olaf

Reputation: 347

How to fetch a token for Azure storage account access via Azure Active Directory using a service principal or OAuth2?

I am looking for examples of fetching an access token for Azure storage account access via Azure Active Directory with a service principal in Python.

It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access.

Are there other ways of fetching a token via a service principal?

Upvotes: 0

Views: 1246

Answers (1)

Kartik Bhiwapurkar

Reputation: 5165

• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration, by following the steps given in the documentation link below:

https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service

As per the above documentation, you will have to host your Python application code in a web app service and create a system-assigned managed identity for it. Once it is created, an application will be created in Azure AD with the same 'Object ID' as shown in the managed identity section of the web app service. Before moving on to this application created in Azure AD, assign the required roles to this system-assigned managed identity through the 'IAM' tab. So, in your case, you should assign the role of 'Storage Account Contributor' to the 'System-assigned managed identity' created for the web app service.

• Once the role has been assigned, go to 'Enterprise applications' and search for the 'Object ID' of the managed identity; you will find an application with the name of the web app service. In it, go to 'Permissions' under the 'Security' tab and assign the required permissions and admin consent to the application. The permissions shown are those that are allowed under the scope of 'Storage Account Contributor', and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement 'DefaultAzureCredential' from the 'azure.identity' module. For this purpose, kindly refer to the subsection of the above documentation linked below:

https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application

In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.

Upvotes: 0
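For the case actually asked about (a service principal with a client secret, no managed identity), the token comes from the OAuth2 client-credentials grant against the tenant's v2.0 token endpoint with the scope `https://storage.azure.com/.default`. The following is an added example and not code from the question, the answer or Microsoft; it uses only the Python standard library so the request building and response checks run offline against a constructed token endpoint reply. It assumes a tenant ID, client ID and client secret for an app registration, and that the service principal holds a data-plane RBAC role on the account (Storage Blob Data Reader or Storage Blob Data Contributor); the control-plane 'Storage Account Contributor' role by itself does not authorize blob data access with an Azure AD token. The `aud` check rejects a token minted for another resource before it is ever sent to storage.

```python
"""Client-credentials (OAuth2) token fetch for Azure Storage, standard library only.

Added example, not code from the question, the answer or Microsoft. Assumes an
app registration (service principal) with a tenant ID, client ID and client
secret, holding a data-plane role such as 'Storage Blob Data Reader'. The HTTP
call is isolated behind a `post` callable so everything else runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request

# v2.0 scope for Azure Storage; the issued token's `aud` claim names the resource.
STORAGE_SCOPE = "https://storage.azure.com/.default"
STORAGE_AUDIENCE = "https://storage.azure.com"


def build_token_request(tenant_id, client_id, client_secret, scope=STORAGE_SCOPE):
    """Return (url, headers, body) for the client_credentials grant against the
    tenant's v2.0 token endpoint. The secret travels only in the POST body."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Only for client-side
    sanity checks of aud/exp; the storage service is what validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def parse_token_response(raw_json, expected_audience=STORAGE_AUDIENCE):
    """Validate the token endpoint's JSON reply and return (access_token, expires_in).
    Rejects error replies, non-bearer tokens and tokens for another resource, so a
    wrong scope fails here rather than as a 403 from storage."""
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    token = data["access_token"]
    aud = decode_jwt_claims(token).get("aud")
    if aud not in (expected_audience, expected_audience + "/"):
        raise ValueError(f"token audience {aud!r} is not {expected_audience!r}")
    return token, int(data["expires_in"])


def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def fetch_storage_token(tenant_id, client_id, client_secret, post=_http_post):
    """Fetch a bearer token for Azure Storage using the service principal's secret."""
    url, headers, body = build_token_request(tenant_id, client_id, client_secret)
    return parse_token_response(post(url, headers, body))


def blob_request_headers(token, api_version="2021-08-06"):
    """Headers for a Blob REST call; bearer auth requires x-ms-version 2017-11-09 or newer."""
    return {"Authorization": f"Bearer {token}", "x-ms-version": api_version}


def make_unsigned_jwt(claims):
    """Constructed, unsigned (alg=none) JWT for OFFLINE demonstration only; Azure AD
    never issues one and storage would reject it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo_offline():
    """Exercise the full path against a constructed token endpoint reply (no network)."""
    fake_token = make_unsigned_jwt({"aud": STORAGE_AUDIENCE, "appid": "00000000-0000-0000-0000-000000000000"})
    reply = json.dumps({"token_type": "Bearer", "expires_in": 3599, "access_token": fake_token})
    token, ttl = fetch_storage_token("contoso.onmicrosoft.com", "client-id", "client-secret",
                                     post=lambda url, headers, body: reply)
    return token, ttl, blob_request_headers(token)


if __name__ == "__main__":
    import os
    # Live use: export AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET first.
    _tok, _ttl = fetch_storage_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                                     os.environ["AZURE_CLIENT_SECRET"])
    print(f"token for {STORAGE_AUDIENCE} valid for {_ttl}s")
```

With the `azure-identity` package installed, the same token is `ClientSecretCredential(tenant_id, client_id, client_secret).get_token("https://storage.azure.com/.default")`, and `DefaultAzureCredential` picks up a service principal from the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` environment variables when no managed identity is present, so the same code runs locally and in the hosted setup the answer describes. Keep the secret out of source and prefer a certificate credential or managed identity where the runtime supports it.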
