[Tables] Add AAD sample (#33717)

Yalin Li · web-flow · commit d10e62d7276b · 2024-01-09T17:27:40.000-08:00
* Add AAD sample

* Update code snippet in README

* Run black

* Address comments

* Remove SNIPPET annotations

* Run black
diff --git a/sdk/tables/azure-data-tables/README.md b/sdk/tables/azure-data-tables/README.md
@@ -55,6 +55,7 @@ The `credential` parameter may be provided in a number of different forms, depen
 * Shared Key
 * Connection String
 * Shared Access Signature Token
+* TokenCredential(AAD)(Supported on Storage)
 
 ##### Creating the client from a shared key
 To use an account [shared key][azure_shared_key] (aka account key or access key), provide the key as a string. This can be found in your storage account in the [Azure Portal][azure_portal_account_url] under the "Access Keys" section or by running the following Azure CLI command:
@@ -64,13 +65,17 @@ az storage account keys list -g MyResourceGroup -n MyStorageAccount
 ```
 
 Use the key as the credential parameter to authenticate the client:
+
 ```python
-from azure.core.credentials import AzureNamedKeyCredential
 from azure.data.tables import TableServiceClient
+from azure.core.credentials import AzureNamedKeyCredential
 
 credential = AzureNamedKeyCredential("my_account_name", "my_access_key")
-
-service = TableServiceClient(endpoint="https://<my_account_name>.table.core.windows.net", credential=credential)
+with TableServiceClient(
+    endpoint="https://<my_account_name>.table.core.windows.net", credential=credential
+) as table_service_client:
+    properties = table_service_client.get_service_properties()
+    print(f"{properties}")
 ```
 
 ##### Creating the client from a connection string
@@ -92,8 +97,11 @@ Create a client from a connection string:
 
 ```python
 from azure.data.tables import TableServiceClient
+
 connection_string = "AccountName=<my_account_name>;AccountKey=<my_account_key>;EndpointSuffix=<endpoint_suffix>"
-service = TableServiceClient.from_connection_string(conn_str=connection_string)
+with TableServiceClient.from_connection_string(conn_str=connection_string) as table_service_client:
+    properties = table_service_client.get_service_properties()
+    print(f"{properties}")
 ```
 
 ##### Creating the client from a SAS token
@@ -105,16 +113,38 @@ from azure.data.tables import TableServiceClient, generate_account_sas, Resource
 from azure.core.credentials import AzureNamedKeyCredential, AzureSasCredential
 
 credential = AzureNamedKeyCredential("my_account_name", "my_access_key")
+# Create a SAS token to use for authentication of a client
 sas_token = generate_account_sas(
     credential,
     resource_types=ResourceTypes(service=True),
     permission=AccountSasPermissions(read=True),
     expiry=datetime.utcnow() + timedelta(hours=1),
 )
 
-table_service_client = TableServiceClient(endpoint="https://<my_account_name>.table.core.windows.net", credential=AzureSasCredential(sas_token))
+with TableServiceClient(
+    endpoint="https://<my_account_name>.table.core.windows.net", credential=AzureSasCredential(sas_token)
+) as table_service_client:
+    properties = table_service_client.get_service_properties()
+    print(f"{properties}")
 ```
 
+##### Creating the client from a TokenCredential
+Azure Tables provides integration with Azure Active Directory(Azure AD) for identity-based authentication of requests to the Table service when targeting a Storage endpoint. With Azure AD, you can use role-based access control(RBAC) to grant access to your Azure Table resources to users, groups, or applications.
+
+To access a table resource with a TokenCredential, the authenticated identity should have either the "Storage Table Data Contributor" or "Storage Table Data Reader" role.
+
+With the `azure-identity` package, you can seamlessly authorize requests in both development and production environments. To learn more about Azure AD integration in Azure Storage, see the [azure-identity README](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md)
+
+```python
+from azure.data.tables import TableServiceClient
+from azure.identity import DefaultAzureCredential
+
+with TableServiceClient(
+    endpoint="https://<my_account_name>.table.core.windows.net", credential=DefaultAzureCredential()
+) as table_service_client:
+    properties = table_service_client.get_service_properties()
+    print(f"{properties}")
+```
 
 ## Key concepts
 Common uses of the Table service included:
@@ -223,7 +253,7 @@ table_client = TableClient.from_connection_string(conn_str="<connection_string>"
 entities = table_client.query_entities(my_filter)
 for entity in entities:
     for key in entity.keys():
-        print("Key: {}, Value: {}".format(key, entity[key]))
+        print(f"Key: {key}, Value: {entity[key]}")
 ```
 
 ## Optional Configuration
@@ -283,7 +313,7 @@ tc = service_client.create_table_if_not_exists(table_name)
 try:
     service_client.create_table(table_name)
 except HttpResponseError:
-    print("Table with name {} already exists".format(table_name))
+    print(f"Table with name {table_name} already exists")
 ```
 
