SDKs.

Prerequisites

  • You need an Azure Cosmos DB for Table account, database, and table created. If you don't have an Azure trail subscription, create a trial subscription before you begin.

    Important

    To create or delete resource locks, you must have the Owner role in your Azure subscription.

  • This script requires Azure CLI version 2.12.1 or later.

    Note

    Before you can use Azure CLI in Microsoft Azure operated by 21Vianet, please run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.

    You can use az account set to sign in with a different subscription, replacing <subscriptionId> with your Azure subscription ID.

    subscription="<subscriptionId>" # add subscription here
    
    az account set -s $subscription # ...or use 'az login'
    

Sample script

The following script uses Azure CLI az lock commands to manipulate resource locks on your Azure Cosmos DB for Table table. The script needs the resourceGroup, account name, and table name for the Azure Cosmos DB account and table you created.

  • az lock create creates a CanNotDelete resource lock on the table.
  • az lock list lists all the lock information for your Azure Cosmos DB Table account.
  • az lock delete uses az lock show to get the id of the lock on your table, and then uses the lockid property to delete the lock.
# Resource lock operations for a Table API table

# Subscription owner permissions required for this script

# Run this script after running
# "https://docs.azure.cn/cosmos-db/scripts/cli/table/create#sample-script"

# Variable block
# Use values from prerequisite script or from your environment
# resourceGroup="your resource group name"
# account="your account name"
# table="your table name"

lockType='CanNotDelete' # CanNotDelete or ReadOnly
tableParent="databaseAccounts/$account"
tableResourceType="Microsoft.DocumentDB/tables"
tableLock='$table-Lock'

# Create a delete lock on table
echo "Creating $lockType lock on $table"
az lock create --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --lock-type $lockType --parent $tableParent --resource $table 

# List all locks on a Cosmos account
echo "Listing locks on $account"
az lock list --resource-group $resourceGroup --resource-name $account --namespace Microsoft.DocumentDB --resource-type databaseAccounts

# Delete lock on table
echo "Deleting $tableLock on $table"
lockid=$(az lock show --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --resource $table --parent $tableParent --output tsv --query id)
az lock delete --ids $lockid
# </FullScript>

# echo "Deleting all resources"
# az group delete --name $resourceGroup -y

Clean up resources

If you no longer need the resources you created, use the az group delete command to delete the resource group and all resources it contains. These resources include the Azure Cosmos DB account and table. The resources might take a while to delete.

az group delete --name $resourceGroup

Next steps