question

MohammadAbdulkarimFneish-9290 asked KalyanChanumolu-MSFT commented

How to use the DefaultAzureCredential to authenticate a Managed Identity with CloudStorageAccount

Currently I'm using the following code to authenticate to the Azure Table Storage account using an account secret:

 _CloudStorageAccount = new CloudStorageAccount(
                 new StorageCredentials(azureStorageAccountName, azureStorageAccountKey), true);

Now I'm moving to authenticate using ManagedIdentity to the ATS service where I'm trying to use the DefaultAzureCredential class to do this but still cannot figure out how to use it with the CloudStorageAccount. Can you please help me with this?

Update:

 public DataStoreRepository(String azureStorageAccountName)
 {
     string storageURI = string.Format("https://{0}.table.core.windows.net/",
                                                 azureStorageAccountName);

     var azureServiceTokenProvider = new AzureServiceTokenProvider();

     // Get the initial access token and the interval at which to refresh it.
     var tokenAndFrequency = TokenRenewerAsync(azureServiceTokenProvider, CancellationToken.None).Result;

     // Create a TokenCredential which can be used to pass into the StorageCredentials constructor.
     var tokenCredential =
         new Microsoft.WindowsAzure.Storage.Auth.TokenCredential(tokenAndFrequency.Token,
                             TokenRenewerAsync,
                             azureServiceTokenProvider,
                             tokenAndFrequency.Frequency.Value);

     var storageCredentials = new StorageCredentials(tokenCredential);

     _CloudTableClient = new CloudTableClient(new Uri(storageURI), storageCredentials);
 }


 internal async Task<NewTokenAndFrequency> TokenRenewerAsync(Object state, CancellationToken cancellationToken)
 {
     // Note: you can also specify the root URI for your storage account.
     const string STORAGE_RESOURCE = "https://storage.azure.com/";

     var authResult = new DefaultAzureCredential().GetToken(new TokenRequestContext(
     new[] { STORAGE_RESOURCE }));

     // Renew the token 5 minutes before it expires.
     var next = (authResult.ExpiresOn - DateTimeOffset.UtcNow) - TimeSpan.FromMinutes(5);
     if (next.Ticks < 0)
     {
         next = default(TimeSpan);
         Console.WriteLine("Renewing token...");
     }

     // Return the new token and the next refresh time.
     return new NewTokenAndFrequency(authResult.Token + "+", next);
 }

I'm getting the token successfully with the above script but getting a Forbidden error message when trying to read data from ATS.

Regards


azure-managed-identity azure-table-storage

1 Answer

KalyanChanumolu-MSFT answered KalyanChanumolu-MSFT commented

@MohammadAbdulkarimFneish-9290 Welcome to Microsoft Q&A forums.

Support for Managed Identity authentication is not yet available for Table Storage.
It is available on blobs and queues as of now.
You should continue using the storageAccountKey.

Since you are using the CloudStorageAccount class, I figured you are using the Microsoft.Azure.Storage.
This is deprecated in favor of the new Azure.Data.Tables SDK.
Support for Managed Identity will be added to the new SDK only, so I recommend switching to this SDK.

Please let us know if you have any further questions.



Thanks @KalyanChanumolu-MSFT, I see your point, but on this page Microsoft says that it is now available but in preview, and I'm OK with that. So is it available or not? I'm confused now!


KalyanChanumolu-MSFT replied to MohammadAbdulkarimFneish-9290

@MohammadAbdulkarimFneish-9290 RBAC support for Azure Tables is currently in preview.
You can start using RBAC for access management from the Azure portal.

However, support for this feature needs to be implemented in the SDK before you can start using it for authentication.
This will usually happen once the feature graduates to public preview or is released to production.

I hope this clarifies. Please let us know if you have any further questions.


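The migration the answer recommends, sketched as an added example that is not code from this thread or from Microsoft: a repository built on Azure.Data.Tables with DefaultAzureCredential instead of an account key. It assumes an Azure.Data.Tables release whose clients accept a TokenCredential (the answer above says this was not yet available when it was written) and that the identity has been granted a table data role such as Storage Table Data Reader; the class shape and the ReadPartitionAsync helper are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Data.Tables;
using Azure.Identity;

public class DataStoreRepository
{
    private readonly string _accountName;
    private readonly TableClient _tableClient;

    // Only the account and table names are needed; no account key is stored or passed.
    public DataStoreRepository(string accountName, string tableName)
    {
        _accountName = accountName;
        var endpoint = new Uri($"https://{accountName}.table.core.windows.net/");

        // DefaultAzureCredential uses the managed identity when running in Azure and
        // falls back to developer logins locally. The client requests and renews
        // tokens itself, so no manual token-renewal callback is required.
        _tableClient = new TableClient(endpoint, tableName, new DefaultAzureCredential());
    }

    // Hypothetical helper: reads every entity in one partition.
    public async Task<List<TableEntity>> ReadPartitionAsync(string partitionKey)
    {
        var rows = new List<TableEntity>();

        // CreateQueryFilter quotes and escapes the interpolated value for OData.
        string filter = TableClient.CreateQueryFilter($"PartitionKey eq {partitionKey}");
        try
        {
            await foreach (TableEntity entity in _tableClient.QueryAsync<TableEntity>(filter))
            {
                rows.Add(entity);
            }
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // With token authentication, a 403 typically means the token was accepted
            // but the identity has no data-plane role on the account or table.
            throw new UnauthorizedAccessException(
                $"Access to tables in '{_accountName}' was denied ({ex.ErrorCode}). " +
                "Check the identity's table data role assignment.", ex);
        }
        return rows;
    }
}
```

Surfacing `ErrorCode` alongside the 403 helps separate a missing role assignment from other authorization failures when reviewing logs.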