Is your feature request related to a problem? Please describe.
The current connector does not support managed identity or MSI when using the TransientStorage export option (only SAS or account keys are supported).
This is a problem since MS SFI guidelines require disabling access keys and using MSI instead.
Using ";impersonate" in the SAS property let me use the system-assigned managed identity to write the exported files into my storage account, but reading from it fails since there is no authentication key provided with the read request from the storage account.

Describe the solution you'd like
Remove the SAS and access key property validation and let the user provide credentials. If nothing is provided, use the default credentials with the ";impersonate" method to read and export from Kusto, and the same credentials to read the exported files from the provided storage account.
For example:

```python
# Proposed shape: the credentials entry carries no SAS or account key.
transientStorage = "{ \"storageCredentials\" : [ { \
    \"storageAccountName\": \"1jdldsdke2etestcluster01\",\
    \"blobContainer\": \"20221225-exportresults-0\"\
  } ],\"endpointSuffix\" : \"core.windows.net\" }"
...
option("transientStorage", transientStorage). \
```

Since Kusto supports this kind of authentication, using the ";impersonate" keyword to pass the requestor's token or ";managed_identity=" to use a separate managed identity, the solution should use those in some way.
As described here

Describe alternatives you've considered
Using a User Delegated SAS token with a validity of up to 1hr is compliant with SFI requirements, but it makes the users' code much more complex.
In addition, supplying ";impersonate" in the SAS property didn't fully work.
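
A sketch of the credential fallback this request asks for, as an added example that is not the connector's code: each `storageCredentials` entry maps to a Kusto storage connection string, falling back to `;impersonate` when no secret is supplied. The key names `sasUrl` and `storageAccountKey`, both function names and the redaction helper are assumptions made for illustration.

```python
import json

def resolve_export_targets(transient_storage_json, managed_identity=None):
    """Map each storageCredentials entry to (Kusto connection string, auth mode)."""
    cfg = json.loads(transient_storage_json)
    suffix = cfg.get("endpointSuffix", "core.windows.net")
    targets = []
    for cred in cfg.get("storageCredentials", []):
        # "sasUrl" and "storageAccountKey" are assumed key names for the secret-based options.
        if cred.get("sasUrl"):
            targets.append((cred["sasUrl"], "sas"))
            continue
        account, container = cred.get("storageAccountName"), cred.get("blobContainer")
        if not account or not container:
            raise ValueError("storageAccountName and blobContainer are required")
        base = f"https://{account}.blob.{suffix}/{container}"
        if cred.get("storageAccountKey"):
            targets.append((f"{base};{cred['storageAccountKey']}", "account_key"))
        elif managed_identity:
            # A separate managed identity, e.g. "system" or an object id.
            targets.append((f"{base};managed_identity={managed_identity}", "managed_identity"))
        else:
            # Nothing supplied: pass the requestor's token, as the issue proposes.
            targets.append((f"{base};impersonate", "impersonate"))
    return targets

def redact(connection_string, mode):
    """Hide secrets before a connection string reaches logs."""
    if mode == "sas":
        return connection_string.split("?", 1)[0] + "?<redacted>"
    if mode == "account_key":
        return connection_string.split(";", 1)[0] + ";<redacted>"
    return connection_string  # impersonate / managed_identity carry no secret

# Constructed sample: the secretless configuration from the issue.
SAMPLE = json.dumps({
    "storageCredentials": [{"storageAccountName": "1jdldsdke2etestcluster01",
                            "blobContainer": "20221225-exportresults-0"}],
    "endpointSuffix": "core.windows.net"})

if __name__ == "__main__":
    for conn, mode in resolve_export_targets(SAMPLE):
        print(mode, redact(conn, mode))
```

The same resolved identity would also have to authenticate the read of the exported blobs, which is the half the issue reports as failing today.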