Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot use AZCOPY_OAUTH_TOKEN_INFO to auth in 10.21.0 version #2434

Closed
RobinLin666 opened this issue Oct 30, 2023 · 7 comments · Fixed by #2475
Closed

Cannot use AZCOPY_OAUTH_TOKEN_INFO to auth in 10.21.0 version #2434

RobinLin666 opened this issue Oct 30, 2023 · 7 comments · Fixed by #2475
Assignees
@siminsavani-msft
Labels
bug fixed-in-dev

Comments

@RobinLin666
Copy link

RobinLin666 commented Oct 30, 2023
edited
Loading

Which version of the AzCopy was used?

10.21.0

Note: The version is visible when running AzCopy without any argument

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

Note: Please remove the SAS to avoid exposing your credentials. If you cannot remember the exact command, please retrieve it from the beginning of the log file.

In Fabric notebook, I want to use azcopy via 'AZCOPY_OAUTH_TOKEN_INFO'. 10.18.1 works, but 10.21.0 breaks.

import os
from trident_token_library_wrapper import PyTridentTokenLibrary
aad_token = PyTridentTokenLibrary.get_access_token("storage")
import jwt, json
token = aad_token
token_json = jwt.decode(token, algorithms='RS256', options={"verify_signature": False})
# token = token[1:]
token_info = {
    "access_token": token,
    "token_type": "Bearer",
    "not_before": token_json.get("nbf", ""),
    "expires_on": token_json.get("exp", ""),
    "expires_in": str(
        int(float(token_json.get("exp", "0")) - float(token_json.get("nbf", "0")))),
    "resource": "https://storage.azure.com",
    "_token_refresh_source": "tokenstore"
}
os.environ.setdefault("AZCOPY_OAUTH_TOKEN_INFO", json.dumps(token_info))

!azcopy list 'https://xxx.blob.core.windows.net/'

What problem was encountered?

INFO: AZCOPY_OAUTH_TOKEN_INFO is set.
INFO: Autologin not specified.
INFO: Authenticating to source using Azure AD

failed to traverse container: cannot list files due to reason no cached token found in Token Store Mode(SE), failed to find token from gnome keyring, Not implemented

How can we reproduce the problem in the simplest way?

Have you found a mitigation/solution?
@siminsavani-msft
Copy link
Contributor

Thank you for reporting this! We are taking a look at this.

@siminsavani-msft
Copy link
Contributor

Hi @RobinLin666 ! AZCOPY_OAUTH_TOKEN_INFO is for internal usage only, see the comment from the AzCopy codebase below.

azure-storage-azcopy/common/environment.go

Lines 309 to 312 in 7f3ebae

// OAuthTokenInfo is only used for internal integration.
func (EnvironmentVariable) OAuthTokenInfo() EnvironmentVariable {
return EnvironmentVariable{Name: "AZCOPY_OAUTH_TOKEN_INFO"}
}

With this being said, was this working for you in previous versions?

Additionally, we recommend all our customers follow this documentation (https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory) in regard to authorizing with AzCopy.

@RobinLin666
Copy link
Author

Hi @siminsavani-msft,
Thank you very much for your reply!
I have read the doc but I didn't find a way to authorizing with AAD Token.

This is how I use it in v10.18.1.

import os
aad_token = mssparkutils.credential.getToken("storage")
import jwt, json
token = aad_token
token_json = jwt.decode(token, algorithms='RS256', options={"verify_signature": False})
print(token_json)
# token = token[1:]
token_info = {
    "access_token": token,
    "token_type": "Bearer",
    "not_before": token_json.get("nbf", ""),
    "expires_on": token_json.get("exp", ""),
    "expires_in": str(
        int(float(token_json.get("exp", "0")) - float(token_json.get("nbf", "0")))),
    "resource": "https://storage.azure.com",
    "_token_refresh_source": "tokenstore"
}
os.environ.setdefault("AZCOPY_OAUTH_TOKEN_INFO", json.dumps(token_info))
 
# run bash shell
!azcopy list https://xxx.blob.core.windows.net/xxx

@siminsavani-msft
Copy link
Contributor

siminsavani-msft commented Nov 7, 2023
edited
Loading

@RobinLin666 AAD has been renamed to Entra ID. The documentation contains the latest way to authorize with AzCopy. I would recommend checking out the managed identity or service principal sections of the doc.

I'll continue investigating the AZCOPY_OAUTH_TOKEN_INFO and update this thread accordingly. In the meantime, I would recommend updating your script to use the suggested methods.

@RobinLin666
Copy link
Author

Thank you very much, I will check the doc.

@siminsavani-msft
Copy link
Contributor

Just an update, I was able to repro your issue and have marked this as a bug.

We will continue working on this issue and update the thread with a fix in the next few upcoming releases.

@siminsavani-msft siminsavani-msft self-assigned this Nov 8, 2023
@nakulkar-msft nakulkar-msft linked a pull request Dec 1, 2023 that will close this issue
Fix tokenstore credential #2475
Merged
@gapra-msft
Copy link
Member

The 10.22.0 version was just released and the above PR was included in the release. Closing this issue as a result.

Please feel free to open a new issue if you are experiencing any issues with latest AzCopy and we are happy to help.

@BrewTestBot BrewTestBot mentioned this issue Dec 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@siminsavani-msft siminsavani-msft

Labels
bug fixed-in-dev
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix tokenstore credential Azure/azure-storage-azcopy
3 participants
@gapra-msft @siminsavani-msft @RobinLin666