Hello,
Are there plans to add support for Service Principal authentication such that copy operations that interact with ADLS gen2 could be automated securely without user login?
Thank you,
Ron
Hi, @rdefreitas
Thanks for reaching us!
This is a good item that can be considered for addition, and for the requirement I wish to ask some questions.
As we know, Azure Storage supports authentication and authorization with Azure Active Directory (AD) for the Blob/Queue/ADAL gen2 services. And with Azure AD, you can use role-based access control (RBAC) to grant access to users, groups, or application service principals.
When working with an application service principal, the user/app typically needs to first sign in with a service principal; here is an example in the Azure CLI case.
So would you describe more about copy operations without user login?
Thanks,
Jiachen
In essence, what @rdefreitas is looking for is the equivalent of:
Log in with a service principal using client secret.
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
But for azcopy... As azcopy currently only supports an interactive login or MSI. Though it could be that a system would need to log in (non-interactively) from a system that does not support MSI.
Thanks for providing the feedback! This is a good feature to add, and we have created a work item to further trace it.
FYI this is actually in PR #332, at this point, we're just waiting on security approval.
Hi there! This is very, very important functionality. I have some trouble automating the creation of storage gen2 datalake, and it seems only azcopy supports this; no interactive login is required for an automatically run script. When will the PR be merged?
@unfii We don't have a scheduled date yet. With it being security-related, there are some special review steps to go through, as per above. If you can't wait, there may be ways to do it from PowerShell etc, using the REST API directly, but authentication and protection of secrets may be more complicated there.
Thanks for adding this functionality. I'll keep an eye on when PR #383 is completed and we could start with our own build at that point.
This has been released in version 10.2.1
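An added example (not part of the thread and not AzCopy's own code) of the non-interactive login requested above, using the `azcopy login --service-principal` form documented for AzCopy v10. Unlike the `-p VerySecret` argument in the `az login` line quoted earlier, the secret is handed over through the `AZCOPY_SPA_CLIENT_SECRET` environment variable. The function names, the `AZCOPY_BIN` override, the secret file and the IDs in the usage comment are assumptions made for illustration.

```bash
# Added example; function names, AZCOPY_BIN and the secret file are hypothetical.

# Accept the secret file only if it is a regular file (not a symlink)
# that nobody except its owner can read or write.
secret_file_ok() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  # GNU stat first, BSD/macOS stat as a fallback.
  _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$_mode" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# Log in as a service principal without any user interaction.
#   $1 = application (client) ID, $2 = tenant ID, $3 = file holding the secret
# The secret is placed in the environment of the azcopy invocation only, so it
# does not show up in argv (process listings) or in shell history.
spn_login() {
  if ! secret_file_ok "$3"; then
    echo "refusing to use secret file with unsafe type or permissions: $3" >&2
    return 2
  fi
  AZCOPY_SPA_CLIENT_SECRET=$(cat "$3") \
    "${AZCOPY_BIN:-azcopy}" login --service-principal \
      --application-id "$1" --tenant-id "$2"
}

# Usage (placeholder values):
#   spn_login "<application-id>" "<tenant-id>" /etc/myjob/spn.secret \
#     && azcopy copy ./data "https://<account>.dfs.core.windows.net/<filesystem>/" --recursive
```
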