
When working with AWS, if you use aws configure to log in, you can use the AWS SDK without exposing credentials in any programming language from your local machine. If anything is running inside AWS later (Lambda, EC2, whatever), the exact same code uses the IAM role assigned to the resource without any configuration.

I am trying to get the same to work with Azure; I thought that Azure.Identity.DefaultAzureCredential does this. But I can't even run my code locally:

    var blobServiceClient = new BlobServiceClient(storageUri, new DefaultAzureCredential());
    var containerClient = await blobServiceClient.CreateBlobContainerAsync("test-container");

How can I get a BlobServiceClient that authenticates using the CLI credentials on my local machine, and a managed identity if running inside an App Service?

quadroid

1 Answer


In your scenario, the DefaultAzureCredential you used is the best choice along with the BlobServiceClient, but it does not use CLI credentials to authenticate.

To make it work, just set the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET for your service principal. In Azure, it uses MSI to authenticate.


If you want to use CLI credentials to authenticate, there is AzureServiceTokenProvider. It can also access Azure Storage, but you cannot use it along with BlobServiceClient; you need to get the access token for the resource https://storage.azure.com,

var azureServiceTokenProvider2 = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider2.GetAccessTokenAsync("https://storage.azure.com").ConfigureAwait(false);

then use the access token to call the Storage REST API. I think the first option is more convenient; which one to use is up to you.

Joy Wang
  • Thanks for the suggestion, I cannot get the AzureServiceTokenProvider to work with my managed identities, even if they work on my local machine. The access token call always results in the following error: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"StatusCode":400,"Message":"No MSI found for specified ClientId/ResourceId.","CorrelationId":"5063fe91-5ee4-4685-ac01-731ad7a41abb"} – quadroid May 19 '20 at 15:41
  • @Console You used the system-assigned MSI or user-assigned MSI for your web app? Did you set the `AzureServicesAuthConnectionString` for your web app, for different scenarios, you need to set it with different values, follow https://learn.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#connection-string-support – Joy Wang May 20 '20 at 01:11
  • 1
    @Console If you used the system-assigned MSI, you need to use `RunAs=App`, if you used the user-assigned MSI, you need to use `RunAs=App;AppId={ClientId of user-assigned identity}`. Also make sure the `Microsoft.Azure.Services.AppAuthentication` you used is the latest version. – Joy Wang May 20 '20 at 01:15
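The two options the answer describes, worked through as one added example (this is editor-supplied code, not code from the question, the answer or either library's documentation). It assumes the NuGet packages Azure.Identity (1.2 or later, which is where DefaultAzureCredentialOptions.ManagedIdentityClientId is assumed to be available), Azure.Storage.Blobs and Microsoft.Azure.Services.AppAuthentication, and a placeholder storage account name "mystorageaccount"; the container names are also placeholders. The first method follows the answer's recommendation (service-principal environment variables locally, managed identity in App Service); the second gets a token from AzureServiceTokenProvider and calls the Blob REST API directly, using the RunAs connection-string values from the comments to pick the identity:

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.Azure.Services.AppAuthentication;

// Added example, not code from the question or the answer. Assumes the NuGet
// packages Azure.Identity (1.2 or later), Azure.Storage.Blobs and
// Microsoft.Azure.Services.AppAuthentication, and a placeholder storage
// account name "mystorageaccount".
public static class StorageAuthDemo
{
    private static readonly Uri StorageUri =
        new Uri("https://mystorageaccount.blob.core.windows.net");

    // Option 1 from the answer: DefaultAzureCredential.
    // Locally, set AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET for a
    // service principal; EnvironmentCredential (first in the chain) picks them up.
    // In App Service, leave AZURE_CLIENT_SECRET unset so the chain falls through
    // to ManagedIdentityCredential. For a user-assigned identity pass its client
    // id; null selects the system-assigned identity.
    public static async Task CreateContainerWithDefaultCredentialAsync(string containerName)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // AZURE_CLIENT_ID is reused here only as a convenient place to hold
            // the user-assigned identity's client id (assumption of this example).
            ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
        };
        var credential = new DefaultAzureCredential(options);
        var blobServiceClient = new BlobServiceClient(StorageUri, credential);

        // Fails with 403 (AuthorizationPermissionMismatch) unless the identity
        // holds a data-plane role such as Storage Blob Data Contributor on the
        // account; Owner/Contributor on the resource is not enough for data access.
        await blobServiceClient.CreateBlobContainerAsync(containerName);
    }

    // Option 2 from the answer: AzureServiceTokenProvider from
    // Microsoft.Azure.Services.AppAuthentication. Locally it uses the `az login`
    // session; in App Service it uses MSI. The AzureServicesAuthConnectionString
    // app setting selects the identity, as discussed in the comments on the
    // answer: "RunAs=App" for system-assigned, "RunAs=App;AppId=<client id>" for
    // user-assigned. The token is then sent as a bearer token to the Blob REST API.
    public static async Task CreateContainerWithRestAsync(string containerName)
    {
        var tokenProvider = new AzureServiceTokenProvider();
        // Trailing slash: the audience the Azure Storage docs give for AAD tokens.
        string accessToken = await tokenProvider
            .GetAccessTokenAsync("https://storage.azure.com/")
            .ConfigureAwait(false);

        using var http = new HttpClient();
        // PUT https://<account>.blob.core.windows.net/<container>?restype=container
        var request = new HttpRequestMessage(HttpMethod.Put,
            new Uri(StorageUri, $"/{containerName}?restype=container"))
        {
            Content = new ByteArrayContent(Array.Empty<byte>()), // explicit Content-Length: 0
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        request.Headers.Add("x-ms-version", "2019-12-12"); // OAuth needs 2017-11-09 or later
        request.Headers.Date = DateTimeOffset.UtcNow;

        using var response = await http.SendAsync(request).ConfigureAwait(false);
        response.EnsureSuccessStatusCode(); // 201 Created when the container is new
    }

    public static async Task Main()
    {
        await CreateContainerWithDefaultCredentialAsync("test-container");
        await CreateContainerWithRestAsync("test-container-rest");
    }
}
```

Two practitioner caveats. The service-principal secret that option 1 needs locally is a long-lived credential sitting in the developer's environment, so give that principal only the data-plane role it needs on the one storage account and rotate it; the managed identity path in App Service has no secret to leak. And the "No MSI found for specified ClientId/ResourceId" error quoted in the comments is what the MSI endpoint returns when the client id in the connection string does not match an identity actually attached to the web app, so verify the identity assignment on the App Service before changing code.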