Azure Question posted in
The official documentation to get you started can be found here.

Can a desktop application use federated identity credentials to connect to Azure Blob Storage?

I have a desktop application that needs to connect to Azure Blob Storage.
Since it is not running on Azure, using managed identity is not an option.
I wanted to check the feasibility of using federated identity credentials to connect to Azure Blob Storage from the desktop application.

It would be helpful if I can get some steps or some sample code which I can use to check the feasibility.
Also, is there any other better way to achieve the above mentioned scenario without using connection strings or SAS tokens?

Tags:

2

Answers


  1. 0

    Is there any other better way to achieve the above-mentioned scenario without using connection strings or SAS tokens?

    You can use the ClientSecretCredential to authenticate Azure Blob Storage without a SAS token and connection string.

    First, create an app registration in the portal and fetch the client ID, tenant ID, and client secret from the app. Assign the Storage Blob Data Contributor role to the storage account to access Azure Blob Storage.

    Here is the code to get the list of blob names with ClientSecretCredential using .NET.

    Code:

    using Azure.Identity;
using Azure.Storage.Blobs;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {

            string tenantId = "your-tenant-id";
            string clientId = "your-client-id";
            string clientSecret = "your-client-secret";
            string accountName = "your-account-name";
            string containerName = "your-container-name";
            var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var blobServiceClient = new BlobServiceClient(new Uri($"https://{accountName}.blob.core.windows.net"), credential); // Get a reference to the container
            var containerClient = blobServiceClient.GetBlobContainerClient(containerName);
            foreach (var blobItem in containerClient.GetBlobs())
            {
                Console.WriteLine(blobItem.Name);
            }
        }
    }
}

    Output:

    08-xx1).html
08-0xx4.html
10-04xx.html
20240409/001.csv
20240409/002.csv
20240409/003.csv
20240409/004.csv
ContactId/10-0xxx).html
ContactId/12xx24.html
ContactId/Adobe Scan 10-Apr-2024.pdf
ContactId/RxxN.html
ContactId/document.PDF
example.png
imp.png
sample3.txt
sample345.txt
test.xlsx

    enter image description here

    Reference:
    Authorize access to blobs using Microsoft Entra ID – Azure Storage | Microsoft Learn

    Login or Signup to reply.
  2. 0

    Exactly what you request is possible with Configure a federated identity credential on an app Configure a federated identity credential on an app. The link before gives you the example on how to configure the managed identity for GitHub – it must be adapted to your identity provider accordingly.

    Then, if you use the MSAL library, you can make sure to get the corresponding access token with this code:

    using Microsoft.Identity.Client;

var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientAssertion((AssertionRequestOptions options) => FetchExternalTokenAsync())
            .Build()

var result = await app
            .AcquireTokenForClient(scope).ExecuteAsync();

public async Task<string> FetchExternalTokenAsync() 
{
    // logic to get token from cache or other sources, like GitHub, Kubernetes, etc.
     return token;
}

    This should cover your usecase.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search