[Storage] Migrate from ClientSecretCredential to `DefaultAzureCrede…

…ntial` in Samples (#36664)

sdk/storage/azure-storage-blob/azure/storage/blob/_blob_service_client.py

@@ -115,7 +115,7 @@ class BlobServiceClient(StorageAccountHostsMixin, StorageEncryptionMixin):
             :end-before: [END create_blob_service_client_oauth]
             :language: python
             :dedent: 8
-            :caption: Creating the BlobServiceClient with Azure Identity credentials.
+            :caption: Creating the BlobServiceClient with Default Azure Identity credentials.
     """
 
     def __init__(

sdk/storage/azure-storage-blob/samples/blob_samples_authentication.py

@@ -20,9 +20,6 @@
     2) OAUTH_STORAGE_ACCOUNT_NAME - the oauth storage account name
     3) AZURE_STORAGE_ACCOUNT_NAME - the name of the storage account
     4) AZURE_STORAGE_ACCESS_KEY - the storage account access key
-    5) ACTIVE_DIRECTORY_APPLICATION_ID - Azure Active Directory application ID
-    6) ACTIVE_DIRECTORY_APPLICATION_SECRET - Azure Active Directory application secret
-    7) ACTIVE_DIRECTORY_TENANT_ID - Azure Active Directory tenant ID
 """
 
 import os
@@ -38,9 +35,6 @@ class AuthSamples(object):
 
     connection_string = os.getenv("AZURE_STORAGE_CONNECTION_STRING")
     shared_access_key = os.getenv("AZURE_STORAGE_ACCESS_KEY")
-    active_directory_application_id = os.getenv("ACTIVE_DIRECTORY_APPLICATION_ID")
-    active_directory_application_secret = os.getenv("ACTIVE_DIRECTORY_APPLICATION_SECRET")
-    active_directory_tenant_id = os.getenv("ACTIVE_DIRECTORY_TENANT_ID")
 
     def auth_connection_string(self):
         if self.connection_string is None:
@@ -93,28 +87,6 @@ def auth_blob_url(self):
         blob_client = BlobClient.from_blob_url(sas_url)
         # [END create_blob_client_sas_url]
 
-    def auth_active_directory(self):
-        if self.active_directory_tenant_id is None or self.active_directory_application_id is None or self.active_directory_application_secret is None:
-            print("Missing required environment variable(s). Please see specific test for more details." + '\n' +
-                  "Test: auth_active_directory")
-            sys.exit(1)
-        # [START create_blob_service_client_oauth]
-        # Get a token credential for authentication
-        from azure.identity import ClientSecretCredential
-        token_credential = ClientSecretCredential(
-            self.active_directory_tenant_id,
-            self.active_directory_application_id,
-            self.active_directory_application_secret
-        )
-
-        # Instantiate a BlobServiceClient using a token credential
-        from azure.storage.blob import BlobServiceClient
-        blob_service_client = BlobServiceClient(account_url=self.oauth_url, credential=token_credential)
-        # [END create_blob_service_client_oauth]
-
-        # Get account information for the Blob Service
-        account_info = blob_service_client.get_service_properties()
-
     def auth_shared_access_signature(self):
         if self.connection_string is None:
             print("Missing required environment variable: AZURE_STORAGE_CONNECTION_STRING." + '\n' +
@@ -139,7 +111,7 @@ def auth_shared_access_signature(self):
         # [END create_sas_token]
 
     def auth_default_azure_credential(self):
-        # [START create_blob_service_client_oauth_default_credential]
+        # [START create_blob_service_client_oauth]
         # Get a credential for authentication
         # Default Azure Credentials attempt a chained set of authentication methods, per documentation here: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity
         # For example user (who must be an Azure Event Hubs Data Owner role) to be logged in can be specified by the environment variable AZURE_USERNAME
@@ -154,15 +126,14 @@ def auth_default_azure_credential(self):
             account_url=self.oauth_url,
             credential=default_credential
         )
-        # [END create_blob_service_client_oauth_default_credential]
+        # [END create_blob_service_client_oauth]
 
