
I have experimented with accessing Azure Blob Storage using service principal credentials through the Python SDK and have some confusion I thought the community could help with.

#1 azure.common.credentials vs azure.identity
---------------------------------------------

I have noticed two different python packages in Azure having credential classes.

 - azure.common.credentials
 - azure.identity

What is the difference between the two, and when should one be used over the other? More specifically, when attempting to work with Azure service principals,

  • **azure.identity** provides both **ClientSecretCredential & CertificateCredential** so we can use either shared secret, or SSL certificate.

  • **azure.common.credentials** package provides only the **ServicePrincipalCredentials** class that needs a shared secret, and there is no counterpart for working with certificate credentials.

Am I missing something? I am looking to use a certificate-based service principal.

#2 ServicePrincipalCredentials works, but ClientSecretCredential fails
----------------------------------------------------------------------

My test code to access Azure storage works successfully with the ServicePrincipalCredentials class, but fails with the ClientSecretCredential class with the exception message: "'ClientSecretCredential' object has no attribute 'signed_session'"

Appreciate any help with understanding why. There is no difference in the code apart from instantiating the credentials to be one of the two classes above.

The #2 issue above is important mainly because of #1. I am looking to use certificate-based auth, but can't find a supporting class under azure.common.credentials.

Python environment details:

>python3 --version
Python 3.6.9

>pip3 freeze | grep -i azure
azure-common==1.1.25
azure-core==1.5.0
azure-identity==1.3.1
azure-mgmt-resource==9.0.0
azure-mgmt-storage==10.0.0
azure-storage-blob==12.3.1
msrestazure==0.6.3

Snippets from my code:

    # for credential classes
    from azure.identity import ClientSecretCredential
    from azure.identity import CertificateCredential

    # for storage & other resource mgmt classes
    from azure.mgmt.resource import ResourceManagementClient
    from azure.mgmt.storage import StorageManagementClient

    # params is the dict holding my configuration values (loading code not shown)
    tenant_id = params['tenant-id']
    client_id = params['client-id']
    client_secret = params['secret']
    subscription_id = params['subscription-id']

    # azure.identity credential (shared secret); this is the instance that fails with the
    # mgmt clients below, whereas azure.common.credentials.ServicePrincipalCredentials works
    creds = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)

    # create resource group
    resource_client = ResourceManagementClient(creds, subscription_id)

    # create storage group, access keys etc
    storage_client = StorageManagementClient(creds, subscription_id)

When attempting with a certificate rather than a secret, here is the code snippet for creating the credential instance; the rest of the code is the same.

    # path to the PEM file holding the service principal's certificate and private key
    client_keycert_path = params['cert-path']
    creds = CertificateCredential(tenant_id=tenant_id, client_id=client_id, certificate_path=client_keycert_path)
PAN

1 Answer

The current situation is misleading, I admit. Here are a few details as of today (monitor the situation here: https://github.com/Azure/azure-sdk-for-python/issues/9310):

  • For azure-storage-blob, azure.common is used for storage SDK <= 2.x, and azure-identity is used for storage SDK >= v12.x.
  • For any package starting with azure-mgmt-xxx, azure-common is still the official way. Check this issue for a workaround on how to write mgmt code that uses azure-identity: https://github.com/Azure/azure-sdk-for-python/issues/9310

This will change SOON, by summer 2020 mgmt SDKs should support azure-identity out of the box.

Hope this helps. Feel free to open an issue on GitHub too if there are further questions: https://github.com/Azure/azure-sdk-for-python/issues

(I work in the Azure SDK team at MS)

Laurent Mazuel
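The "no attribute 'signed_session'" error in the question comes from the two credential protocols not matching: the msrest-based azure-mgmt-* clients of that era call `credentials.signed_session()` and expect a `requests.Session` carrying an `Authorization` header, while azure-identity credentials (ClientSecretCredential, CertificateCredential) implement the azure-core protocol `get_token(*scopes)` and return an AccessToken. The workaround linked in the answer bridges the two. The following is an added example written for this page, not the SDK's code nor the snippet from the linked issue (which routes through azure-core's BearerTokenCredentialPolicy instead). `TokenCredentialAdapter` and `ConstructedCredential` are hypothetical names; the constructed credential only stands in for an azure.identity credential so the example runs offline, and the adapter assumes the two protocol contracts just described. It also handles the detail a bare shim tends to miss: the cached bearer token is re-requested shortly before it expires, rather than being sent until the service rejects it.

```python
import time
import types
from collections import namedtuple

# Shape of what azure-core credentials return from get_token();
# azure.core.credentials.AccessToken has the same two fields.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


class TokenCredentialAdapter:
    """Hypothetical adapter (not part of the Azure SDK): exposes the msrest
    credential protocol, signed_session(), on top of an azure-core
    TokenCredential, get_token(), so an azure.identity credential can be
    passed to an msrest-based azure-mgmt-* client."""

    def __init__(self, credential, resource="https://management.azure.com/", refresh_skew=300):
        self._credential = credential
        # azure-core expresses the audience as a scope: resource URI + "/.default"
        self._scope = resource.rstrip("/") + "/.default"
        # re-request the token this many seconds before it expires
        self._refresh_skew = refresh_skew
        self._cached = None

    def scope(self):
        return self._scope

    def get_access_token(self, now=None):
        """Return a cached AccessToken, fetching a fresh one when missing or
        within refresh_skew seconds of expiry."""
        now = time.time() if now is None else now
        if self._cached is None or self._cached.expires_on - now <= self._refresh_skew:
            self._cached = self._credential.get_token(self._scope)
        return self._cached

    def signed_session(self, session=None, now=None):
        """msrest contract: attach 'Authorization: Bearer <token>' to the
        session (creating a requests.Session when none is supplied)."""
        if session is None:
            import requests  # only needed on the real path; tests pass a session in
            session = requests.Session()
        token = self.get_access_token(now=now)
        session.headers["Authorization"] = "Bearer " + token.token
        return session


class ConstructedCredential:
    """Constructed stand-in for an azure.identity credential so the example
    runs offline: counts token requests and mints a labelled fake token that
    expires `lifetime` seconds after a fixed clock value."""

    def __init__(self, lifetime=3600):
        self.calls = 0
        self.now = 1600000000  # fixed clock keeps the example deterministic
        self.lifetime = lifetime

    def get_token(self, *scopes, **kwargs):
        self.calls += 1
        return AccessToken("constructed-token-%d" % self.calls, self.now + self.lifetime)


def demo():
    """Drive the adapter through first use, a cache hit, and a refresh.
    Returns (token requests made, header after each signed_session call)."""
    cred = ConstructedCredential()
    adapter = TokenCredentialAdapter(cred)
    session = types.SimpleNamespace(headers={})  # stands in for requests.Session
    t0 = cred.now
    adapter.signed_session(session, now=t0)                # no cache: first token request
    first = session.headers["Authorization"]
    adapter.signed_session(session, now=t0 + 60)           # still fresh: cached token reused
    second = session.headers["Authorization"]
    adapter.signed_session(session, now=t0 + 3600 - 100)   # inside the skew window: refreshed
    third = session.headers["Authorization"]
    return cred.calls, first, second, third


if __name__ == "__main__":
    print(demo())
```

In real use the adapter wraps the credential from the question, e.g. `ResourceManagementClient(TokenCredentialAdapter(CertificateCredential(...)), subscription_id)`, and the scope defaults to the ARM audience; a client for a different service needs that service's resource URI instead. Once mgmt SDKs accept azure-identity credentials directly, as the answer says is coming, the adapter is no longer needed.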
    Thank you. Appreciate the definitive answer; this closed weeks of uncertain explorations. I tried the workaround suggested, and it worked with azure.identity for both shared secret & cert based service principals. – PAN Jun 04 '20 at 21:04