How to use the DefaultAzureCredential to authenticate a Managed Identity with CloudStorageAccount

Mohammad Abdulkarim Fneish 1 Reputation point
2021-10-30T21:51:24.163+00:00

Currently I'm using the following code to authenticate to the Azure Table Storage account using an account secret:

_CloudStorageAccount = new CloudStorageAccount(
    new StorageCredentials(azureStorageAccountName, azureStorageAccountKey), true);

Now I'm moving to authenticate using Managed Identity to the ATS service, where I'm trying to use the DefaultAzureCredential class to do this, but I still cannot figure out how to use it with the CloudStorageAccount. Can you please help me with this?

Update:

using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Table;

public DataStoreRepository(String azureStorageAccountName)
{
    string storageURI = string.Format("https://{0}.table.core.windows.net/", azureStorageAccountName);

    var azureServiceTokenProvider = new AzureServiceTokenProvider();

    // Get the initial access token and the interval at which to refresh it.
    var tokenAndFrequency = TokenRenewerAsync(azureServiceTokenProvider, CancellationToken.None).Result;

    // Create a TokenCredential which can be used to pass into the StorageCredentials constructor.
    // The storage library's TokenCredential is fully qualified to avoid a clash with Azure.Core.TokenCredential.
    var tokenCredential = new Microsoft.WindowsAzure.Storage.Auth.TokenCredential(
        tokenAndFrequency.Token,
        TokenRenewerAsync,
        azureServiceTokenProvider,
        tokenAndFrequency.Frequency.Value);

    var storageCredentials = new StorageCredentials(tokenCredential);

    _CloudTableClient = new CloudTableClient(new Uri(storageURI), storageCredentials);
}

internal async Task<NewTokenAndFrequency> TokenRenewerAsync(Object state, CancellationToken cancellationToken)
{
    // Azure.Identity expects a scope, so the storage resource carries the "/.default" suffix.
    // Note: you can also specify the root URI for your storage account.
    const string STORAGE_SCOPE = "https://storage.azure.com/.default";

    // DefaultAzureCredential uses the managed identity when running in Azure and
    // developer credentials (Azure CLI, Visual Studio, ...) when running locally.
    var authResult = await new DefaultAzureCredential().GetTokenAsync(
        new TokenRequestContext(new[] { STORAGE_SCOPE }), cancellationToken);

    // Renew the token 5 minutes before it expires.
    var next = (authResult.ExpiresOn - DateTimeOffset.UtcNow) - TimeSpan.FromMinutes(5);
    if (next.Ticks < 0)
    {
        next = default(TimeSpan);
        Console.WriteLine("Renewing token...");
    }

    // Return the bearer token unchanged (any extra characters appended to it would make it invalid)
    // together with the next refresh time.
    return new NewTokenAndFrequency(authResult.Token, next);
}

I'm getting the token successfully with the above script but getting a Forbidden error message when trying to read data from ATS.

Regards


1 answer

  1. KalyanChanumolu-MSFT 8,351 Reputation points
    2021-10-31T06:56:02.907+00:00

    @Mohammad Abdulkarim Fneish Welcome to Microsoft Q&A forums.

    Support for Managed Identity authentication is not yet available for Table Storage.
    It is available on blobs and queues as of now.
    You should continue using the storageAccountKey.

    Since you are using the CloudStorageAccount class, I figured you are using the Microsoft.Azure.Storage.
    This is deprecated in favor of the new Azure.Data.Tables SDK.
    Support for Managed Identity will be added to the new SDK only, so I recommend switching to this SDK.

    Please let us know if you have any further questions.

    ----------

    Just checking in to see if the answer(s) helped.
    If an answer is helpful, please accept or upvote it, which might help other community members reading this thread.
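As an added example that is not part of the original question or answer: the same repository written against the Azure.Data.Tables SDK that the answer recommends. Its TableServiceClient accepts an Azure.Identity DefaultAzureCredential directly, so the manual token-renewal plumbing from the question is no longer needed. The storage account name, table name and keys passed in are placeholders. One check worth knowing when the token is obtained successfully but the service still answers 403 Forbidden: obtaining a token and being authorized are separate steps, and the identity must additionally hold a data-plane RBAC role such as Storage Table Data Reader or Storage Table Data Contributor on the storage account.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Data.Tables;
using Azure.Identity;

public class TableRepository
{
    private readonly TableClient _table;

    public TableRepository(string storageAccountName, string tableName)
    {
        // Table service endpoint; the account name is the only configuration needed,
        // no account key is stored anywhere in the application.
        var endpoint = new Uri($"https://{storageAccountName}.table.core.windows.net");

        // DefaultAzureCredential picks the managed identity when running in Azure and
        // falls back to developer credentials (Azure CLI, Visual Studio, ...) locally.
        var serviceClient = new TableServiceClient(endpoint, new DefaultAzureCredential());
        _table = serviceClient.GetTableClient(tableName);
    }

    public async Task<TableEntity> GetAsync(string partitionKey, string rowKey)
    {
        try
        {
            Response<TableEntity> response =
                await _table.GetEntityAsync<TableEntity>(partitionKey, rowKey);
            return response.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A valid token alone is not enough: the identity also needs a Table data-plane
            // role (e.g. Storage Table Data Reader) on the account, otherwise the service returns 403.
            throw new InvalidOperationException(
                "Authenticated, but the identity lacks a Table data role on the storage account.", ex);
        }
    }

    public static async Task Main()
    {
        // Placeholder names; replace with a real account and table.
        var repo = new TableRepository("mystorageaccount", "customers");
        TableEntity entity = await repo.GetAsync("partition1", "row1");
        Console.WriteLine($"Read entity with {entity.Count} properties.");
    }
}
```

The 403 handler is deliberately narrow: a 401 would indicate a bad or missing token, whereas 403 after a successful token request almost always points at a missing role assignment, which is the situation described in the question.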
