[aztables] Fix the token audiences of aztables for sovereign clouds (#25534)

xumou-ms · web-flow · commit 663da8762fca · 2025-11-13T10:27:42.000-08:00
Fix the token audiences of aztables in sovereign cloud. Unlike Cosmos, Azure Storage uses the same audience for all clouds, sovereign and public. Fixes #25542
diff --git a/sdk/data/aztables/CHANGELOG.md b/sdk/data/aztables/CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+* Fix an issue that the Storage Table token audiences for sovereign clouds are incorrect.
 
 ### Other Changes
 
diff --git a/sdk/data/aztables/cloud_config.go b/sdk/data/aztables/cloud_config.go
@@ -11,13 +11,15 @@ import "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 const ServiceName cloud.ServiceName = "data/aztables"
 
 func init() {
+	// for Azure Table Storage endpoints, these values are ignored as the audience is always "https://storage.azure.com"
+	// for Cosmos endpoints, we will use the audiences as specified here
 	cloud.AzureChina.Services[ServiceName] = cloud.ServiceConfiguration{
-		Audience: "https://storage.azure.cn",
+		Audience: "https://cosmos.azure.cn",
 	}
 	cloud.AzureGovernment.Services[ServiceName] = cloud.ServiceConfiguration{
-		Audience: "https://storage.azure.us",
+		Audience: "https://cosmos.azure.us",
 	}
 	cloud.AzurePublic.Services[ServiceName] = cloud.ServiceConfiguration{
-		Audience: "https://storage.azure.com",
+		Audience: "https://cosmos.azure.com",
 	}
 }
diff --git a/sdk/data/aztables/service_client.go b/sdk/data/aztables/service_client.go
@@ -39,9 +39,10 @@ func NewServiceClient(serviceURL string, cred azcore.TokenCredential, options *C
 		return nil, errors.New("cloud configuration is missing for Azure Tables")
 	}
 
-	audience := cfg.Audience
+	// unlike Cosmos, Azure Table Storage uses the same audience for all clouds, public and sovereign.
+	audience := "https://storage.azure.com"
 	if isCosmosEndpoint(serviceURL) {
-		audience = strings.Replace(audience, "storage", "cosmos", 1)
+		audience = cfg.Audience
 	}
 
 	plOpts := runtime.PipelineOptions{
diff --git a/sdk/data/aztables/service_client_test.go b/sdk/data/aztables/service_client_test.go
@@ -482,7 +482,7 @@ func TestNewServiceClient_sovereignClouds(t *testing.T) {
 		{
 			label:    "storage China",
 			endpoint: "https://myAccountName.table.core.windows.net",
-			scope:    "https://storage.azure.cn/.default",
+			scope:    "https://storage.azure.com/.default",
 			cfg:      cloud.AzureChina,
 		},
 		{
@@ -494,7 +494,7 @@ func TestNewServiceClient_sovereignClouds(t *testing.T) {
 		{
 			label:    "storage USGov",
 			endpoint: "https://myAccountName.table.core.windows.net",
-			scope:    "https://storage.azure.us/.default",
+			scope:    "https://storage.azure.com/.default",
 			cfg:      cloud.AzureGovernment,
 		},
 		{

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,15 @@ import "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"`
`11`	`11`	`const ServiceName cloud.ServiceName = "data/aztables"`
`12`	`12`
`13`	`13`	`func init() {`
	`14`	`+ // for Azure Table Storage endpoints, these values are ignored as the audience is always "https://storage.azure.com"`
	`15`	`+ // for Cosmos endpoints, we will use the audiences as specified here`
`14`	`16`	`cloud.AzureChina.Services[ServiceName] = cloud.ServiceConfiguration{`
`15`		`- Audience: "https://storage.azure.cn",`
	`17`	`+ Audience: "https://cosmos.azure.cn",`
`16`	`18`	`}`
`17`	`19`	`cloud.AzureGovernment.Services[ServiceName] = cloud.ServiceConfiguration{`
`18`		`- Audience: "https://storage.azure.us",`
	`20`	`+ Audience: "https://cosmos.azure.us",`
`19`	`21`	`}`
`20`	`22`	`cloud.AzurePublic.Services[ServiceName] = cloud.ServiceConfiguration{`
`21`		`- Audience: "https://storage.azure.com",`
	`23`	`+ Audience: "https://cosmos.azure.com",`
`22`	`24`	`}`
`23`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,10 @@ func NewServiceClient(serviceURL string, cred azcore.TokenCredential, options *C`
`39`	`39`	`return nil, errors.New("cloud configuration is missing for Azure Tables")`
`40`	`40`	`}`
`41`	`41`
`42`		`- audience := cfg.Audience`
	`42`	`+ // unlike Cosmos, Azure Table Storage uses the same audience for all clouds, public and sovereign.`
	`43`	`+ audience := "https://storage.azure.com"`
`43`	`44`	`if isCosmosEndpoint(serviceURL) {`
`44`		`- audience = strings.Replace(audience, "storage", "cosmos", 1)`
	`45`	`+ audience = cfg.Audience`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`plOpts := runtime.PipelineOptions{`
Original file line number	Diff line number	Diff line change
`@@ -482,7 +482,7 @@ func TestNewServiceClient_sovereignClouds(t *testing.T) {`
`482`	`482`	`{`
`483`	`483`	`label: "storage China",`
`484`	`484`	`endpoint: "https://myAccountName.table.core.windows.net",`
`485`		`- scope: "https://storage.azure.cn/.default",`
	`485`	`+ scope: "https://storage.azure.com/.default",`
`486`	`486`	`cfg: cloud.AzureChina,`
`487`	`487`	`},`
`488`	`488`	`{`
`@@ -494,7 +494,7 @@ func TestNewServiceClient_sovereignClouds(t *testing.T) {`
`494`	`494`	`{`
`495`	`495`	`label: "storage USGov",`
`496`	`496`	`endpoint: "https://myAccountName.table.core.windows.net",`
`497`		`- scope: "https://storage.azure.us/.default",`
	`497`	`+ scope: "https://storage.azure.com/.default",`
`498`	`498`	`cfg: cloud.AzureGovernment,`
`499`	`499`	`},`
`500`	`500`	`{`