Service principal authentication support instead of account key connection string

Created on 14 December 2022, over 2 years ago
Updated 11 February 2025, 7 months ago

Problem/Motivation

Service principal authentication is a more secure approach than using account key authentication when connecting to an Azure Blob storage account. It would be great if this module could support a service principal option instead of directly using the account key.

Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇮🇳India SHIJU JOHN

Comments & Activities

  • 🇬🇧United Kingdom siliconmeadow

    I'm looking at this now with the potential of using the Azure Key Vault module and the service it provides so service principal authentication can be used. Just looking at the feasibility at this stage.

  • 🇬🇧United Kingdom siliconmeadow

    Hi,

    I’ve been working on support for Service Principal authentication using Azure’s REST API instead of the archived/unsupported microsoft/azure-storage-blob library.

    I’d like to propose that this work forms the basis for a new 8.x-3.x branch, as it introduces a REST-first architecture and aligns with the project’s own roadmap goal of supporting private containers.

    Here’s a quick outline of what this new branch includes:

    - A new AzBlobAuthService class to acquire Bearer tokens via Azure AD using client credentials.

    - A new AzBlobRestClient to perform PUT, GET, HEAD, and DELETE operations directly against Azure Blob Storage using the REST API.

    - Updates to the config form and schema to support toggling between sas and service_principal authentication methods.

    - Dependency injection of a dedicated logger.channel.az_blob_fs for modern PSR-3-compatible logging.

    - An AzBlobTestController with routes for verifying upload, download, delete, and existence checks using the new flow (will probably remove that later once the service principal requests are using the stream wrapper).

    - No changes made to existing SDK-based logic, keeping things stable for current users.

    I’ve pushed the full implementation to the 8.x-3.x-dev branch on my fork:
    https://git.drupalcode.org/issue/az_blob_fs-3327278

    Why a 3.x Branch?
    Creating a 3.x branch for this REST-based approach would:

    - Help prevent disruption to users of the current SDK-based system (2.x).

    - Provide a home for continued REST-first development, including full stream wrapper replacement and removal of the deprecated library.

    - Make it easier for others to test and contribute incrementally without conflicting with 2.x stability.

    Happy to follow any process you need to enable this. Let me know if you'd prefer a patch version of this work in the meantime.

    Thanks again for maintaining this module — it’s much appreciated!
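As an added example (not the module's code or siliconmeadow's branch), the two steps the outline above describes, in plain PHP with curl: a client-credentials token request to Azure AD for the Storage resource scope, then a Put Blob request that presents the token as a Bearer header instead of an account key. Tenant id, client id and secret, storage account, container and blob name are assumed inputs; the function names are illustrative only.

```php
<?php
// Added example, not the az_blob_fs module's code. Inputs are assumptions.

function acquireStorageToken(string $tenantId, string $clientId, string $clientSecret): string {
  $ch = curl_init("https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token");
  curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS => http_build_query([
      'grant_type' => 'client_credentials',
      'client_id' => $clientId,
      'client_secret' => $clientSecret,
      // Storage resource scope. The principal still needs an RBAC role such as
      // "Storage Blob Data Contributor" on the container or account to write.
      'scope' => 'https://storage.azure.com/.default',
    ]),
  ]);
  $body = curl_exec($ch);
  $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
  curl_close($ch);
  if ($body === false || $status !== 200) {
    throw new RuntimeException("Token request failed with HTTP {$status}");
  }
  $data = json_decode($body, true);
  if (empty($data['access_token'])) {
    throw new RuntimeException('Token response did not contain access_token');
  }
  return $data['access_token'];
}

function putBlockBlob(string $token, string $account, string $container, string $blob, string $content): int {
  $url = "https://{$account}.blob.core.windows.net/{$container}/" . rawurlencode($blob);
  $ch = curl_init($url);
  curl_setopt_array($ch, [
    CURLOPT_CUSTOMREQUEST => 'PUT',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS => $content,
    CURLOPT_HTTPHEADER => [
      "Authorization: Bearer {$token}",
      'x-ms-version: 2020-10-02',      // bearer auth needs 2017-11-09 or later
      'x-ms-blob-type: BlockBlob',
      'x-ms-date: ' . gmdate('D, d M Y H:i:s \G\M\T'),
    ],
  ]);
  curl_exec($ch);
  $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
  curl_close($ch);
  return $status; // 201 Created on success
}
```

Read the client secret from the Key module or an environment variable rather than module config, and treat anything other than 201 from putBlockBlob as a failure to log via the dedicated channel.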

  • 🇬🇧United Kingdom siliconmeadow

    siliconmeadow changed the visibility of the branch 8.x-3.x-dev to hidden.

  • First commit to issue fork.
  • 🇬🇧United Kingdom siliconmeadow

    siliconmeadow changed the visibility of the branch 3327278-service_principal_v2 to hidden.
