This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License
Scope of permissions to storage for Document Translation's Managed Identity #33942
The Managed Identities for Document Translation guide states that one has to assign a role of Storage Blob Data Contributor in a storage scope to the MI of the Translator service. It is quite a high-level permission, especially given the use case of translating single files.
Since the mentioned use case implies a whole flow of managing related blobs, it would be great for the DocumentTranslationClient's begin_translation() method to simply mimic the behavior of DocumentAnalysisClient's class begin_analyze_document() with its acceptance of files as IO[bytes].
Although I understand its purpose is to be more container-batch oriented, so to lower the access scope demand down to specific containers would be just as fine. Would you be willing to consider it?
Additionally, I think that the particulars regarding the permission scopes should be more visible in documentation :)