 ### Logging
diff --git a/sdk/tables/azure-data-tables/samples/async_samples/sample_authentication_async.py b/sdk/tables/azure-data-tables/samples/async_samples/sample_authentication_async.py
@@ -15,6 +15,7 @@
         * shared access key
         * generating a sas token with which the returned signature can be used with
     the credential parameter of any TableServiceClient or TableClient
+        * Azure Active Directory(AAD)
 
 USAGE:
     python sample_authentication_async.py
@@ -23,9 +24,13 @@
     1) TABLES_STORAGE_ENDPOINT_SUFFIX - the Table service account URL suffix
     2) TABLES_STORAGE_ACCOUNT_NAME - the name of the storage account
     3) TABLES_PRIMARY_STORAGE_ACCOUNT_KEY - the storage account access key
+    The following environment variables are required for using azure-identity's DefaultAzureCredential.
+    For more information, please refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential
+    4) AZURE_TENANT_ID - the tenant ID in Azure Active Directory
+    5) AZURE_CLIENT_ID - the application (client) ID registered in the AAD tenant
+    6) AZURE_CLIENT_SECRET - the client secret for the registered application
 """
 
-from datetime import datetime, timedelta
 import os
 import asyncio
 from dotenv import find_dotenv, load_dotenv
@@ -41,38 +46,37 @@ def __init__(self):
         self.connection_string = f"DefaultEndpointsProtocol=https;AccountName={self.account_name};AccountKey={self.access_key};EndpointSuffix={self.endpoint_suffix}"
 
     async def authentication_by_connection_string(self):
-        # Instantiate a TableServiceClient using a connection string
+        print("Instantiate a TableServiceClient using a connection string")
         # [START auth_from_connection_string]
         from azure.data.tables.aio import TableServiceClient
 
-        async with TableServiceClient.from_connection_string(conn_str=self.connection_string) as table_service:
-            properties = await table_service.get_service_properties()
-            print(f"Connection String: {properties}")
+        async with TableServiceClient.from_connection_string(conn_str=self.connection_string) as table_service_client:
+            properties = await table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_from_connection_string]
 
     async def authentication_by_shared_key(self):
-        # Instantiate a TableServiceClient using a shared access key
+        print("Instantiate a TableServiceClient using a shared access key")
         # [START auth_from_shared_key]
         from azure.data.tables.aio import TableServiceClient
         from azure.core.credentials import AzureNamedKeyCredential
 
         credential = AzureNamedKeyCredential(self.account_name, self.access_key)
-        async with TableServiceClient(endpoint=self.endpoint, credential=credential) as table_service:
-            properties = await table_service.get_service_properties()
-            print(f"Shared Key: {properties}")
+        async with TableServiceClient(endpoint=self.endpoint, credential=credential) as table_service_client:
+            properties = await table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_from_shared_key]
 
     async def authentication_by_shared_access_signature(self):
-        # Instantiate a TableServiceClient using a connection string
+        print("Instantiate a TableServiceClient using a connection string")
         # [START auth_by_sas]
+        from datetime import datetime, timedelta
         from azure.data.tables.aio import TableServiceClient
-        from azure.core.credentials import AzureNamedKeyCredential, AzureSasCredential
-
-        # Create a SAS token to use for authentication of a client
         from azure.data.tables import generate_account_sas, ResourceTypes, AccountSasPermissions
+        from azure.core.credentials import AzureNamedKeyCredential, AzureSasCredential
 
-        print(f"Account name: {self.account_name}")
         credential = AzureNamedKeyCredential(self.account_name, self.access_key)
+        # Create a SAS token to use for authentication of a client
         sas_token = generate_account_sas(
             credential,
             resource_types=ResourceTypes(service=True),
@@ -82,17 +86,31 @@ async def authentication_by_shared_access_signature(self):
 
         async with TableServiceClient(
             endpoint=self.endpoint, credential=AzureSasCredential(sas_token)
-        ) as token_auth_table_service:
-            properties = await token_auth_table_service.get_service_properties()
-            print(f"Shared Access Signature: {properties}")
+        ) as table_service_client:
+            properties = await table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_by_sas]
 
+    async def authentication_by_AAD(self):
+        print("Instantiate a TableServiceClient using a TokenCredential")
+        # [START auth_from_aad]
+        from azure.data.tables.aio import TableServiceClient
+        from azure.identity.aio import DefaultAzureCredential
+
+        async with TableServiceClient(
+            endpoint=self.endpoint, credential=DefaultAzureCredential()
+        ) as table_service_client:
+            properties = await table_service_client.get_service_properties()
+            print(f"{properties}")
+        # [END auth_from_aad]
+
 
 async def main():
     sample = TableAuthSamples()
     await sample.authentication_by_connection_string()
     await sample.authentication_by_shared_key()
     await sample.authentication_by_shared_access_signature()
+    await sample.authentication_by_AAD()
 
 
 if __name__ == "__main__":
diff --git a/sdk/tables/azure-data-tables/samples/sample_authentication.py b/sdk/tables/azure-data-tables/samples/sample_authentication.py
@@ -15,6 +15,7 @@
         * shared access key
         * generating a sas token with which the returned signature can be used with
     the credential parameter of any TableServiceClient or TableClient
+        * Azure Active Directory(AAD)
 
