Merge pull request #233553 from scottaddie/scottaddie/blob-storage-migration

v-regandowner · web-flow · commit 47275d64c263 · 2023-04-05T18:04:48.000-04:00
Add Java, Node.js, and Python guidance to Blob Storage migration guide
diff --git a/articles/storage/common/migrate-azure-credentials.md b/articles/storage/common/migrate-azure-credentials.md
@@ -5,17 +5,16 @@ description: Learn to migrate existing applications away from Shared Key authori
 author: alexwolfmsft
 ms.author: alexwolf
 ms.reviewer: randolphwest
-ms.date: 12/07/2022
+ms.date: 04/05/2023
 ms.service: storage
 ms.subservice: common
 ms.topic: how-to
 ms.custom: devx-track-csharp, passwordless-java, passwordless-js, passwordless-python, passwordless-dotnet, devx-track-azurecli, devx-track-azurepowershell
-ms.devlang: csharp
 ---
 
 # Migrate an application to use passwordless connections with Azure Storage
 
-Application requests to Azure Storage must be authenticated using either account access keys or passwordless connections. However, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use passwords or secret keys create additional security risks and complications. Visit the [passwordless connections for Azure services](/azure/developer/intro/passwordless-overview) hub to learn more about the advantages of moving to passwordless connections.
+Application requests to Azure Storage must be authenticated using either account access keys or passwordless connections. However, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use passwords or secret keys create security risks and complications. Visit the [passwordless connections for Azure services](/azure/developer/intro/passwordless-overview) hub to learn more about the advantages of moving to passwordless connections.
 
 The following tutorial explains how to migrate an existing application to connect to Azure Storage to use passwordless connections instead of a key-based solution. These same migration steps should apply whether you're using access keys directly, or through connection strings.
 
@@ -29,37 +28,115 @@ For local development, make sure you're authenticated with the same Azure AD acc
 
 [!INCLUDE [default-azure-credential-sign-in](../../../includes/passwordless/default-azure-credential-sign-in.md)]
 
-Next you need to update your code to use passwordless connections.
+Next, update your code to use passwordless connections.
 
 ## [.NET](#tab/dotnet)
 
-1. To use `DefaultAzureCredential` in a .NET application, add the **Azure.Identity** NuGet package to your application.
+1. To use `DefaultAzureCredential` in a .NET application, install the `Azure.Identity` package:
 
    ```dotnetcli
    dotnet add package Azure.Identity
    ```
 
-1. At the top of your `Program.cs` file, add the following `using` statement:
+1. At the top of your file, add the following code:
 
    ```csharp
    using Azure.Identity;
    ```
 
-1. Identify the locations in your code that currently create a `BlobServiceClient` to connect to Azure Storage. This task is often handled in `Program.cs`, potentially as part of your service registration with the .NET dependency injection container. Update your code to match the following example:
+1. Identify the locations in your code that create a `BlobServiceClient` to connect to Azure Storage. Update your code to match the following example:
 
    ```csharp
-   // TODO: Update <storage-account-name> placeholder to your account name
+   var credential = new DefaultAzureCredential();
+
+   // TODO: Update the <storage-account-name> placeholder.
    var blobServiceClient = new BlobServiceClient(
        new Uri("https://<storage-account-name>.blob.core.windows.net"),
-       new DefaultAzureCredential());
+       credential);
    ```
 
-1. Make sure to update the storage account name in the URI of your `BlobServiceClient`. You can find the storage account name on the overview page of the Azure portal.
+## [Java](#tab/java)
 
-   :::image type="content" source="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="Screenshot showing how to find the storage account name.":::
+1. To use `DefaultAzureCredential` in a Java application, install the `azure-identity` package via one of the following approaches:
+    1. [Include the BOM file](/java/api/overview/azure/identity-readme?view=azure-java-stable&preserve-view=true#include-the-bom-file).
+    1. [Include a direct dependency](/java/api/overview/azure/identity-readme?view=azure-java-stable&preserve-view=true#include-direct-dependency).
+
+1. At the top of your file, add the following code:
+
+    ```java
+    import com.azure.identity.DefaultAzureCredentialBuilder;
+    ```
+
+1. Identify the locations in your code that create a `BlobServiceClient` object to connect to Azure Storage. Update your code to match the following example:
+
+    ```java
+    DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
+        .build();
+
+    // TODO: Update the <storage-account-name> placeholder.
+    BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
+            .endpoint("https://<storage-account-name>.blob.core.windows.net")
+            .credential(credential)
+            .buildClient();
+    ```
+
+## [Node.js](#tab/nodejs)
+
+1. To use `DefaultAzureCredential` in a Node.js application, install the `@azure/identity` package:
+
+    ```bash
+    npm install --save @azure/identity
+    ```
+
+1. At the top of your file, add the following code:
+
+    ```nodejs
+    const { DefaultAzureCredential } = require("@azure/identity");
+    ```
+
+1. Identify the locations in your code that create a `BlobServiceClient` object to connect to Azure Storage. Update your code to match the following example:
+
+    ```nodejs
+    const credential = new DefaultAzureCredential();
+    
+    // TODO: Update the <storage-account-name> placeholder.
+    const blobServiceClient = new BlobServiceClient(
+      "https://<storage-account-name>.blob.core.windows.net",
+      credential
+    );    
+    ```
+
+## [Python](#tab/python)
 
