1
votes

I'm looking for a way to authenticate a user against an Azure blob container. The sample code (yep, newbie alert) works just fine, using an access key for the storage account, but that feels uncomfortably like giving away full control of the entire storage account to anyone who steals the credentials.

The auth sample (from https://azure.microsoft.com/en-us/resources/samples/storage-python-getting-started/) looks like this:

block_blob_service = BlockBlobService(account_name='<acc>', account_key='<key>')

I have a service user set up in Active Directory with a role in the storage account restricting its use of the blob container; it's intended to do nothing but write new items into one specific container.

I'd like to use that user's credentials in the python script so that if it leaks, there's no access to other storage resources. Is there a way to generate an access key based on a resource/id combination, or similar way to achieve that? I've been browsing the Azure Python API docs, but not making any headway.

Edit: I've made a little progress. I've created a service principal with appropriate IAM restrictions. That appears to log in successfully when I call this:

from msrestazure.azure_active_directory import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(client_id=<>, secret=<>, tenant=<>)
print(credentials)

Which gives me an object:

<msrestazure.azure_active_directory.ServicePrincipalCredentials object at 0x7f34f52668d0>

And an error if I give it incorrect credentials. So, great, I have a credentials object. Now what? I can't find a way to feed it into BlockBlobService.

It's been a while since I've worked with Azure, but I'm pretty sure you need to get the account name / key from the Azure portal... if it's anything like AWS, you should be able to create "user" keys for apps / devs to access the storage programmatically (rather than have users use the root key). – openwonk

There's a user ID, but not a key that I can see. Not attached to it being an AD account; if I can create a container-specific key pair, that'd be great. But at the moment all I can do is grant access to the entire storage container, and I'm certain there must be a more granular way to control access than that! – zaump

Hi, if you think my answer helps you, you could mark it as an answer. Thanks a lot! – Jay Gong

1 Answer

6
votes

You could refer to this article to authenticate with Azure Active Directory from an application for access to blobs.

1. Register your application with an Azure AD tenant

2. Grant your registered app permissions to Azure Storage

3. Python code:

import adal
from azure.storage.blob import BlockBlobService
from azure.storage.common import TokenCredential

# Azure AD resource identifier for Azure Storage; the token's audience must be this.
RESOURCE = "https://storage.azure.com/"
clientId = "***"
clientSecret = "***="
tenantId = "***"
authority_url = "https://login.microsoftonline.com/" + tenantId

print(authority_url)
context = adal.AuthenticationContext(authority_url)

# Client-credentials flow: the service principal authenticates with its own
# secret; no user sign-in is involved.
token = context.acquire_token_with_client_credentials(
    RESOURCE,
    clientId,
    clientSecret)
# Do not print the token itself: it is a bearer credential. The expiry is safe to log.
print("token expires at", token["expiresOn"])

# Wrap the access token so BlockBlobService sends it as a Bearer header
# instead of signing each request with the storage account key.
tokenCre = TokenCredential(token["accessToken"])

blobService = BlockBlobService(account_name="***", token_credential=tokenCre)

# Listing blobs requires a data-plane read role on the container for the app.
for blob in blobService.list_blobs(container_name="***"):
    print(blob.properties.name)
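As an added example (not part of the answer above), a sanity check on the token dict adal returns before it is handed to TokenCredential: it confirms the token is a Bearer token whose audience is the storage resource and reports how many seconds remain before it must be re-acquired (the v2 TokenCredential does not refresh on its own). The sample token is constructed and unsigned, and the helper names are assumptions.

```python
import base64
import json
import time

RESOURCE = "https://storage.azure.com/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(access_token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Signature verification is the storage service's job; we only inspect
    claims to fail fast on a misconfigured app registration."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_storage_token(token: dict, now: float = None) -> int:
    """Validate an adal client-credentials token for Azure Storage.
    Returns seconds until expiry; raises ValueError if the token is not a
    Bearer token for the storage resource or has already expired."""
    now = time.time() if now is None else now
    if token.get("tokenType") != "Bearer":
        raise ValueError("expected a Bearer token, got %r" % token.get("tokenType"))
    claims = jwt_claims(token["accessToken"])
    # Azure AD may emit the audience with or without the trailing slash.
    if claims.get("aud", "").rstrip("/") != RESOURCE.rstrip("/"):
        raise ValueError("audience %r is not the storage resource" % claims.get("aud"))
    remaining = int(claims["exp"] - now)
    if remaining <= 0:
        raise ValueError("token expired %d seconds ago" % -remaining)
    return remaining


def _constructed_token(aud: str, exp: int) -> dict:
    # Constructed, unsigned sample in the shape adal returns; not a real token.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    jwt = ".".join([seg({"alg": "RS256", "typ": "JWT"}),
                    seg({"aud": aud, "exp": exp, "appid": "<clientId>"}), "sig"])
    return {"tokenType": "Bearer", "resource": aud, "accessToken": jwt}


if __name__ == "__main__":
    sample = _constructed_token(RESOURCE, int(time.time()) + 3600)
    print("re-acquire the token in", check_storage_token(sample), "seconds")
```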