Reputation: 39888
I am trying to create an Azure Function in C# that regenerates storage keys. I'm struggling with finding the correct .NET library where I can authenticate and regenerate the keys.
The easiest way that I have found to authenticate is by using the DefaultAzureCredentials and passing these to BlobClient. But I can't find the option to regenerate keys anywhere on BlobClient.
The only way I found to regenerate keys on a storage account is by using Microsoft.Azure.Management.Fluent but the Fluent API does not support DefaultAzureCredentials. Instead I think I need to use SdkContext.AzureCredentialsFactory which doesn't have the automated fallback on Managed Identity and VS Code that DefaultCredentials has.
BlobClient so I can use DefaultAzureCredentials?
DefaultAzureCredentials with the Fluent API?
Upvotes: 6
Views: 2555
Reputation: 336
This is another variant that I just got to work with .NET 5.0. It uses a DefaultAzureCredential and converts it to an AzureCredentials instance. As a test, it then queries the list of ACR instances in the default subscription and prints their names. This variant is useful if you are using one or more other libraries that already support the DefaultAzureCredential.
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Management.ResourceManager.Fluent;

namespace Program
{
    class Program
    {
        static void Main(string[] args)
        {
            // DefaultAzureCredential walks its usual chain (environment, Managed Identity, VS Code, CLI, ...)
            var defaultCredential = new DefaultAzureCredential();
            // Acquire a bearer token for Azure Resource Manager, i.e. the management plane
            var defaultToken = defaultCredential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" })).Token;
            // Wrap the raw token string in the Microsoft.Rest credential type the Fluent SDK accepts
            var defaultTokenCredentials = new Microsoft.Rest.TokenCredentials(defaultToken);
            // The same credential object is passed for both the ARM and Graph slots; tenant id is left null
            var azureCredentials = new Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials(defaultTokenCredentials, defaultTokenCredentials, null, AzureEnvironment.AzureGlobalCloud);
            var azure = Microsoft.Azure.Management.Fluent.Azure.Configure().Authenticate(azureCredentials).WithDefaultSubscription();
            // Smoke test: list the container registries in the default subscription
            var acrList = azure.ContainerRegistries.List();
            foreach (var acr in acrList)
            {
                Console.WriteLine(acr.Name);
            }
        }
    }
}
Sources and Inspiration:
UPDATE: As Simon Opelt absolutely correctly points out in their comment: For long-running processes (e.g. services), the tokens do expire and their renewal needs to be handled. My sample here is from an Azure Function App that will run for 10 minutes max.
Upvotes: 11
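Building on the answer above, here is an added example (my code, not the answer author's) that replaces the one-shot token string with a Microsoft.Rest ITokenProvider backed by DefaultAzureCredential, so the Fluent client can re-acquire tokens in a long-running process, and then performs the storage key regeneration the question asks about. The class names AzureIdentityTokenProvider and StorageKeyRotation are mine, and the resource group, account name and key name are assumed inputs.

```csharp
using System.Linq;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
using Microsoft.Rest;

// Adapter so Microsoft.Rest.TokenCredentials asks a TokenCredential (here
// DefaultAzureCredential) for an ARM token on every request instead of holding
// one fixed string. Azure.Identity caches the token and refreshes it near expiry,
// so this stays cheap and keeps working after the first token would have expired.
sealed class AzureIdentityTokenProvider : ITokenProvider
{
    private readonly TokenCredential _credential;
    private readonly string[] _scopes;
    public AzureIdentityTokenProvider(TokenCredential credential, string scope)
    {
        _credential = credential;
        _scopes = new[] { scope };
    }
    public async Task<AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)
    {
        var token = await _credential.GetTokenAsync(new TokenRequestContext(_scopes), cancellationToken);
        return new AuthenticationHeaderValue("Bearer", token.Token);
    }
}

static class StorageKeyRotation
{
    // Regenerates one key ("key1" or "key2") of a storage account through the Fluent
    // management SDK. Only the key names are returned; the new key values are secrets
    // and are neither logged nor handed back to the caller.
    public static async Task<string[]> RegenerateKeyAsync(
        string resourceGroup, string accountName, string keyName, CancellationToken ct = default)
    {
        var provider = new AzureIdentityTokenProvider(new DefaultAzureCredential(), "https://management.azure.com/.default");
        var tokenCredentials = new TokenCredentials(provider);
        var azure = Microsoft.Azure.Management.Fluent.Azure
            .Configure()
            .Authenticate(new AzureCredentials(tokenCredentials, tokenCredentials, null, AzureEnvironment.AzureGlobalCloud))
            .WithDefaultSubscription();
        var account = await azure.StorageAccounts.GetByResourceGroupAsync(resourceGroup, accountName, ct);
        var keys = await account.RegenerateKeyAsync(keyName, ct);
        return keys.Select(k => k.KeyName).ToArray();
    }
}
```

The identity running this needs a management-plane role that allows regenerating keys on the target account (for example Storage Account Key Operator Service Role), which is separate from any data-plane role on the blobs.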
Reputation: 16108
First of all: Yes, the BlobClient (and the entire SDK around that) is only for data plane operations of a Storage Account. Key rotation, however, is a management plane operation. Thus you are right, you need the Management SDK.
I also was looking for this a while ago but couldn't find a way using DefaultAzureCredentials and the Fluent SDK. I went back to using the AzureServiceTokenProvider which also works totally fine for me:
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Logging;
using Microsoft.Rest;

// Runs inside the Function; the ILogger is the one the Function runtime injects
static async Task<IAzure> CreateAzureClientAsync(ILogger log)
{
    var tenantId = Environment.GetEnvironmentVariable("tenantId");
    // AzureServiceTokenProvider falls back through Managed Identity, Visual Studio, CLI, ...
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var token = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com", tenantId);
    var tokenCredentials = new TokenCredentials(token);
    log.LogInformation("Got AAD token. Creating Azure client");
    return Microsoft.Azure.Management.Fluent.Azure
        .Configure()
        .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
        .Authenticate(new AzureCredentials(tokenCredentials, tokenCredentials, tenantId, AzureEnvironment.AzureGlobalCloud))
        .WithDefaultSubscription();
}
IIRC tenantId is actually optional if you are targeting the user's default tenant.
Upvotes: 1