Open ItalyPaleAle opened 4 years ago
Agree, it would be nice if there was an option to use Authorizer just like the rest of the Azure SDK: https://github.com/Azure/azure-sdk-for-go#authentication
@ItalyPaleAle @lukaszbudnik FWIW this SDK uses a different underlying transport mechanism to the regular Azure SDK for Go which is why these aren't compatible with the SharedKey and the Bearer (AzureAD auth) Token Authorizer found in that package. I appreciate it's a little cheeky to cross-link here - but I think it's relevant to the problem at hand:
For various reasons we ended up implementing an alternate SDK for the Azure Storage APIs (Giovanni) which uses the same underlying transport layer as the main Azure SDK for Go - including the SharedKey authorizer and the Bearer (AzureAD auth) Token Authorizer both of which work with the Storage APIs and may be what you're looking for here?
Hope that helps!
Hey Tom, I tried your SDK but it didn't work for me. Aside from some issues getting started (the documentation isn't complete, and there was an issue with the sample code showing authentication), it was lacking some features I absolutely needed, such as the ability to download a file into a stream (io.Reader rather than a byte slice).
I was able to figure out how to use an Azure AD token with the official Storage SDK. As soon as I clean up the code I'll post a Gist and add a link here.
Here's the Gist: https://gist.github.com/ItalyPaleAle/ec6498bfa81a96f9ca27a2da6f60a770
Hopefully it can help others
@ItalyPaleAle cool, glad to hear you got this one working 👍
good to know, quick question - does it work with MSI?
@lukaszbudnik this works for MSI, just spent 2 hours trying to figure this out with a coworker.
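```go
import (
	"github.com/Azure/azure-storage-blob-go/azblob"
	"github.com/Azure/go-autorest/autorest/azure/auth"
)

func getAzureStorageCredentials() (azblob.Credential, error) {
	// Request a managed identity (MSI) token for the Storage resource
	msiConfig := auth.NewMSIConfig()
	msiConfig.Resource = "https://storage.azure.com"
	azureServicePrincipalToken, err := msiConfig.ServicePrincipalToken()
	if err != nil {
		return nil, err
	}
	// Get a new token
	if err := azureServicePrincipalToken.Refresh(); err != nil {
		return nil, err
	}
	token := azureServicePrincipalToken.Token()
	// Credential object; the nil refresher means the token is not renewed automatically
	credential := azblob.NewTokenCredential(token.AccessToken, nil)
	return credential, nil
}
```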
@guitmz that actually worked - thanks a million!
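Added example (not part of any comment in this thread, and not SDK code): a standard-library-only diagnostic that decodes an Azure AD access token, such as `token.AccessToken` from the snippet above, and checks that its `aud` claim matches the `https://storage.azure.com` resource and that it has not expired. The names `CheckStorageToken` and `sampleToken` and the sample token are constructed for illustration; the signature is deliberately not verified, so this is a local sanity check only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const storageAudience = "https://storage.azure.com" // resource requested in the thread's snippet
type claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
// CheckStorageToken decodes the JWT payload WITHOUT verifying the signature
// (a local diagnostic only) and returns the lifetime left at time now.
func CheckStorageToken(accessToken string, now time.Time) (time.Duration, error) {
	parts := strings.Split(accessToken, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return 0, fmt.Errorf("payload is not JSON: %w", err)
	}
	// Tolerate a trailing slash on the audience (assumption: both forms occur).
	if strings.TrimSuffix(c.Aud, "/") != storageAudience {
		return 0, fmt.Errorf("audience %q is not %q", c.Aud, storageAudience)
	}
	if left := time.Unix(c.Exp, 0).Sub(now); left > 0 {
		return left, nil
	}
	return 0, fmt.Errorf("token has expired")
}

// sampleToken builds an unsigned, constructed token for the demo and test.
func sampleToken(aud string, exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(claims{Aud: aud, Exp: exp.Unix()})
	return enc([]byte(`{"alg":"none"}`)) + "." + enc(body) + ".sig"
}

func main() {
	fmt.Println(CheckStorageToken(sampleToken(storageAudience, time.Now().Add(time.Hour)), time.Now()))
}
```

Because the snippet above passes `nil` as the token refresher, the returned lifetime is how long that credential will keep working before a new one has to be built.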
Using the SDK version v38.2.0, I cannot find a way to authorize the storage SDK using Azure AD.
I'd like to use Azure SDK for Go (not storage) and authorize access to other services using a service principal (via env vars `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`). This doesn't seem to be possible using the Blob Storage SDK for Go, however. I have found in the code the `NewTokenCredential` class which seems to be related, but I can't find any information on how to use it (if it's actually related).