Merge pull request #211614 from diberry/diberry/0916-storage-dev-guide-DAC

Blob Storage - JS - Dev Guide - passwordless auth

Author: v-dirichards

articles/storage/blobs/storage-blob-javascript-get-started.md

@@ -8,7 +8,7 @@ ms.author: pauljewell
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 07/06/2022
+ms.date: 09/19/2022
 
 ms.subservice: blobs
 ms.custom: template-how-to
@@ -44,7 +44,7 @@ The [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) o
 
 ## Set up your project
 
-1. Open a command prompt and change into your project folder:
+1. Open a command prompt and change into your project folder. Change `YOUR-DIRECTORY` to your folder name:
 
     ```bash
     cd YOUR-DIRECTORY
@@ -68,195 +68,90 @@ The [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) o
     npm install @azure/identity
     ```
 
-1. In your `index.js` file, add the package:
+## Authenticate to Azure with passwordless credential
 
-    ```javascript
-    const { BlobServiceClient, StorageSharedKeyCredential } = require('@azure/storage-blob');    
+Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code. 
 
-    // optional but recommended - connect with managed identity (Azure AD)
-    const { DefaultAzureCredential } = require('@azure/identity');
-    ```
+### Set up identity access to the Azure cloud
+
+To connect to Azure without passwords, you need to set up an Azure identity or use an existing identity. Once the identity is set up, make sure to assign the appropriate roles to the identity. 
 
-## Connect with Azure AD
+To authorize passwordless access with Azure AD, you'll need to use an Azure credential. Which type of credential you need depends on where your application runs. Use this table as a guide.
 
-Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This functionality allows you to develop code that doesn't require any secrets (keys or connection strings) stored in the code or environment. Managed identity requires [**setup**](assign-azure-role-data-access.md?tabs=portal) for any identities such as developer (personal) or cloud (hosting) environments. You need to complete the setup before using the code in this section. 
+|Environment|Method|
+|--|--|
+|Developer environment|[Visual Studio Code](/azure/developer/javascript/sdk/authentication/local-development-environment-developer-account?tabs=azure-portal%2Csign-in-vscode)|
+|Developer environment|[Service principal](../common/identity-library-acquire-token.md)|
+|Azure-hosted apps|[Azure-hosted apps setup](/azure/storage/blobs/authorize-managed-identity)|
+|On-premises|[On-premises app setup](/azure/storage/common/storage-auth-aad-app?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=dotnet)|
 
-After you complete the setup, your Storage resource needs to have one or more of the following roles assigned to the identity resource you plan to connect with:
+### Set up storage account roles
 
+Your storage resource needs to have one or more of the following [Azure RBAC](/azure/role-based-access-control/built-in-roles) roles assigned to the identity resource you plan to connect with. [Setup the Azure Storage roles](assign-azure-role-data-access.md?tabs=portal) for each identity you created in the previous step: Azure cloud, local development, on-premises. 
+
+After you complete the setup, each identity needs at least one of the appropriate roles: 
+    
 * A [data access](../common/authorize-data-access.md) role - such as: 
     * **Storage Blob Data Reader**
     * **Storage Blob Data Contributor**
 * A [resource](../common/authorization-resource-provider.md) role - such as:
     * **Reader** 
     * **Contributor**
 
-To authorize with Azure AD, you'll need to use an Azure credential. Which type of credential you need depends on where your application runs. Use this table as a guide.
-
-| Where the application runs | Security principal | Guidance |
-|--|--|---|
-| Local machine (developing and testing) | User identity or service principal | [Use the Azure Identity library to get an access token for authorization](../common/identity-library-acquire-token.md) | 
-| Azure | Managed identity | [Authorize access to blob data with managed identities for Azure resources](authorize-managed-identity.md) |
-| Servers or clients outside of Azure | Service principal | [Authorize access to blob or queue data from a native or web application](../common/storage-auth-aad-app.md?toc=/azure/storage/blobs/toc.json) |
-
-Create a [DefaultAzureCredential](/javascript/api/overview/azure/identity-readme#defaultazurecredential) instance. Use that object to create a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient).
-
-```javascript
-const { BlobServiceClient } = require('@azure/storage-blob');
-const { DefaultAzureCredential } = require('@azure/identity');
-require('dotenv').config()
-
-const accountName = process.env.AZURE_STORAGE_ACCOUNT_NAME;
-if (!accountName) throw Error('Azure Storage accountName not found');
 
-const blobServiceClient = new BlobServiceClient(
-  `https://${accountName}.blob.core.windows.net`,
-  new DefaultAzureCredential()
-);
+### Connect with passwordless authentication to Azure 
 
-async function main(){
+Once your Azure storage account identity roles and your local environment are set up, create a JavaScript file which includes the [``@azure/identity``](https://www.npmjs.com/package/@azure/identity) package. Using the `DefaultAzureCredential` class provided by the Azure.Identity client library is the recommended approach for implementing passwordless connections to Azure services in your code, including Blob Storage.
 
