
Improved login support for AzCopy commands (with in memory secret store)

Narasimha Kulkarni edited this page May 23, 2023 · 2 revisions

Introduction

Starting with AzCopy 10.7.0, the make, list, copy, and sync commands can authenticate to Azure Storage by picking up Azure Active Directory credentials from environment variables, without first invoking the login command. AzCopy does not store the AAD token on disk and discards it when the AzCopy operation ends. Note that these credentials cannot be used to authenticate to Azure Files, which still requires a SAS token.

By default, AzCopy attempts to log in to the default tenant, using the AAD endpoint for the Azure public cloud (https://login.microsoftonline.com). To override either, set the environment variables AZCOPY_TENANT_ID and AZCOPY_ACTIVE_DIRECTORY_ENDPOINT accordingly.

Using a Service Principal

Set the environment variable "AZCOPY_AUTO_LOGIN_TYPE" to "SPN" and "AZCOPY_SPA_APPLICATION_ID" to the application (client) ID of the Service Principal used to log in.

export AZCOPY_AUTO_LOGIN_TYPE="SPN"
export AZCOPY_SPA_APPLICATION_ID=<>

Then supply exactly one credential for the Service Principal:

  • To use a client secret, set "AZCOPY_SPA_CLIENT_SECRET" to the client secret.
    export AZCOPY_SPA_CLIENT_SECRET=<>
  • To use a certificate, set "AZCOPY_SPA_CERT_PATH" to the certificate path, and "AZCOPY_SPA_CERT_PASSWORD" to the password used to decrypt the certificate.
    export AZCOPY_SPA_CERT_PATH=/path/to/cert
    export AZCOPY_SPA_CERT_PASSWORD=<>

Subsequent AzCopy invocations in that environment will use these credentials, and the following messages are printed.

[user@machine:~]$ azcopy list https://<account>.blob.core.windows.net
INFO: SPN Auth via secret succeeded.
INFO: Authenticating to destination using Azure AD

Using a Managed Identity

Set the environment variable "AZCOPY_AUTO_LOGIN_TYPE" to "MSI". If you are using a system-assigned identity, nothing else is needed.
To authenticate with a user-assigned identity, identify it with one of the following variables:

  • To use Client ID of user-assigned identity, set "AZCOPY_MSI_CLIENT_ID"
  • To use Object ID, set "AZCOPY_MSI_OBJECT_ID"
  • To use Resource string, set "AZCOPY_MSI_RESOURCE_STRING"

You can verify by invoking any AzCopy command.

[user@azurevm:~]$ azcopy list https://<account>.blob.core.windows.net
INFO: Login with identity succeeded.
INFO: Authenticating to destination using Azure AD

Authenticate as a user

[user@machine:~]$ export AZCOPY_AUTO_LOGIN_TYPE=DEVICE
[user@machine:~]$ azcopy list https://<account>.blob.core.windows.net
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AWRKVXE8P to authenticate.

INFO: Logging in under the "Common" tenant. This will log the account in under its home tenant.
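Because every login type on this page is driven purely by environment variables, a misconfiguration (for example, an SPN with both a client secret and a certificate set, or an MSI block naming two different user-assigned identities) is only discovered when the command fails against the storage endpoint. The script below is an added example, not AzCopy's own code: a POSIX shell pre-flight check over the SPN, MSI and DEVICE variables documented above, plus a wrapper that scopes an SPN client secret to a single command so the secret never becomes part of the interactive shell's environment or history. The rules it enforces (exactly one SPN credential, at most one user-assigned identity selector, a readable certificate file) are this example's own assumptions about a sane configuration, not documented AzCopy behaviour; azcopy_login_preflight, run_with_spn and the secret file path are hypothetical names.

```shell
#!/bin/sh
# Pre-flight check for AzCopy auto-login environment variables.
# Added example; variable names follow the AzCopy wiki page above,
# the validation rules are this example's own assumptions.

# azcopy_login_preflight: return 0 when the environment describes one
# complete login configuration, 1 otherwise (reason on stderr).
azcopy_login_preflight() {
    case "${AZCOPY_AUTO_LOGIN_TYPE:-}" in
        SPN)
            if [ -z "${AZCOPY_SPA_APPLICATION_ID:-}" ]; then
                echo "SPN: AZCOPY_SPA_APPLICATION_ID is not set" >&2; return 1
            fi
            # Assumption: a secret and a certificate at the same time is ambiguous; reject it.
            if [ -n "${AZCOPY_SPA_CLIENT_SECRET:-}" ] && [ -n "${AZCOPY_SPA_CERT_PATH:-}" ]; then
                echo "SPN: set either AZCOPY_SPA_CLIENT_SECRET or AZCOPY_SPA_CERT_PATH, not both" >&2; return 1
            fi
            if [ -n "${AZCOPY_SPA_CERT_PATH:-}" ]; then
                if [ ! -r "${AZCOPY_SPA_CERT_PATH}" ]; then
                    echo "SPN: certificate ${AZCOPY_SPA_CERT_PATH} is not readable" >&2; return 1
                fi
                return 0
            fi
            if [ -n "${AZCOPY_SPA_CLIENT_SECRET:-}" ]; then
                return 0
            fi
            echo "SPN: neither AZCOPY_SPA_CLIENT_SECRET nor AZCOPY_SPA_CERT_PATH is set" >&2; return 1
            ;;
        MSI)
            # System-assigned identity needs no selector; a user-assigned one needs exactly one.
            n=0
            [ -n "${AZCOPY_MSI_CLIENT_ID:-}" ] && n=$((n + 1))
            [ -n "${AZCOPY_MSI_OBJECT_ID:-}" ] && n=$((n + 1))
            [ -n "${AZCOPY_MSI_RESOURCE_STRING:-}" ] && n=$((n + 1))
            if [ "$n" -gt 1 ]; then
                echo "MSI: more than one user-assigned identity selector is set" >&2; return 1
            fi
            return 0
            ;;
        DEVICE)
            return 0
            ;;
        "")
            echo "AZCOPY_AUTO_LOGIN_TYPE is not set" >&2; return 1
            ;;
        *)
            echo "unknown AZCOPY_AUTO_LOGIN_TYPE: ${AZCOPY_AUTO_LOGIN_TYPE}" >&2; return 1
            ;;
    esac
}

# run_with_spn APP_ID SECRET_FILE COMMAND...
# Runs COMMAND in a subshell whose environment carries the SPN credentials.
# The secret is read from a file (keep it mode 0600) rather than typed on the
# command line, and it is gone from the parent shell when the subshell exits.
run_with_spn() {
    (
        export AZCOPY_AUTO_LOGIN_TYPE=SPN
        export AZCOPY_SPA_APPLICATION_ID="$1"
        AZCOPY_SPA_CLIENT_SECRET="$(cat "$2")"
        export AZCOPY_SPA_CLIENT_SECRET
        azcopy_login_preflight || exit 1
        shift 2
        "$@"
    )
}

# Example invocation (hypothetical app ID and secret path):
#   run_with_spn 00000000-0000-0000-0000-000000000000 ~/.azcopy-spn-secret \
#       azcopy list https://<account>.blob.core.windows.net
```

The subshell wrapper is the practical point: a credential exported in an interactive shell is inherited by every later child process and is readable from that process's environment by anything running as the same user, so scoping it to one azcopy invocation limits that exposure.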