From 11febf1a5dc3f134b3684e9a3fb5af959c00e455 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Fri, 22 Mar 2024 16:43:35 +1100 Subject: [PATCH 1/5] Add some information on how to use Managed Identity for Django and Azure --- docs/backends/azure.rst | 50 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/docs/backends/azure.rst b/docs/backends/azure.rst index 58ba92e2..6dcdaa84 100644 --- a/docs/backends/azure.rst +++ b/docs/backends/azure.rst 
@@ -46,11 +46,53 @@ Authentication Settings Several different methods of authentication are provided. In order of precedence they are: -#. ``connection_string`` or ``AZURE_CONNECTION_STRING`` (see `Connection string docs `_) +#. ``connection_string`` or ``AZURE_CONNECTION_STRING`` (see `Connection string docs `_) #. (``account_key`` or ``AZURE_ACCOUNT_KEY``) and (``account_name`` or ``AZURE_ACCOUNT_NAME``) #. ``token_credential`` or ``AZURE_TOKEN_CREDENTIAL`` #. ``sas_token`` or ``AZURE_SAS_TOKEN`` +Using Managed Identity +++++++++++++++++++++++ + +`Azure Managed Identity `_ is an authentication method that allows you to authenticate to Azure services without storing credentials in your code. +Managed Identity is the recommended mechanism for password-less authentication to Azure Storage Accounts from other Azure services like App Services, Functions, Container Apps, and VMs. + +To use Managed Identity you will need to configure a System Assigned Managed Identity or a User Assigned Managed Identity for your app service. Then you can use the ``DefaultAzureCredential`` class from the Azure SDK to authenticate. +This class will automatically try all the available authentication methods in the order of precedence. ``DefaultAzureCredential`` will also use environment variables for local development, or VS Code Azure Login if available. + +This `guide `_ contains more information on assigning roles to Storage Accounts. + +Before using Managed Identity, you will need to install the Azure Identity package:: + + pip install azure-identity + +After creating the containers in the Azure Storage Account, you can configure Managed Identity in Django settings. +Import ``DefaultAzureCredential`` from ``azure.identity`` to use it for the ``token_credential`` property: + + from azure.identity import DefaultAzureCredential + + ... 
+ + STORAGES = { + "default": { + "BACKEND": "storages.backends.azure_storage.AzureStorage", + "OPTIONS": { + "token_credential": DefaultAzureCredential(), + "account_name": "mystorageaccountname", + "azure_container": "media", + }, + }, + "staticfiles": { + "BACKEND": "storages.backends.azure_storage.AzureStorage", + "OPTIONS": { + "token_credential": DefaultAzureCredential(), + "account_name": "mystorageaccountname", + "azure_container": "static", + }, + }, + } + + Settings ~~~~~~~~ @@ -145,8 +187,8 @@ Settings Default: ``None`` - The api version to use. - + The Azure Storage API version to use. Default value is the most recent service version that is compatible with the current SDK. + Setting to an older version may result in reduced feature compatibility. Additional Notes ---------------- @@ -167,7 +209,7 @@ The difference between public and private URLs is that private includes the SAS With private URLs you can override certain properties stored for the blob by specifying query parameters as part of the shared access signature. These properties include the cache-control, content-type, content-encoding, content-language, and content-disposition. -See https://docs.microsoft.com/en-us/rest/api/storageservices/set-blob-properties#remarks +See https://docs.microsoft.com/rest/api/storageservices/set-blob-properties#remarks You can specify these parameters by:: From fab978071aced27f2d72044a7f7cc40d2178a579 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Fri, 22 Mar 2024 16:44:09 +1100 Subject: [PATCH 2/5] You need the account name as well --- docs/backends/azure.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/backends/azure.rst b/docs/backends/azure.rst index 6dcdaa84..2b3c9b35 100644 --- a/docs/backends/azure.rst +++ b/docs/backends/azure.rst 
@@ -48,7 +48,7 @@ Several different methods of authentication are provided. In order of precedence #. ``connection_string`` or ``AZURE_CONNECTION_STRING`` (see `Connection string docs `_) #. (``account_key`` or ``AZURE_ACCOUNT_KEY``) and (``account_name`` or ``AZURE_ACCOUNT_NAME``) -#. ``token_credential`` or ``AZURE_TOKEN_CREDENTIAL`` +#. ``token_credential`` or ``AZURE_TOKEN_CREDENTIAL`` with ``account_name`` or ``AZURE_ACCOUNT_NAME`` #. ``sas_token`` or ``AZURE_SAS_TOKEN`` Using Managed Identity From edc55ce1c64f5e9058a81adacc88a412b29950e6 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Fri, 22 Mar 2024 18:42:37 +1100 Subject: [PATCH 3/5] Update azure.rst --- docs/backends/azure.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/backends/azure.rst b/docs/backends/azure.rst index 2b3c9b35..c7bfa53d 100644 --- a/docs/backends/azure.rst +++ b/docs/backends/azure.rst @@ -57,7 +57,7 @@ Using Managed Identity `Azure Managed Identity `_ is an authentication method that allows you to authenticate to Azure services without storing credentials in your code. Managed Identity is the recommended mechanism for password-less authentication to Azure Storage Accounts from other Azure services like App Services, Functions, Container Apps, and VMs. -To use Managed Identity you will need to configure a System Assigned Managed Identity or a User Assigned Managed Identity for your app service. Then you can use the ``DefaultAzureCredential`` class from the Azure SDK to authenticate. +To use Managed Identity you will need to configure a System Assigned Managed Identity or a User Assigned Managed Identity for your app service. Then you can use the `DefaultAzureCredential `_ contains more information on assigning roles to Storage Accounts. 
@@ -92,6 +92,7 @@ Import ``DefaultAzureCredential`` from ``azure.identity`` to use it for the ``to }, } +For `User assigned Managed Identity `_, pass the client ID parameter to the DefaultAzureCredential call. Settings ~~~~~~~~ From 15a26b5a155db52bb4fff21b47e96769a8bf2669 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Fri, 22 Mar 2024 18:43:27 +1100 Subject: [PATCH 4/5] Update azure.rst --- docs/backends/azure.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/backends/azure.rst b/docs/backends/azure.rst index c7bfa53d..ea4d8f89 100644 --- a/docs/backends/azure.rst +++ b/docs/backends/azure.rst @@ -57,7 +57,7 @@ Using Managed Identity `Azure Managed Identity `_ is an authentication method that allows you to authenticate to Azure services without storing credentials in your code. Managed Identity is the recommended mechanism for password-less authentication to Azure Storage Accounts from other Azure services like App Services, Functions, Container Apps, and VMs. -To use Managed Identity you will need to configure a System Assigned Managed Identity or a User Assigned Managed Identity for your app service. Then you can use the `DefaultAzureCredential `_ class from the Azure SDK to authenticate. This class will automatically try all the available authentication methods in the order of precedence. ``DefaultAzureCredential`` will also use environment variables for local development, or VS Code Azure Login if available. This `guide `_ contains more information on assigning roles to Storage Accounts. From 2d099cf4068c7c7e6ef3f1bfef4b8e0dc4005a27 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 27 Mar 2024 06:39:08 +1100 Subject: [PATCH 5/5] Update doc to format config correctly --- docs/backends/azure.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/backends/azure.rst b/docs/backends/azure.rst index 21a29d95..20c94399 100644 --- a/docs/backends/azure.rst +++ b/docs/backends/azure.rst 
@@ -67,7 +67,8 @@ Before using Managed Identity, you will need to install the Azure Identity packa pip install azure-identity After creating the containers in the Azure Storage Account, you can configure Managed Identity in Django settings. -Import ``DefaultAzureCredential`` from ``azure.identity`` to use it for the ``token_credential`` property: +Import ``DefaultAzureCredential`` from ``azure.identity`` to use it for the ``token_credential`` property:: + from azure.identity import DefaultAzureCredential
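Review bot: in patch 1/5, hunk `@@ -46,11 +46,53 @@`, the added paragraph says ``DefaultAzureCredential`` "will automatically try all the available authentication methods" and "will also use environment variables for local development", but it does not say that the same chain is evaluated in production. A deployed app that has credential environment variables set would authenticate with those rather than with the managed identity. Suggest adding a sentence that ``ManagedIdentityCredential`` from ``azure.identity`` can be passed as ``token_credential`` when only Managed Identity should be accepted. The paragraph also links a guide on assigning roles without naming the role the identity needs on the Storage Account; naming it (for example Storage Blob Data Contributor for read and write access to blobs) would make the step actionable. Minor: the settings example calls ``DefaultAzureCredential()`` once per storage entry; a single instance assigned to a variable and reused in both ``OPTIONS`` blocks would be tidier.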
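Review bot: in patch 1/5, hunk `@@ -145,8 +187,8 @@`, the new description sits directly under "Default: ``None``" and then says "Default value is the most recent service version that is compatible with the current SDK", which reads as two different defaults. Suggest tying them together, e.g. "When left as ``None``, the SDK uses the most recent service version it supports."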
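Review bot: in patch 2/5, hunk `@@ -48,7 +48,7 @@`, the rewritten item 3 joins the two alternatives with "with" and no grouping, while item 2 directly above groups them as "(``account_key`` or ``AZURE_ACCOUNT_KEY``) and (``account_name`` or ``AZURE_ACCOUNT_NAME``)". As written, item 3 can be read as "``token_credential``, or ``AZURE_TOKEN_CREDENTIAL`` with ``account_name``, or ``AZURE_ACCOUNT_NAME``". Suggest the same parenthesised form: "(``token_credential`` or ``AZURE_TOKEN_CREDENTIAL``) and (``account_name`` or ``AZURE_ACCOUNT_NAME``)".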
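Review bot: in patch 3/5, hunk `@@ -92,6 +92,7 @@`, the added sentence says to "pass the client ID parameter to the DefaultAzureCredential call" without naming the parameter, so the reader still has to look it up. Suggest naming the keyword argument, ``managed_identity_client_id``, and showing it inline as ``DefaultAzureCredential(managed_identity_client_id=...)``. The class name should also be in double backticks as it is everywhere else in the section, and "User assigned" should match the "User Assigned" capitalisation used earlier in the same section.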
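Review bot: in patch 5/5, hunk `@@ -67,7 +67,8 @@`, the change from "property:" to "property::" plus the added blank line repairs a literal block that patch 1/5 of this same series introduced, so the intermediate commits render the settings example incorrectly. Suggest folding this into patch 1/5 before merge. Patches 3/5 and 4/5 likewise both carry the subject "Update azure.rst" and touch the same ``DefaultAzureCredential`` sentence; squashing them with a subject that says what changed would leave a cleaner history.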