         # Get account information for the Blob Service
         account_info = blob_service_client.get_service_properties()
 
 if __name__ == '__main__':
     sample = AuthSamples()
     sample.auth_connection_string()
-    sample.auth_active_directory()
     sample.auth_shared_access_signature()
     sample.auth_blob_url()
     sample.auth_default_azure_credential()

sdk/storage/azure-storage-blob/samples/blob_samples_authentication_async.py

@@ -20,9 +20,6 @@
     2) OAUTH_STORAGE_ACCOUNT_NAME - the oauth storage account name
     3) AZURE_STORAGE_ACCOUNT_NAME - the name of the storage account
     4) AZURE_STORAGE_ACCESS_KEY - the storage account access key
-    5) ACTIVE_DIRECTORY_APPLICATION_ID - Azure Active Directory application ID
-    6) ACTIVE_DIRECTORY_APPLICATION_SECRET - Azure Active Directory application secret
-    7) ACTIVE_DIRECTORY_TENANT_ID - Azure Active Directory tenant ID
 """
 
 
@@ -40,9 +37,6 @@ class AuthSamplesAsync(object):
 
     connection_string = os.getenv("AZURE_STORAGE_CONNECTION_STRING")
     shared_access_key = os.getenv("AZURE_STORAGE_ACCESS_KEY")
-    active_directory_application_id = os.getenv("ACTIVE_DIRECTORY_APPLICATION_ID")
-    active_directory_application_secret = os.getenv("ACTIVE_DIRECTORY_APPLICATION_SECRET")
-    active_directory_tenant_id = os.getenv("ACTIVE_DIRECTORY_TENANT_ID")
 
     async def auth_connection_string_async(self):
         if self.connection_string is None:
@@ -89,25 +83,6 @@ async def auth_blob_url_async(self):
         blob_client = BlobClient.from_blob_url(sas_url)
         # [END create_blob_client_sas_url]
 
-    async def auth_active_directory_async(self):
-        if self.active_directory_tenant_id is None or self.active_directory_application_id is None or self.active_directory_application_secret is None:
-            print("Missing required environment variable(s). Please see specific test for more details." + '\n' +
-                  "Test: auth_active_directory_async")
-            sys.exit(1)
-        # [START create_blob_service_client_oauth]
-        # Get a token credential for authentication
-        from azure.identity.aio import ClientSecretCredential
-        token_credential = ClientSecretCredential(
-            self.active_directory_tenant_id,
-            self.active_directory_application_id,
-            self.active_directory_application_secret
-        )
-
-        # Instantiate a BlobServiceClient using a token credential
-        from azure.storage.blob.aio import BlobServiceClient
-        blob_service_client = BlobServiceClient(account_url=self.oauth_url, credential=token_credential)
-        # [END create_blob_service_client_oauth]
-
     async def auth_shared_access_signature_async(self):
         if self.connection_string is None:
             print("Missing required environment variable: AZURE_STORAGE_CONNECTION_STRING." + '\n' +
@@ -132,7 +107,7 @@ async def auth_shared_access_signature_async(self):
         # [END create_sas_token]
 
     async def auth_default_azure_credential(self):
-        # [START create_blob_service_client_oauth_default_credential]
+        # [START create_blob_service_client_oauth]
         # Get a credential for authentication
         # Default Azure Credentials attempt a chained set of authentication methods, per documentation here: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity
         # For example user (who must be an Azure Event Hubs Data Owner role) to be logged in can be specified by the environment variable AZURE_USERNAME
@@ -147,15 +122,14 @@ async def auth_default_azure_credential(self):
             account_url=self.oauth_url,
             credential=default_credential
         )
-        # [END create_blob_service_client_oauth_default_credential]
+        # [END create_blob_service_client_oauth]
 
         # Get account information for the Blob Service
         account_info = await blob_service_client.get_service_properties()
 
 async def main():
     sample = AuthSamplesAsync()
     await sample.auth_connection_string_async()
-    await sample.auth_active_directory_async()
     await sample.auth_shared_access_signature_async()
     await sample.auth_blob_url_async()
     await sample.auth_default_azure_credential()

sdk/storage/azure-storage-blob/samples/blob_samples_client_side_encryption_keyvault.py

@@ -32,7 +32,7 @@
 import sys
 import uuid
 
-from azure.identity import ClientSecretCredential
+from azure.identity import DefaultAzureCredential
 
 from azure.keyvault.keys.crypto import CryptographyClient, KeyWrapAlgorithm
 from azure.keyvault.keys import KeyVaultKey, KeyType
@@ -89,14 +89,8 @@ def get_kid(self):
 storage_url = get_env_var(STORAGE_URL)
 keyvault_url = get_env_var(KEYVAULT_URL)
 
