DefaultAzureCredential Authentication Order
Opened this issue · 2 comments
Background:
During integration testing, errors came up from "integration_blob_common.py" concerning blob permissions:
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
The current documentation recommends using the command "az login" (az cli) to prevent this issue, but after multiple tries, it was discovered that the test was using the "Managed Identity", which didn't have any permissions on the Storage Account. From reviewing the documentation, the behavior is consistent with the order defined here.
Workaround:
As part of our test, we found out that granting the VM (managed identity) access to the Storage Account and the Key Vault allowed the integration tests to pass and finish.
Next steps:
The development group needs to issue a recommendation on credentials. Most of the content mentions "az cli", but given that we have also asked them to assign a managed identity during the VM creation (picture below), the auth order will not allow the "az cli" credentials to take effect.
On the other hand, we can include additional comments to remind the user to grant access to the Managed Identity, and delete references to "az cli".
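The behaviour the issue describes, as an added example (not code from the gr-azure project or from the issue author): the chain picks the first credential that can produce a token, and a token whose identity has no role on the Storage Account is still a token, so the 403 surfaces from the data plane and the chain never falls through to the Azure CLI credential. The credential classes, the role assignments and the blob call are constructed stand-ins so the script runs offline; the chain order modelled here (environment, managed identity, Azure CLI) is a subset of the documented DefaultAzureCredential order.

```python
"""Model of how DefaultAzureCredential selects a credential on an Azure VM.

Constructed example: the classes below stand in for azure-identity's
credentials and for azure.core's HttpResponseError so that it runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class CredentialUnavailableError(Exception):
    """Mirrors azure.identity.CredentialUnavailableError: this credential cannot
    be used at all in the current environment, try the next one."""


class HttpResponseError(Exception):
    """Stand-in for azure.core.exceptions.HttpResponseError (403 from storage)."""


@dataclass(frozen=True)
class AccessToken:
    principal: str  # which identity the token represents


@dataclass
class StubCredential:
    name: str
    principal: Optional[str]  # None -> credential is not available here

    def get_token(self, *scopes: str) -> AccessToken:
        if self.principal is None:
            raise CredentialUnavailableError(f"{self.name} not available")
        return AccessToken(self.principal)


def default_credential_chain(env: StubCredential, managed_identity: StubCredential,
                             az_cli: StubCredential,
                             exclude_managed_identity: bool = False) -> List[StubCredential]:
    """Credentials in the modelled DefaultAzureCredential order. The flag mirrors
    azure-identity's exclude_managed_identity_credential=True."""
    chain = [env]
    if not exclude_managed_identity:
        chain.append(managed_identity)
    chain.append(az_cli)
    return chain


def resolve_token(chain: List[StubCredential],
                  scope: str = "https://storage.azure.com/.default") -> Tuple[str, AccessToken]:
    """First credential that returns a token wins. Only CredentialUnavailableError
    moves the chain on; a token for an identity with no RBAC role still stops it."""
    errors = []
    for cred in chain:
        try:
            return cred.name, cred.get_token(scope)
        except CredentialUnavailableError as exc:
            errors.append(str(exc))
    raise CredentialUnavailableError("; ".join(errors))


def read_blob(token: AccessToken, role_assignments: Dict[str, Set[str]]) -> str:
    """Constructed stand-in for a blob data-plane call: authorization is decided
    by the storage service against RBAC role assignments, not by the chain."""
    roles = role_assignments.get(token.principal, set())
    if not roles & {"Storage Blob Data Reader", "Storage Blob Data Contributor"}:
        raise HttpResponseError(
            "This request is not authorized to perform this operation using this permission.")
    return f"blob contents read as {token.principal}"


def run_scenario(vm_has_managed_identity: bool, exclude_managed_identity: bool) -> str:
    """Developer ran `az login` as a user holding Storage Blob Data Reader, but the
    VM's system-assigned identity has no role on the account (constructed data)."""
    role_assignments = {"dev@example.com": {"Storage Blob Data Reader"}}
    chain = default_credential_chain(
        env=StubCredential("EnvironmentCredential", None),  # no AZURE_CLIENT_* vars set
        managed_identity=StubCredential(
            "ManagedIdentityCredential",
            "vm-system-assigned-identity" if vm_has_managed_identity else None),
        az_cli=StubCredential("AzureCliCredential", "dev@example.com"),
        exclude_managed_identity=exclude_managed_identity,
    )
    name, token = resolve_token(chain)
    try:
        return f"{name}: {read_blob(token, role_assignments)}"
    except HttpResponseError as exc:
        return f"{name}: HttpResponseError: {exc}"


if __name__ == "__main__":
    # VM has a managed identity with no role: the issue's failure mode.
    print(run_scenario(vm_has_managed_identity=True, exclude_managed_identity=False))
    # No managed identity on the VM: az login credentials take effect.
    print(run_scenario(vm_has_managed_identity=False, exclude_managed_identity=False))
    # Managed identity present but excluded from the chain: az login wins again.
    print(run_scenario(vm_has_managed_identity=True, exclude_managed_identity=True))
```

The practical consequences match the two fixes discussed in the thread: either grant the VM's managed identity the Storage Blob Data role (the workaround above), or keep the managed identity out of the chain for the az-cli path, which in the real library is `DefaultAzureCredential(exclude_managed_identity_credential=True)` or simply using `AzureCliCredential` directly, so that the tutorial's `az login` instructions actually determine the identity the tests run as.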
Hi @geperezg , thank you for providing such great detail. We will update our docs to include your recommendation.
I think we already addressed this when we split the blob tutorial into two separate ones for managed ID and az cli, see https://github.com/microsoft/gr-azure/blob/main/examples/blob_managed_id_quickstart.md?plain=1#L57