pythonazure-functionsazure-blob-storageazure-identity

How can I authenticate access to blob storage in Python using an OAuth2 token?


I am currently working on a copilot based web application. As part of the application, users are required to login using Azure Active Directory (AD). The application includes an azure function reading to blob storage.

Currently this azure function is authentication to blob storage using managed identity in python (using the azure.identity package and the defaultAzureCredential() method).

However, I want to change the authentication method for reading from blob storage to use a user specific token (OAuth2 token maybe?) instead of the managed identity. Struggling to find the right python package to use a token like this for blob storage as I can't see any info in the azure.identity documentation about something like this.

Is there a way to authenticate blob storage access in Python using an OAuth2 function?

Have tried so far using managed identity, or adding entra id on top of the azure function but this is too cumbersome as it requires extra login steps for users

EDIT: Adding function code here as requested (apologies if the formatting isn't right):

    credential = DefaultAzureCredential()

    blob_service_client = BlobServiceClient(
        f"https://{account_name}.blob.core.windows.net", credential=credential
    )

    blob_client = blob_service_client.get_blob_client(
        container=container_name, blob=blob_name
    )

    download_stream = BytesIO()
    download_stream.write(blob_client.download_blob().readall())
    download_stream.seek(0)  # Reset the stream position

    return func.HttpResponse(
        download_stream.read(),
        mimetype="application/pdf",
        headers={"Content-Disposition": f"inline; filename={blob_name}"},
    )

What I want to change here is the type of credential - I want to use an OAuth2 token/something similar and am not sure what I have to change in terms of reading from blob. Thank you!


Solution

  • Use InteractiveBrowserCredential Instead of DefaultAzureCredential method for each users authentication.

    Below given code worked for me.

    I am reading a text file.

    function_app.py:

    from io import BytesIO
    import azure.functions as func
    from azure.identity import InteractiveBrowserCredential, DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient
    
    app = func.FunctionApp()
    
    
    
    @app.route(route="http_trigger", auth_level=func.AuthLevel.ANONYMOUS, methods= ['get'])
    def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
        
        account_name = "xxxxxxxxxxx"
        container_name = "xxxxxxxxx"
        blob_name = "upload.txt"
        
    
        credential= InteractiveBrowserCredential()
    
        blob_service_client = BlobServiceClient(
            f"https://{account_name}.blob.core.windows.net", credential=credential
        )
    
        blob_client = blob_service_client.get_blob_client(
            container=container_name, blob=blob_name
        )
    
        download_stream = BytesIO()
        download_stream.write(blob_client.download_blob().readall())
        download_stream.seek(0)  # Reset the stream position
    
        return func.HttpResponse(
            download_stream.read(),
            mimetype="text/plain",
            headers={"Content-Disposition": f"inline; filename={blob_name}"},
        )
    

    OUTPUT:

    User account authentication.

    Authentication complete