authentication, credentials, azure-data-lake-gen2, azure-python-sdk, access-keys

Azure storage account shared access key used in ChainedTokenCredential for client authentication in Python SDK?


I've managed to authenticate into my data lake in my storage account from Python using a shared access key, but now I'm trying to chain together multiple authentication methods, namely the Managed Identity with the access key. However, I couldn't find a solution for including the access key credential in the ChainedTokenCredential. Any idea or advice?

Using shared access key works:

service_client = DataLakeServiceClient(account_url, credential=account_key)

What setup shall I use to chain the access key credential into:

credential_chain = ChainedTokenCredential(ManagedIdentityCredential(),<access key credential>)
service_client = DataLakeServiceClient(account_url, credential=credential_chain)
service_client.get_service_properties() # to check the client authentication

so essentially I want to make this line work (the chaining with a single credential type):

credential_chain = ChainedTokenCredential(<access key credential>)


Solution

  • However, I couldn't find a solution for including the access key credential in the ChainedTokenCredential. Any idea or advice?

    No, it is not possible to use the access key credential in the ChainedTokenCredential.

    ChainedTokenCredential is designed to chain multiple token-based credentials like ManagedIdentityCredential, AzureCliCredential, and ClientSecretCredential. These credentials retrieve access tokens from Azure Active Directory, which are then used to authenticate with Azure services. An access key credential, by contrast, is not a token-based credential; it uses a shared access key to authenticate with Azure services directly.

    You can use Managed Identity and Azure CLI with ChainedTokenCredential in code.

    Code:

    from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, AzureCliCredential
    from azure.storage.filedatalake import DataLakeServiceClient
    
    account_url = "https://venkat123.dfs.core.windows.net"
    managed_identity = ManagedIdentityCredential()
    azure_cli = AzureCliCredential()
    credential_chain = ChainedTokenCredential(managed_identity, azure_cli)
    service_client = DataLakeServiceClient(account_url, credential=credential_chain)
    properties = service_client.get_service_properties()
    analytics_logging = properties['analytics_logging']
    print(analytics_logging)
    

    Output:

    {'version': '1.0', 'delete': False, 'read': False, 'write': False, 'retention_policy': <azure.storage.filedatalake._models.RetentionPolicy object at 0x000002F9BE87EE10>}
    


    Reference: Azure Identity 301 - ChainedTokenCredential | Jon Gallant
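
Because the account key cannot go inside ChainedTokenCredential, the fallback the question asks for has to happen one level up, when the client is built. The following is an added example, not code from the original post or from the Azure SDK: `first_working_client` and `connect` are hypothetical helper names, and the candidate labels `token-chain` and `shared-key` are made up for illustration.

```python
import logging

log = logging.getLogger("datalake_auth")


def first_working_client(account_url, candidates, make_client, probe, auth_errors):
    """Return (name, client) for the first candidate credential that passes probe().

    candidates is an ordered list of (name, credential). A credential may be a
    token credential (a ChainedTokenCredential included) or an account key string.
    """
    failures = []
    for name, credential in candidates:
        client = make_client(account_url, credential)
        try:
            probe(client)  # clients authenticate lazily, so force one real request
        except auth_errors as exc:
            failures.append(f"{name}: {type(exc).__name__}")
            continue
        if name == "shared-key":
            # The account key is not tied to an identity; make its use visible.
            log.warning("authenticated to %s with the shared key fallback", account_url)
        return name, client
    raise RuntimeError("no credential authenticated: " + "; ".join(failures))


def connect(account_url, account_key=None):
    """Try Managed Identity, then Azure CLI, then (optionally) the account key."""
    # Imported here so the fallback logic above can be tested without the SDK.
    from azure.core.exceptions import ClientAuthenticationError, HttpResponseError
    from azure.identity import (AzureCliCredential, ChainedTokenCredential,
                                ManagedIdentityCredential)
    from azure.storage.filedatalake import DataLakeServiceClient

    chain = ChainedTokenCredential(ManagedIdentityCredential(), AzureCliCredential())
    candidates = [("token-chain", chain)]
    if account_key:
        candidates.append(("shared-key", account_key))
    return first_working_client(
        account_url,
        candidates,
        make_client=lambda url, cred: DataLakeServiceClient(url, credential=cred),
        probe=lambda client: client.get_service_properties(),
        auth_errors=(ClientAuthenticationError, HttpResponseError),
    )
```

`connect(account_url, account_key)` returns which candidate succeeded along with the client, so callers can record or alert on shared-key use.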