 USAGE:
     python sample_authentication.py
@@ -23,9 +24,13 @@
     1) TABLES_STORAGE_ENDPOINT_SUFFIX - the Table service account URL suffix
     2) TABLES_STORAGE_ACCOUNT_NAME - the name of the storage account
     3) TABLES_PRIMARY_STORAGE_ACCOUNT_KEY - the storage account access key
+    The following environment variables are required for using azure-identity's DefaultAzureCredential.
+    For more information, please refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential
+    4) AZURE_TENANT_ID - the tenant ID in Azure Active Directory
+    5) AZURE_CLIENT_ID - the application (client) ID registered in the AAD tenant
+    6) AZURE_CLIENT_SECRET - the client secret for the registered application
 """
 
-from datetime import datetime, timedelta
 import os
 from dotenv import find_dotenv, load_dotenv
 
@@ -40,39 +45,36 @@ def __init__(self):
         self.connection_string = f"DefaultEndpointsProtocol=https;AccountName={self.account_name};AccountKey={self.access_key};EndpointSuffix={self.endpoint_suffix}"
 
     def authentication_by_connection_string(self):
-        # Instantiate a TableServiceClient using a connection string
+        print("Instantiate a TableServiceClient using a connection string")
         # [START auth_from_connection_string]
         from azure.data.tables import TableServiceClient
 
-        with TableServiceClient.from_connection_string(conn_str=self.connection_string) as table_service:
-            properties = table_service.get_service_properties()
-            print(f"Connection String: {properties}")
+        with TableServiceClient.from_connection_string(conn_str=self.connection_string) as table_service_client:
+            properties = table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_from_connection_string]
 
     def authentication_by_shared_key(self):
-        # Instantiate a TableServiceClient using a shared access key
+        print("Instantiate a TableServiceClient using a shared access key")
         # [START auth_from_shared_key]
         from azure.data.tables import TableServiceClient
         from azure.core.credentials import AzureNamedKeyCredential
 
         credential = AzureNamedKeyCredential(self.account_name, self.access_key)
-        with TableServiceClient(endpoint=self.endpoint, credential=credential) as table_service:
-            properties = table_service.get_service_properties()
-            print(f"Shared Key: {properties}")
+        with TableServiceClient(endpoint=self.endpoint, credential=credential) as table_service_client:
+            properties = table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_from_shared_key]
 
     def authentication_by_shared_access_signature(self):
-        # Instantiate a TableServiceClient using a shared access signature
-
+        print("Instantiate a TableServiceClient using a shared access signature")
         # [START auth_from_sas]
-        from azure.data.tables import TableServiceClient
+        from datetime import datetime, timedelta
+        from azure.data.tables import TableServiceClient, generate_account_sas, ResourceTypes, AccountSasPermissions
         from azure.core.credentials import AzureNamedKeyCredential, AzureSasCredential
 
-        # Create a SAS token to use for authentication of a client
-        from azure.data.tables import generate_account_sas, ResourceTypes, AccountSasPermissions
-
-        print(f"Account name: {self.account_name}")
         credential = AzureNamedKeyCredential(self.account_name, self.access_key)
+        # Create a SAS token to use for authentication of a client
         sas_token = generate_account_sas(
             credential,
             resource_types=ResourceTypes(service=True),
@@ -82,14 +84,26 @@ def authentication_by_shared_access_signature(self):
 
         with TableServiceClient(
             endpoint=self.endpoint, credential=AzureSasCredential(sas_token)
-        ) as token_auth_table_service:
-            properties = token_auth_table_service.get_service_properties()
-            print(f"Shared Access Signature: {properties}")
+        ) as table_service_client:
+            properties = table_service_client.get_service_properties()
+            print(f"{properties}")
         # [END auth_from_sas]
 
+    def authentication_by_AAD(self):
+        print("Instantiate a TableServiceClient using a TokenCredential")
+        # [START auth_from_aad]
+        from azure.data.tables import TableServiceClient
+        from azure.identity import DefaultAzureCredential
+
+        with TableServiceClient(endpoint=self.endpoint, credential=DefaultAzureCredential()) as table_service_client:
+            properties = table_service_client.get_service_properties()
+            print(f"{properties}")
+        # [END auth_from_aad]
+
 
 if __name__ == "__main__":
     sample = TableAuthSamples()
     sample.authentication_by_connection_string()
     sample.authentication_by_shared_key()
     sample.authentication_by_shared_access_signature()
+    sample.authentication_by_AAD()
