Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make DefaultAzureCredential as default credential method instead of anonymous access? #348

Open
QianqianNie opened this issue Sep 13, 2022 · 5 comments
Open

Make DefaultAzureCredential as default credential method instead of anonymous access? #348

QianqianNie opened this issue Sep 13, 2022 · 5 comments

Comments

@QianqianNie
Copy link

Hi there

what do you think of making DefaultAzureCredential as the default credential method instead of anonymouns access because I think that is the most common use case.
@agrinh
Copy link

agrinh commented Sep 14, 2022

+1, that would be great.

@TomAugspurger
Copy link
Contributor

TomAugspurger commented Sep 14, 2022
edited
Loading

xref #250, where this was implemented but then reverted. I think we can do this, but we'll need a deprecation cycle.

I was somewhat worried that this would be too noisy of a deprecation, but if we think that the majority of users are specifying credential anyway (which I think they are) then the only people affected are those relying on credential="anon".

So +1 to deprecating the current default with a FutureWarning and then moving to DefaultAzureCredential in a later future.

[edit]: One slight modification: this would need to interact carefully with a SAS token in the URL. From the azure docs:

The credentials with which to authenticate. This is optional if the account URL already has a SAS token. The value can be a SAS token string, an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials, an account shared access key, or an instance of a TokenCredentials class from azure.identity. If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential

  • except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError. If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key" should be the storage account key.

@JoostvDoorn
Copy link
Contributor

Is there any way to move this forward? There are some libraries that do not expose fsspec storage options because they assume the anon=False logic like in s3, and I suppose azure is not their main target audience. As a workaround would it be possible to add an env option to disable anon access before we transition to anon=False by default?

@JoostvDoorn JoostvDoorn mentioned this issue Jan 27, 2023
Closed
@agrinh
Copy link

agrinh commented Feb 1, 2023

I'm with @JoostvDoorn, this is a bit of a headache. There needs to be some mechanism to override this without explicit access to the storage options until the default can be changed. Either an env variable or some override in the URL itself.

@agrinh agrinh mentioned this issue Feb 21, 2023
Open
@JoostvDoorn
Copy link
Contributor

For those interested in this fsspec/filesystem_spec#1194 provides a generic alternative solution (make sure to update fsspec as it's pretty recent addition). You can pass a default argument to FSSPEC for specific implementations through an env variable as follows:

os.environ["FSSPEC_ABFS"] = """
{
  "anon": false
}
"""

I'll be closing my PR (#393) as it's not getting any traction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@TomAugspurger @JoostvDoorn @agrinh @QianqianNie