-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use AzureIdentity SDK or MSAL instead of ADAL #1907
Comments
With ADAL being deprecated on June 2023, @zezha-msft how do you plan to migrate to MSAL or AzureIdentity library ? |
Hi @jbpaux The plan is to migrate azcopy to the new Azure Identity library https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/azidentity This is work we have scheduled and will get to it soon. |
Perfect @gapra-msft please target 1.3.0+ as it support Workload Identity 😉 |
Hi @gapra-msft Do you have any updates on this issue? It would be helpful if you could comment on the ETA if you have one. |
Hi, we are currently blocked on the MSAL and Azure Identity SDKs until they add support for token cache persistence. Azure/azure-sdk-for-go#16643 We have almost completed the bulk of the work on our end to upgrade, we are just waiting on this support. |
@gapra-msft , will it be possible after migrating to MSAL and Azure Identity SDk to share a token cache with other applications? In my use case, a long-running service application already uses MSAL to obtain a valid token. Occasionally, azcopy is called to perform actions. At the moment, this requires re-authenticating in the azcopy child process due to the opaque token cache persistance, or abusing $env:AZCOPY_OAUTH_TOKEN_INFO. |
Hi @maikschulze I would recommend you create a new Github issue describing the details of the scenario you are interested in. Then, the team will internally discuss this and get back to you on our thoughts. |
I got tired of waiting on this, as its a massive blocker for our usecases, and only gets worse as time marches forward. So, for those of you in the same position we're in, I patched in azidentity 1.3.0 to replace the MSI implementation for ADAL, which works in our initial testing. https://github.com/Azure/azure-storage-azcopy/compare/main...randywallace:azure-storage-azcopy:add-default-azure-credential-msal?expand=1 . I'm not opening a PR, b/c I'm all but certain the implementation is not sustainably mergeable, but for those that need this, here it is, until this issue is resolved. |
I am running into this issue also so hope it gets fixed soon. In the meantime, for us, we used the PowerShell module as a workaround. It can't replace all the use cases/functionality of azcopy, but for basic blob upload/download use cases it works perfectly with Workload Identity. |
It seems to be available in next version |
Hi, yes we have upgraded most of the OAuth logic to the new azure identity SDK, with the exception of device code credential, as of 10.21.0 Closing this issue as this has been addressed in a recent release. |
Hi @gapra-msft, Related issue: #2112 |
Hi @gapra-msft |
To use workload identity, you can login via AzCLI login and then set azcopy's auto login environment variable to AZCLI |
Here are the official public docs https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory#authorize-with-azure-cli Closing as AzCLI and Powershell login is the mitigation for this item. |
so for docker images the workaround is to install a second cli which doubles the image size to solve this issue? |
Which version of the AzCopy was used?
V10.16.0
Which platform are you using? (ex: Windows, Mac, Linux)
Linux
What command did you run?
I'm trying to use
azcopy
with Azure AD Workload Identity without using Workload Identity's proxy sidecar. The proxy sidecar is used to intercept token requests to IMDS and acquire an AAD token on behalf of the user with federated identity credential. Unfortunately, our use case requires runningazcopy
in a k8s init-container therefore we can't rely on the proxy sidecar.Based on this comment if a project uses the AzureIdentity SDK or MSAL then there is no need for the proxy sidecar. However, it seems
azcopy
is using ADAL, which is both deprecated and preventsazcopy
to be used in an init-container.The command below only works in conjunction with a proxy sidecar:
azcopy login --identity --identity-client-id < client ID of a managed identity >
What problem was encountered?
Not using Azure AD Workload Identity's proxy sidecar will make
azcopy
fail to acquire a token.How can we reproduce the problem in the simplest way?
Have you found a mitigation/solution?
No
The text was updated successfully, but these errors were encountered: