MindFlavor / AzureSDKForRust

Microsoft Azure SDK for Rust
http://mindflavor.github.io/AzureSDKForRust
Apache License 2.0

Azure Service Principal #276

Closed cswinter closed 4 years ago

cswinter commented 4 years ago

Apologies if I didn't read the docs carefully enough, but is there a way to authenticate to Azure blobstore using a service principal?

MindFlavor commented 4 years ago

Unfortunately not at the moment. We will add it in the future though: it should be enough to pass the Authorization Bearer token received by AAD: https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory and ignore all the authorization code based on HMAC.

cswinter commented 4 years ago

Any idea when this might be available? If it's not too difficult to implement, I could probably spend a day or two trying to get this to work, though I would need some pointers.

MindFlavor commented 4 years ago

There is no fixed timeline, but as soon as I close #284 I will start working on this! The tracking PR is this one: https://github.com/MindFlavor/AzureSDKForRust/pull/287.

MindFlavor commented 4 years ago

Implemented in storage_core_0.44.0. I've only tested it with a couple of blob storage methods: if you find bugs please open another issue!

cswinter commented 4 years ago

Fantastic, will let you know if I run into any problems 🎉

cswinter commented 4 years ago

Actually, one question: I have the app id, tenant id and password for a service principal, and it looks like those should make it possible to obtain a bearer token from Azure Active Directory, but it's not super clear to me yet how to actually do that. Is this something supported by these crates, or do I need to use some other mechanism to obtain the bearer token?

MindFlavor commented 4 years ago

You can then spend this bearer token to create the Client and use it as usual. For example:

https://github.com/MindFlavor/AzureSDKForRust/blob/f746e3666da7dfdfbcc45d18534827a4565905e2/azure_sdk_storage_blob/examples/blob_02_bearer_token.rs#L26

The AAD workflows implemented right now are called interactive and non-interactive (but the names are not aligned to the docs: they are auth-code-flow and client-creds-grant-flow, I will change them in the future, see https://github.com/MindFlavor/AzureSDKForRust/issues/288).

You can try using this example to get a valid bearer token using client grant flow: azure_sdk_auth_aad/examples/non_interactive.rs. Let me know if it helps!
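The client-credentials exchange described above, written out as an added example that is not code from the AzureSDKForRust crates or the linked `non_interactive.rs`: it turns the service principal's tenant id, app (client) id and password into the token-endpoint request, and shows the `Authorization: Bearer` header that replaces the SharedKey HMAC signature. The v2.0 token endpoint and the `https://storage.azure.com/.default` scope are standard AAD values assumed here, not taken from the thread; the HTTP call itself is left to whatever client you use, so the block runs offline.

```rust
// Added example; not part of the AzureSDKForRust crates.
// Assumed: AAD v2.0 token endpoint and the Azure Storage scope.

/// Percent-encode one value for an application/x-www-form-urlencoded
/// body (unreserved bytes pass through, space becomes '+').
fn form_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9'
            | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Token endpoint URL and POST body for the client-credentials grant.
/// The secret travels only in the body: keep it out of URLs and logs.
fn client_credentials_request(tenant_id: &str, client_id: &str, client_secret: &str) -> (String, String) {
    let url = format!("https://login.microsoftonline.com/{}/oauth2/v2.0/token", tenant_id);
    let body = format!(
        "grant_type=client_credentials&client_id={}&client_secret={}&scope={}",
        form_encode(client_id),
        form_encode(client_secret),
        form_encode("https://storage.azure.com/.default"),
    );
    (url, body)
}

/// Authorization header value for the Storage REST API once the token
/// is obtained; no HMAC signing of the request is needed with it.
fn bearer_header(access_token: &str) -> String {
    format!("Bearer {}", access_token)
}

/// True when a token issued at `issued_at` (unix seconds) with
/// `expires_in` seconds of validity should be refreshed, keeping
/// `skew` seconds of margin so a request never carries a stale token.
fn needs_refresh(issued_at: u64, expires_in: u64, now: u64, skew: u64) -> bool {
    now + skew >= issued_at + expires_in
}

fn main() {
    // Constructed placeholder values, not real credentials.
    let (url, body) = client_credentials_request("TENANT-GUID", "APP-GUID", "app password");
    println!("POST {}\n{}", url, body);
    println!("{}", bearer_header("<access_token from the JSON response>"));
}
```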

cswinter commented 4 years ago

Got it, that's just what I was looking for, thanks for all the help! I've run into another problem now, will open a new issue.