Azure / azure-storage-python

Microsoft Azure Storage Library for Python
https://azure-storage.readthedocs.io
MIT License

Support retrieving access tokens from IMDS #590

Open swt2c opened 5 years ago

swt2c commented 5 years ago

Since it appears that Active Directory is the recommended way of controlling access to Azure Storage, it would be useful if azure-storage-python, when running on an Azure Virtual Machine, supported automatically retrieving access tokens from the Azure Instance Metadata Service (IMDS).

I'm willing to take a stab at implementing this functionality if it is something that would be accepted. The biggest question in my mind is: what would the API for enabling this mode look like in the constructor for, say, BaseBlobService?

zezha-msft commented 5 years ago

Hi @swt2c, thanks for reaching out!

Thanks a lot for offering to contribute, but we've established that such logic would not be part of the Storage SDK. In addition, I believe you could leverage components that are already written to authenticate with IMDS.

zezha-msft commented 5 years ago

@lmazuel any sample you could provide?

swt2c commented 5 years ago

I don't want to authenticate with IMDS, I just want to retrieve a token automatically from it. I already know how to do it, I just think that the library should support doing it automatically so the end user doesn't have to figure out and maintain that logic.

FYI - boto3 supports retrieving credentials from the IMDS. In fact, it does this automatically if you don't provide any credentials.

zezha-msft commented 5 years ago

Hi @swt2c, do you mean you wrote something similar to this sample?

Thanks for your feedback, I'll discuss it with the team.

swt2c commented 5 years ago

Yes, but as you suggested earlier, the msrestazure package can be used to do the same thing (and it already implements the recommended retry logic, etc.). It is probably worth noting in the documentation that users can get tokens from the IMDS just by doing the following:

import azure.storage.blob
from msrestazure.azure_active_directory import MSIAuthentication

# MSIAuthentication obtains a token for the named resource from the IMDS
# (with the recommended retry logic); the storage client sends it as a
# bearer token on each request.
bbs = azure.storage.blob.BlockBlobService(
    account_name='xyz',
    token_credential=MSIAuthentication(resource='https://storage.azure.com/'),
)

I would have never found that msrestazure package on my own. It drags in some additional dependencies, but it is probably worth it.
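The plumbing the thread asks the SDK to absorb, as an added example that is not part of the issue, of azure-storage-python or of msrestazure: call the documented IMDS token endpoint (`http://169.254.169.254/metadata/identity/oauth2/token`, `api-version=2018-02-01`, mandatory `Metadata: true` header, no HTTP proxy), retry the transient statuses the IMDS documentation lists with exponential backoff, and refresh the cached token shortly before `expires_on`. The `ImdsTokenCredential` class, its `.token` attribute (assumed to mirror the `token` attribute of azure-storage-common's `TokenCredential`), the five-minute refresh margin and the fake IMDS responses in `demo()` are all constructed for this example.

```python
"""Fetch, cache and refresh a managed-identity token from the Azure IMDS.

Added example; not code from azure-storage-python or msrestazure.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Documented IMDS token endpoint. It is link-local and reachable only from
# inside the VM; the `Metadata: true` header is mandatory and also stops a
# plain forwarded request (e.g. via an SSRF hop) from fetching a token.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
STORAGE_RESOURCE = "https://storage.azure.com/"

# Documented retry guidance: these statuses are transient; 400 (bad request,
# e.g. missing header) and 401/403 are not and should surface immediately.
RETRYABLE = {404, 410, 429, 500, 502, 503, 504}


def build_request(resource, api_version=IMDS_API_VERSION):
    """Return (url, headers) for an IMDS token request (pure, so testable)."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def parse_token_response(body):
    """Extract (access_token, expires_on) from the IMDS JSON; expires_on is a
    Unix timestamp delivered as a string."""
    data = json.loads(body)
    if data.get("token_type", "Bearer") != "Bearer":
        raise ValueError("unexpected token_type")
    return data["access_token"], int(data["expires_on"])


def default_http_get(url, headers, timeout=2.0):
    """Real transport: GET with an empty ProxyHandler so the request never
    goes through an HTTP proxy (IMDS must not be proxied). Returns (status,
    body); raises on network errors so the caller can retry."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


class ImdsTokenCredential:
    """Exposes `.token`, a bearer token string refreshed automatically.
    Transport, clock and sleep are injectable so the logic runs offline.
    Never log the value of `.token`: it is a bearer credential."""

    def __init__(self, resource=STORAGE_RESOURCE, http_get=default_http_get,
                 clock=time.time, sleep=time.sleep, max_attempts=5,
                 refresh_margin=300):  # assumption: refresh 5 min before expiry
        self.resource = resource
        self._http_get, self._clock, self._sleep = http_get, clock, sleep
        self._max_attempts, self._refresh_margin = max_attempts, refresh_margin
        self._access_token, self._expires_on = None, 0

    def _fetch(self):
        url, headers = build_request(self.resource)
        delay = 1.0
        for attempt in range(1, self._max_attempts + 1):
            try:
                status, body = self._http_get(url, headers)
            except (urllib.error.URLError, OSError):
                status, body = None, None  # network error: treat as transient
            if status == 200:
                return parse_token_response(body)
            if status is not None and status not in RETRYABLE:
                raise RuntimeError(f"IMDS returned HTTP {status}")
            if attempt == self._max_attempts:
                raise RuntimeError("IMDS token request failed after retries")
            self._sleep(delay)
            delay = min(delay * 2, 30.0)  # exponential backoff, capped

    @property
    def token(self):
        if (self._access_token is None
                or self._clock() >= self._expires_on - self._refresh_margin):
            self._access_token, self._expires_on = self._fetch()
        return self._access_token


def make_fake_imds(responses):
    """Constructed offline stand-in for IMDS: replays (status, body) pairs in
    order and records every request."""
    calls = []

    def fake_get(url, headers):
        calls.append((url, headers))
        return responses.pop(0)
    return fake_get, calls


def demo():
    """Throttled once, then success, then a cached read, then a refresh."""
    now = 1_700_000_000
    clock = [now]
    body1 = json.dumps({"access_token": "constructed-token-1", "token_type": "Bearer",
                        "expires_on": str(now + 3600), "resource": STORAGE_RESOURCE})
    body2 = json.dumps({"access_token": "constructed-token-2", "token_type": "Bearer",
                        "expires_on": str(now + 7200), "resource": STORAGE_RESOURCE})
    get, calls = make_fake_imds([(429, "throttled"), (200, body1), (200, body2)])
    cred = ImdsTokenCredential(http_get=get, clock=lambda: clock[0], sleep=lambda s: None)
    first = cred.token            # 429 -> retry -> 200
    second = cred.token           # served from cache, no request
    clock[0] = now + 3600 - 60    # inside the refresh margin
    third = cred.token            # refreshed
    return {"first": first, "second": second, "third": third, "calls": len(calls),
            "metadata_header": calls[0][1]["Metadata"], "url": calls[0][0]}


if __name__ == "__main__":
    print(demo())
```

On a real VM, drop the injected `http_get` and the object behaves like the `MSIAuthentication` usage above but with the request, retry and refresh logic visible; the `ProxyHandler({})` line matters because a `HTTP_PROXY` environment variable would otherwise send the link-local request to the proxy, where it fails or, worse, leaks the resource name.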