-# Retrieve service principal values from environment variables
-# The service principal can be created using Azure CLI's `az ad sp create-for-rbac` command.
-tenant_id = get_env_var(TENANT_ID)
-client_id = get_env_var(CLIENT_ID)  # aka appId in AzureCLI
-client_secret = get_env_var(CLIENT_SECRET)  # aka password in AzureCLI
-
 # Construct a token credential for use by Storage and KeyVault clients.
-credential = ClientSecretCredential(tenant_id, client_id, client_secret)
+credential = DefaultAzureCredential()
 secret_client = SecretClient(keyvault_url, credential=credential)
 
 # The secret is url-safe base64 encoded bytes, content type 'application/octet-stream'

sdk/storage/azure-storage-file-datalake/samples/datalake_samples_service.py

@@ -20,9 +20,6 @@
     Set the environment variables with your own values before running the sample:
     1) AZURE_STORAGE_CONNECTION_STRING
     2) STORAGE_ACCOUNT_NAME
-    3) ACTIVE_DIRECTORY_APPLICATION_ID
-    4) ACTIVE_DIRECTORY_APPLICATION_SECRET
-    5) ACTIVE_DIRECTORY_TENANT_ID
 """
 
 import os
@@ -32,9 +29,6 @@ class DataLakeServiceSamples(object):
 
     connection_string = os.environ['AZURE_STORAGE_CONNECTION_STRING']
     account_name = os.getenv('STORAGE_ACCOUNT_NAME', "")
-    active_directory_application_id = os.getenv("ACTIVE_DIRECTORY_APPLICATION_ID")
-    active_directory_application_secret = os.getenv("ACTIVE_DIRECTORY_APPLICATION_SECRET")
-    active_directory_tenant_id = os.getenv("ACTIVE_DIRECTORY_TENANT_ID")
 
     #--Begin DataLake Service Samples-----------------------------------------------------------------
 
@@ -48,12 +42,8 @@ def data_lake_service_sample(self):
 
         # Instantiate a DataLakeServiceClient Azure Identity credentials.
         # [START create_datalake_service_client_oauth]
-        from azure.identity import ClientSecretCredential
-        token_credential = ClientSecretCredential(
-            self.active_directory_tenant_id,
-            self.active_directory_application_id,
-            self.active_directory_application_secret,
-        )
+        from azure.identity import DefaultAzureCredential
+        token_credential = DefaultAzureCredential()
         datalake_service_client = DataLakeServiceClient("https://{}.dfs.core.windows.net".format(self.account_name),
                                                         credential=token_credential)
         # [END create_datalake_service_client_oauth]

sdk/storage/azure-storage-file-datalake/samples/datalake_samples_service_async.py

@@ -20,9 +20,6 @@
     Set the environment variables with your own values before running the sample:
     1) AZURE_STORAGE_CONNECTION_STRING
     2) STORAGE_ACCOUNT_NAME
-    3) ACTIVE_DIRECTORY_APPLICATION_ID
-    4) ACTIVE_DIRECTORY_APPLICATION_SECRET
-    5) ACTIVE_DIRECTORY_TENANT_ID
 """
 
 import asyncio
@@ -31,9 +28,6 @@
 
 connection_string = os.environ['AZURE_STORAGE_CONNECTION_STRING']
 account_name = os.getenv('STORAGE_ACCOUNT_NAME', "")
-active_directory_application_id = os.getenv("ACTIVE_DIRECTORY_APPLICATION_ID")
-active_directory_application_secret = os.getenv("ACTIVE_DIRECTORY_APPLICATION_SECRET")
-active_directory_tenant_id = os.getenv("ACTIVE_DIRECTORY_TENANT_ID")
 
 #--Begin DataLake Service Samples-----------------------------------------------------------------
 
@@ -47,12 +41,8 @@ async def main():
 
     # Instantiate a DataLakeServiceClient Azure Identity credentials.
     # [START create_datalake_service_client_oauth]
-    from azure.identity.aio import ClientSecretCredential
-    token_credential = ClientSecretCredential(
-        active_directory_tenant_id,
-        active_directory_application_id,
-        active_directory_application_secret,
-    )
+    from azure.identity.aio import DefaultAzureCredential
+    token_credential = DefaultAzureCredential()
     datalake_service_client = DataLakeServiceClient("https://{}.dfs.core.windows.net".format(account_name),
                                                     credential=token_credential)
     # [END create_datalake_service_client_oauth]

sdk/storage/azure-storage-queue/azure/storage/queue/_queue_service_client.py

@@ -87,11 +87,11 @@ class QueueServiceClient(StorageAccountHostsMixin, StorageEncryptionMixin):
             :caption: Creating the QueueServiceClient with an account url and credential.
 
