I am currently working on a copilot-based web application. As part of the application, users are required to log in using Azure Active Directory (AD). The application includes an Azure Function reading from blob storage.
Currently this Azure Function authenticates to blob storage using managed identity in Python (using the azure.identity package and the DefaultAzureCredential() class).
However, I want to change the authentication method for reading from blob storage to use a user-specific token (an OAuth2 token maybe?) instead of the managed identity. I am struggling to find the right Python package to use a token like this for blob storage, as I can't see any info in the azure.identity documentation about something like this.
Is there a way to authenticate blob storage access in Python using an OAuth2 token?
So far I have tried using managed identity, or adding Entra ID on top of the Azure Function, but this is too cumbersome as it requires extra login steps for users.
EDIT: Adding function code here as requested (apologies if the formatting isn't right):
from io import BytesIO

import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient


# Enclosing HTTP-trigger function (name assumed; the post shows only its body).
# account_name, container_name and blob_name are set earlier in the function (not shown).
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    # Managed identity of the Function App, not the calling user
    credential = DefaultAzureCredential()
    blob_service_client = BlobServiceClient(
        f"https://{account_name}.blob.core.windows.net", credential=credential
    )
    blob_client = blob_service_client.get_blob_client(
        container=container_name, blob=blob_name
    )
    download_stream = BytesIO()
    download_stream.write(blob_client.download_blob().readall())
    download_stream.seek(0)  # Reset the stream position
    return func.HttpResponse(
        download_stream.read(),
        mimetype="application/pdf",
        headers={"Content-Disposition": f"inline; filename={blob_name}"},
    )
What I want to change here is the type of credential: I want to use an OAuth2 token or something similar, and I am not sure what I have to change in terms of reading from blob. Thank you!
Use InteractiveBrowserCredential instead of DefaultAzureCredential for each user's authentication.
The code below worked for me. I am reading a text file.
function_app.py:
from io import BytesIO

import azure.functions as func
from azure.identity import InteractiveBrowserCredential
from azure.storage.blob import BlobServiceClient

app = func.FunctionApp()


@app.route(route="http_trigger", auth_level=func.AuthLevel.ANONYMOUS, methods=["GET"])
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    account_name = "xxxxxxxxxxx"
    container_name = "xxxxxxxxx"
    blob_name = "upload.txt"

    # Opens a browser on the machine running this code and signs the user in
    credential = InteractiveBrowserCredential()
    blob_service_client = BlobServiceClient(
        f"https://{account_name}.blob.core.windows.net", credential=credential
    )
    blob_client = blob_service_client.get_blob_client(
        container=container_name, blob=blob_name
    )
    download_stream = BytesIO()
    download_stream.write(blob_client.download_blob().readall())
    download_stream.seek(0)  # Reset the stream position
    return func.HttpResponse(
        download_stream.read(),
        mimetype="text/plain",
        headers={"Content-Disposition": f"inline; filename={blob_name}"},
    )
OUTPUT:
User account authentication.
Authentication complete
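InteractiveBrowserCredential launches a browser on the host that runs the code, so it suits local debugging of the function; in a deployed Function there is no browser, and the user's token has to arrive with the HTTP request instead. The example below is added here and is not code from either post. It shows the mechanism BlobServiceClient actually relies on: the credential argument is any object with a get_token(*scopes) method returning an azure.core.credentials.AccessToken, so a token the client already obtained for Azure Storage (scope https://storage.azure.com/.default) can be wrapped and passed straight in, making the blob read run as the signed-in user rather than as the Function's managed identity. The header name, the helper names, the audience set and the sample JWT are assumptions of this example; the sample token is constructed and unsigned, and the claim parsing deliberately does not verify the signature because Storage does that on every request, so no authorization decision is made on those claims here.

```python
import base64
import json
import time
from typing import Mapping, NamedTuple, Optional

try:
    from azure.core.credentials import AccessToken
except ImportError:  # fallback so the example also runs where the Azure SDK is absent
    class AccessToken(NamedTuple):
        token: str
        expires_on: int

# Scope the browser client must request so the token is usable against Azure Storage.
STORAGE_SCOPE = "https://storage.azure.com/.default"
# Audience values a Storage token carries (assumption: with and without trailing slash).
STORAGE_AUDIENCES = {"https://storage.azure.com", "https://storage.azure.com/"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.

    Used only for bookkeeping (expiry, audience). Azure Storage verifies the
    signature when the token is presented; never authorize on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def bearer_token_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Pull the bearer token out of the request's Authorization header."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


class UserTokenCredential:
    """Minimal TokenCredential that hands back a token the user already holds."""

    def __init__(self, token: str) -> None:
        claims = jwt_claims(token)
        if claims.get("aud") not in STORAGE_AUDIENCES:
            raise ValueError(
                f"token audience {claims.get('aud')!r} is not Azure Storage; "
                f"the client must request scope {STORAGE_SCOPE}"
            )
        self._token = token
        self._expires_on = int(claims["exp"])

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        # The SDK calls this before each request; refuse to send a stale token.
        if self._expires_on <= time.time():
            raise ValueError("user token has expired; the client must refresh it")
        return AccessToken(self._token, self._expires_on)


def token_problem(token: str) -> Optional[str]:
    """Return why a token cannot be used for Storage, or None if it is usable."""
    try:
        UserTokenCredential(token).get_token(STORAGE_SCOPE)
    except (ValueError, KeyError) as exc:
        return str(exc) or exc.__class__.__name__
    return None


def blob_client_for_user(account_name: str, user_token: str):
    """BlobServiceClient that acts as the user rather than as the function's identity."""
    from azure.storage.blob import BlobServiceClient  # imported here so the rest runs offline
    return BlobServiceClient(
        f"https://{account_name}.blob.core.windows.net",
        credential=UserTokenCredential(user_token),
    )


def constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for demonstration only (alg=none, empty signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed sample: what a Storage-scoped delegated token would carry.
SAMPLE_TOKEN = constructed_jwt(
    {"aud": "https://storage.azure.com", "exp": int(time.time()) + 3600, "oid": "user-object-id"}
)
```

Inside the trigger, `blob_client_for_user(account_name, bearer_token_from_headers(req.headers))` replaces the DefaultAzureCredential line, and the user's own RBAC assignment on the container (for example Storage Blob Data Reader) then decides whether the download succeeds. If the front end can only hand the function a token for the function's own app registration rather than for Storage, exchange it server-side with azure.identity's OnBehalfOfCredential instead of wrapping it directly.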