Support for managed identity in azure.storage.fileshare

[holwech]

Running the following:

from azure.storage.fileshare import ShareFileClient
from azure.identity import DefaultAzureCredential

file_client = ShareFileClient(
                        account_url=f"https://{storage_account}.file.core.windows.net/",
                        file_path=file_path,
                        credential=DefaultAzureCredential(),
                        share_name=share_name
                     )

Leads to the following error:

ValueError("Token credentials not supported by the File service.")

Default credentials in my case would be managed identity. It's not explicitly mentioned in the documentation (as far as I can see), but is managed identity not supported by this library? Will it be supported, and if so, when?

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

[xiafu-msft]

Hi @holwech
Thanks for reporting this. We will discuss this and get back to you!

[bec-zt8]

what is the status of this issue?

[amishra-dev]

The service does not have the support for this yet. We will add it to the SDK as soon as the service adds support. We do not have the ETA for the service support

[pdworzynski]

Hi,

Is there an update on this? For example, documentation suggests that this approach should work e.g.

from azure.storage.fileshare import ShareServiceClient

service = ShareServiceClient(account_url="https://<my-storage-account-name>.file.core.windows.net/", credential=credential)

However, using azure-storage-file-share 12.5.0 with a service principal token i'm getting the same error.

ValueError("Token credentials not supported by the File service.") 

Can you recommend any workarounds?

Thanks!

[jvschoen]

Any update on this? what is the best approach to connecting to file service through python SDK?

[jalauzon-msft]

Hi all, apologies for the long delay with no update but we've essentially been waiting for the service to add support for AAD auth to the Files service. I'm happy to report the service team is finally working on adding this support and we should soon be able to support this in the SDK. I don't have yet have a concrete timeline but hopefully it will be coming within the next couple of releases.

Thanks for your patience. I will update here once the feature has been added.

[david-msft]

Hi all, apologies for the long delay with no update but we've essentially been waiting for the service to add support for AAD auth to the Files service. I'm happy to report the service team is finally working on adding this support and we should soon be able to support this in the SDK. I don't have yet have a concrete timeline but hopefully it will be coming within the next couple of releases.

Thanks for your patience. I will update here once the feature has been added.

is this going to be in .net SDK as well?

[jalauzon-msft]

@david-msft, yes, the plan is for the to be added to the .NET SDK as well once its available from the service. Still no ETA on it but this feature in.NET should be released at the same as Python.

[diti-nz]

Hi Team, Any update on this?

[paul-cleverley]

what @diti-nz said...?

[jalauzon-msft]

Hi all, I'm happy to announce that support for Files OAuth / Managed identities has been released in our latest preview release, 12.12.0b1! Please see this sample for example use.

Please note there some caveats with the implementation that are specific to the Files SDK and come from the service (out of the client's control).

• Only File, Directory, and a small handful of Share level operations are supported for use with OAuth in the data plane SDK (azure-storage-file-share). For all other operations that need to be used with OAuth, it is recommended to use the control plane SDKs.
• In the current implementation you must provide the token_intent keyword (see sample) with the only possible value being backup today. This certifies your intent to use the readFileBackupSemantics and/or writeFileBackupSemantics RBAC permissions that allow you to bypass File ACLs when using OAuth. This is currently the only supported scenario for OAuth in the Files service.

Please feel free to try out the preview release and provide any feedback. This will tentatively be released in our next full release within the next few weeks (may change though). Since it is currently in preview, it is subject to change before the full release though. Thanks for your patience!

[jalauzon-msft]

This has been fully released in version 12.12.0.