         .. literalinclude:: ../samples/queue_samples_authentication.py
-            :start-after: [START create_queue_service_client_token]
-            :end-before: [END create_queue_service_client_token]
+            :start-after: [START create_queue_service_client_oauth]
+            :end-before: [END create_queue_service_client_oauth]
             :language: python
             :dedent: 8
-            :caption: Creating the QueueServiceClient with Azure Identity credentials.
+            :caption: Creating the QueueServiceClient with Default Azure Identity credentials.
     """
 
     def __init__(

sdk/storage/azure-storage-queue/azure/storage/queue/aio/_queue_service_client_async.py

@@ -82,11 +82,11 @@ class QueueServiceClient(AsyncStorageAccountHostsMixin, StorageAccountHostsMixin
             :caption: Creating the QueueServiceClient with an account url and credential.
 
         .. literalinclude:: ../samples/queue_samples_authentication_async.py
-            :start-after: [START async_create_queue_service_client_token]
-            :end-before: [END async_create_queue_service_client_token]
+            :start-after: [START async_create_queue_service_client_oauth]
+            :end-before: [END async_create_queue_service_client_oauth]
             :language: python
             :dedent: 8
-            :caption: Creating the QueueServiceClient with Azure Identity credentials.
+            :caption: Creating the QueueServiceClient with Default Azure Identity credentials.
     """
 
     def __init__(

sdk/storage/azure-storage-queue/samples/queue_samples_authentication.py

@@ -23,9 +23,6 @@
     2) AZURE_STORAGE_ACCOUNT_URL - the queue service account URL
     3) AZURE_STORAGE_ACCOUNT_NAME - the name of the storage account
     4) AZURE_STORAGE_ACCESS_KEY - the storage account access key
-    5) ACTIVE_DIRECTORY_APPLICATION_ID - Azure Active Directory application ID
-    6) ACTIVE_DIRECTORY_APPLICATION_SECRET - Azure Active Directory application secret
-    7) ACTIVE_DIRECTORY_TENANT_ID - Azure Active Directory tenant ID
 """
 
 
@@ -42,10 +39,6 @@ class QueueAuthSamples(object):
     account_name = os.getenv("AZURE_STORAGE_ACCOUNT_NAME")
     access_key = os.getenv("AZURE_STORAGE_ACCESS_KEY")
 
-    active_directory_application_id = os.getenv("ACTIVE_DIRECTORY_APPLICATION_ID")
-    active_directory_application_secret = os.getenv("ACTIVE_DIRECTORY_APPLICATION_SECRET")
-    active_directory_tenant_id = os.getenv("ACTIVE_DIRECTORY_TENANT_ID")
-
     def authentication_by_connection_string(self):
         if self.connection_string is None:
             print("Missing required environment variable(s). Please see specific test for more details." + '\n' +
@@ -76,29 +69,21 @@ def authentication_by_shared_key(self):
         # Get information for the Queue Service
         properties = queue_service.get_service_properties()
 
-    def authentication_by_active_directory(self):
-        if (self.active_directory_tenant_id is None or
-            self.active_directory_application_id is None or
-            self.active_directory_application_secret is None or
-            self.account_url is None
-        ):
+    def authentication_by_oauth(self):
+        if self.account_url is None:
             print("Missing required environment variable(s). Please see specific test for more details." + '\n' +
-                  "Test: authentication_by_active_directory")
+                  "Test: authentication_by_oauth")
             sys.exit(1)
 
-        # [START create_queue_service_client_token]
+        # [START create_queue_service_client_oauth]
         # Get a token credential for authentication
-        from azure.identity import ClientSecretCredential
-        token_credential = ClientSecretCredential(
-            self.active_directory_tenant_id,
-            self.active_directory_application_id,
-            self.active_directory_application_secret
-        )
+        from azure.identity import DefaultAzureCredential
+        token_credential = DefaultAzureCredential()
 
         # Instantiate a QueueServiceClient using a token credential
         from azure.storage.queue import QueueServiceClient
         queue_service = QueueServiceClient(account_url=self.account_url, credential=token_credential)
-        # [END create_queue_service_client_token]
+        # [END create_queue_service_client_oauth]
 
         # Get information for the Queue Service
         properties = queue_service.get_service_properties()
@@ -138,5 +123,5 @@ def authentication_by_shared_access_signature(self):
     sample = QueueAuthSamples()
     sample.authentication_by_connection_string()
     sample.authentication_by_shared_key()
-    sample.authentication_by_active_directory()
+    sample.authentication_by_oauth()
     sample.authentication_by_shared_access_signature()