+1. To use `DefaultAzureCredential` in a Python application, install the `azure-identity` package:
+    
+    ```bash
+    pip install azure-identity
+    ```
+
+1. At the top of your file, add the following code:
+
+    ```python
+    from azure.identity import DefaultAzureCredential
+    ```
+
+1. Identify the locations in your code that create a `BlobServiceClient` to connect to Azure Storage. Update your code to match the following example:
+
+    ```python
+    credential = DefaultAzureCredential()
+
+    # TODO: Update the <storage-account-name> placeholder.
+    blob_service_client = BlobServiceClient(
+        account_url = "https://<storage-account-name>.blob.core.windows.net",
+        credential = credential
+    )
+    ```
 ---
 
+4. Make sure to update the storage account name in the URI of your `BlobServiceClient`. You can find the storage account name on the overview page of the Azure portal.
+
+   :::image type="content" source="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="Screenshot showing how to find the storage account name.":::
+
 ### Run the app locally
 
 After making these code changes, run your application locally. The new configuration should pick up your local credentials, such as the Azure CLI, Visual Studio, or IntelliJ. The roles you assigned to your local dev user in Azure allows your app to connect to the Azure service locally.
@@ -83,7 +160,7 @@ Complete the following steps in the Azure portal to associate an identity with y
 * Azure Spring Apps
 * Azure Container Apps
 * Azure virtual machines
-* Azure Kubernetes Service.
+* Azure Kubernetes Service
 
 1. Navigate to the overview page of your web app.
 1. Select **Identity** from the left navigation.
@@ -155,27 +232,52 @@ If you connected your services using Service Connector you don't need to complet
 
 ### Update the application code
 
-You need to configure your application code to look for the specific managed identity you created when it is deployed to Azure. In some scenarios, explicitly setting the managed identity for the app also prevents other environment identities from accidentally being detected and used automatically.
-
-## [.NET](#tab/dotnet)
+You need to configure your application code to look for the specific managed identity you created when it's deployed to Azure. In some scenarios, explicitly setting the managed identity for the app also prevents other environment identities from accidentally being detected and used automatically.
 
 1. On the managed identity overview page, copy the client ID value to your clipboard.
-1. Update the `DefaultAzureCredential` object in the `Program.cs` file of your app to specify this managed identity client ID.
+1. Update the `DefaultAzureCredential` object to specify this managed identity client ID:
 
+    ## [.NET](#tab/dotnet)
+    
     ```csharp
-    // TODO: Update the <your-storage-account-name> and <your-managed-identity-client-id> placeholders
-    var blobServiceClient = new BlobServiceClient(
-                        new Uri("https://<your-storage-account-name>.blob.core.windows.net"),
-                        new DefaultAzureCredential(
-                            new DefaultAzureCredentialOptions() 
-                            { 
-                                ManagedIdentityClientId = "<your-managed-identity-client-id>" 
-                            }));
+    // TODO: Update the <managed-identity-client-id> placeholder.
+    var credential = new DefaultAzureCredential(
+        new DefaultAzureCredentialOptions
+        {
+            ManagedIdentityClientId = "<managed-identity-client-id>"
+        });
     ```
 
-3. Redeploy your code to Azure after making this change in order for the configuration updates to be applied.
+    ## [Java](#tab/java)
+    
+    ```java
+    // TODO: Update the <managed-identity-client-id> placeholder.
+    DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
+        .managedIdentityClientId("<managed-identity-client-id>")
+        .build();
+    ```
+    
+    ## [Node.js](#tab/nodejs)
+    
+    ```nodejs
+    // TODO: Update the <managed-identity-client-id> placeholder.
+    const credential = new DefaultAzureCredential({
+      managedIdentityClientId: "<managed-identity-client-id>"
+    });
+    ```
+    
+    ## [Python](#tab/python)
+    
+    ```python
+    # TODO: Update the <managed-identity-client-id> placeholder.
+    credential = DefaultAzureCredential(
+        managed_identity_client_id = "<managed-identity-client-id>"
+    )
+    ```
 
----
+    ---
+
+3. Redeploy your code to Azure after making this change in order for the configuration updates to be applied.
 
 ### Test the app
 
