This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 7689db2cc0 feat(provider/azure): add managed identity support to 
fileshare hook (#35330)
7689db2cc0 is described below

commit 7689db2cc03cae80993a32c55df68a259eaffa52
Author: Wei Lee <[email protected]>
AuthorDate: Wed Nov 1 16:37:01 2023 +0800

    feat(provider/azure): add managed identity support to fileshare hook 
(#35330)
---
 .../providers/microsoft/azure/hooks/fileshare.py   | 36 +++++++++++++++++++---
 .../connections/azure_fileshare.rst                | 11 +++++--
 2 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/airflow/providers/microsoft/azure/hooks/fileshare.py 
b/airflow/providers/microsoft/azure/hooks/fileshare.py
index 9cd1ec78c4..16c7218505 100644
--- a/airflow/providers/microsoft/azure/hooks/fileshare.py
+++ b/airflow/providers/microsoft/azure/hooks/fileshare.py
@@ -19,10 +19,10 @@ from __future__ import annotations
 
 from typing import IO, Any
 
-from azure.identity import DefaultAzureCredential
 from azure.storage.fileshare import FileProperties, ShareDirectoryClient, 
ShareFileClient, ShareServiceClient
 
 from airflow.hooks.base import BaseHook
+from airflow.providers.microsoft.azure.utils import 
get_default_azure_credential
 
 
 class AzureFileShareHook(BaseHook):
@@ -68,6 +68,12 @@ class AzureFileShareHook(BaseHook):
             "connection_string": StringField(
                 lazy_gettext("Connection String (optional)"), 
widget=BS3TextFieldWidget()
             ),
+            "managed_identity_client_id": StringField(
+                lazy_gettext("Managed Identity Client ID"), 
widget=BS3TextFieldWidget()
+            ),
+            "workload_identity_tenant_id": StringField(
+                lazy_gettext("Workload Identity Tenant ID"), 
widget=BS3TextFieldWidget()
+            ),
         }
 
     @staticmethod
@@ -84,6 +90,8 @@ class AzureFileShareHook(BaseHook):
                 "password": "secret",
                 "sas_token": "account url or token (optional)",
                 "connection_string": "account url or token (optional)",
+                "managed_identity_client_id": "Managed Identity Client ID",
+                "workload_identity_tenant_id": "Workload Identity Tenant ID",
             },
         }
 
@@ -113,8 +121,16 @@ class AzureFileShareHook(BaseHook):
             credential = self._sas_token or self._account_access_key
             return ShareServiceClient(account_url=self._account_url, 
credential=credential)
         else:
+            conn = self.get_connection(self._conn_id)
+            extras = conn.extra_dejson
+            managed_identity_client_id = 
extras.get("managed_identity_client_id")
+            workload_identity_tenant_id = 
extras.get("workload_identity_tenant_id")
             return ShareServiceClient(
-                account_url=self._account_url, 
credential=DefaultAzureCredential(), token_intent="backup"
+                account_url=self._account_url,
+                credential=get_default_azure_credential(
+                    managed_identity_client_id, workload_identity_tenant_id
+                ),
+                token_intent="backup",
             )
 
     @property
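Review bot: When only one of `managed_identity_client_id` / `workload_identity_tenant_id` is set in the connection extras, this else branch still calls `get_default_azure_credential` with the other value `None` or empty, while the .rst change in this commit says the values are passed on when both are provided. The helper is not visible here, but if it falls back to a bare DefaultAzureCredential in that case, the hook would authenticate as whatever identity the default chain resolves rather than the one the operator named, and nothing in the log would show it. The same four added lines are repeated in the hunks at `@@ -134,11 +150,17 @@` and `@@ -159,11 +181,17 @@`, so one private helper that reads the extras, warns on a half-filled pair and returns the credential would cover all three places. The enclosing method starts above this hunk.

```python
    def _default_credential(self):
        """Build the DefaultAzureCredential fallback from the connection extras."""
        extras = self.get_connection(self._conn_id).extra_dejson
        client_id = extras.get("managed_identity_client_id")
        tenant_id = extras.get("workload_identity_tenant_id")
        if bool(client_id) != bool(tenant_id):
            # A half-filled pair would otherwise change the resolved identity silently.
            self.log.warning(
                "Only one of managed_identity_client_id / workload_identity_tenant_id is set "
                "on connection %s; verify which identity the credential resolves to.",
                self._conn_id,
            )
        return get_default_azure_credential(client_id, tenant_id)

            # … unchanged: connection-string and SAS-token / access-key branches …
            return ShareServiceClient(
                account_url=self._account_url,
                credential=self._default_credential(),
                token_intent="backup",
            )
```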
@@ -134,11 +150,17 @@ class AzureFileShareHook(BaseHook):
                 credential=credential,
             )
         else:
+            conn = self.get_connection(self._conn_id)
+            extras = conn.extra_dejson
+            managed_identity_client_id = 
extras.get("managed_identity_client_id")
+            workload_identity_tenant_id = 
extras.get("workload_identity_tenant_id")
             return ShareDirectoryClient(
                 account_url=self._account_url,
                 share_name=self.share_name,
                 directory_path=self.directory_path,
-                credential=DefaultAzureCredential(),
+                credential=get_default_azure_credential(
+                    managed_identity_client_id, workload_identity_tenant_id
+                ),
                 token_intent="backup",
             )
 
@@ -159,11 +181,17 @@ class AzureFileShareHook(BaseHook):
                 credential=credential,
             )
         else:
+            conn = self.get_connection(self._conn_id)
+            extras = conn.extra_dejson
+            managed_identity_client_id = 
extras.get("managed_identity_client_id")
+            workload_identity_tenant_id = 
extras.get("workload_identity_tenant_id")
             return ShareFileClient(
                 account_url=self._account_url,
                 share_name=self.share_name,
                 file_path=self.file_path,
-                credential=DefaultAzureCredential(),
+                credential=get_default_azure_credential(
+                    managed_identity_client_id, workload_identity_tenant_id
+                ),
                 token_intent="backup",
             )
 
diff --git 
a/docs/apache-airflow-providers-microsoft-azure/connections/azure_fileshare.rst 
b/docs/apache-airflow-providers-microsoft-azure/connections/azure_fileshare.rst
index 540e259835..4eb57965fe 100644
--- 
a/docs/apache-airflow-providers-microsoft-azure/connections/azure_fileshare.rst
+++ 
b/docs/apache-airflow-providers-microsoft-azure/connections/azure_fileshare.rst
@@ -27,7 +27,7 @@ The Microsoft Azure File Share connection type enables the 
Azure File Share Inte
 Authenticating to Azure File Share
 ----------------------------------
 
-There are four ways to connect to Azure File Share using Airflow.
+There are five ways to connect to Azure File Share using Airflow.
 
 1. Use `token credentials
    
<https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity>`_
@@ -38,7 +38,8 @@ There are four ways to connect to Azure File Share using 
Airflow.
 3. Use a `Connection String
    
<https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string>`_
    i.e. add connection string to ``connection_string`` in the Airflow 
connection.
-4. Fallback on `DefaultAzureCredential`_.
+4. Use managed identity by setting ``managed_identity_client_id``, 
``workload_identity_tenant_id`` (under the hook, it uses 
DefaultAzureCredential_ with these arguments)
+5. Fallback on `DefaultAzureCredential`_.
    This includes a mechanism to try different options to authenticate: Managed 
System Identity, environment variables, authentication through Azure CLI and 
etc.
 
 Only one authorization method can be used at a time. If you need to manage 
multiple credentials or keys then you should
@@ -69,6 +70,8 @@ Extra (optional)
 
     * ``connection_string``: Connection string for use with connection string 
authentication. It can be left out to fall back on DefaultAzureCredential_.
     * ``sas_token``: SAS Token for use with SAS Token authentication. It can 
be left out to fall back on DefaultAzureCredential_.
+    * ``managed_identity_client_id``:  The client ID of a user-assigned 
managed identity. If provided with `workload_identity_tenant_id`, they'll pass 
to DefaultAzureCredential_.
+    * ``workload_identity_tenant_id``: ID of the application's Microsoft Entra 
tenant. Also called its "directory" ID. If provided with 
`managed_identity_client_id`, they'll pass to DefaultAzureCredential_.
 
 When specifying the connection in environment variable you should specify
 it using URI syntax.
@@ -83,3 +86,7 @@ For example connect with token credentials:
 
 
 .. _DefaultAzureCredential: 
https://docs.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python#defaultazurecredential
+
+.. spelling:word-list::
+
+    Entra