-  // this call requires Reader role on the identity
-  const serviceGetPropertiesResponse = await blobServiceClient.getProperties();
-  console.log(`${JSON.stringify(serviceGetPropertiesResponse)}`);
+Create a [DefaultAzureCredential](/javascript/api/overview/azure/identity-readme#defaultazurecredential) instance. Use that object to create a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient).
 
-}
+:::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-default-azure-credential.js":::
 
-main()
-  .then(() => console.log(`done`))
-  .catch((ex) => console.log(`error: ${ex.message}`));
-```
+The `dotenv` package is used to read your storage account name from a `.env` file. This file should not be checked into source control. If you use a local service principal as part of your DefaultAzureCredential set up, any security information for that credential will also go into the `.env` file. 
 
 If you plan to deploy the application to servers and clients that run outside of Azure, you can obtain an OAuth token by using other classes in the [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme) which derive from the [TokenCredential](/javascript/api/@azure/core-auth/tokencredential) class.
 
 ## Connect with an account name and key
 
 Create a [StorageSharedKeyCredential](/javascript/api/@azure/storage-blob/storagesharedkeycredential) by using the storage account name and account key. Then use the StorageSharedKeyCredential to initialize a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient).
 
-```javascript
-const { BlobServiceClient, StorageSharedKeyCredential } = require('@azure/storage-blob');
-require('dotenv').config()
-
-const accountName = process.env.AZURE_STORAGE_ACCOUNT_NAME;
-const accountKey = process.env.AZURE_STORAGE_ACCOUNT_KEY;
-if (!accountName) throw Error('Azure Storage accountName not found');
-if (!accountKey) throw Error('Azure Storage accountKey not found');
-
-const sharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
-
-const blobServiceClient = new BlobServiceClient(
-  `https://${accountName}.blob.core.windows.net`,
-  sharedKeyCredential
-);
+:::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-account-name-and-key.js":::
 
-async function main(){
-  const serviceGetPropertiesResponse = await blobServiceClient.getProperties();
-  console.log(`${JSON.stringify(serviceGetPropertiesResponse)}`);
-}
-
-main()
-  .then(() => console.log(`done`))
-  .catch((ex) => console.log(ex.message));
-```
+The `dotenv` package is used to read your storage account name and key from a `.env` file. This file should not be checked into source control. 
 
 For information about how to obtain account keys and best practice guidelines for properly managing and safeguarding your keys, see [Manage storage account access keys](../common/storage-account-keys-manage.md).
 
 ## Connect with a connection string
 
 Create a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) by using a connection string. 
 
-```javascript
-const { BlobServiceClient } = require('@azure/storage-blob');
-require('dotenv').config()
-
-const connString = process.env.AZURE_STORAGE_CONNECTION_STRING;
-if (!connString) throw Error('Azure Storage Connection string not found');
-
-const blobServiceClient = BlobServiceClient.fromConnectionString(connString);
+:::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-connection-string.js":::
 
-async function main(){
-  const serviceGetPropertiesResponse = await blobServiceClient.getProperties();
-  console.log(`${JSON.stringify(serviceGetPropertiesResponse)}`);
-}
-
-main()
-  .then(() => console.log(`done`))
-  .catch((ex) => console.log(ex.message));
-```
+The `dotenv` package is used to read your storage account connection string from a `.env` file. This file should not be checked into source control. 
 
 For information about how to obtain account keys and best practice guidelines for properly managing and safeguarding your keys, see [Manage storage account access keys](../common/storage-account-keys-manage.md).
 
-## Object Authorization with a SAS token
+## Connect with a SAS token
 
 Create a Uri to your resource by using the blob service endpoint and SAS token. Then, create a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) with the Uri.
 
-```javascript
-const { BlobServiceClient } = require('@azure/storage-blob');
-require('dotenv').config()
-
-const accountName = process.env.AZURE_STORAGE_ACCOUNT_NAME;
-const sasToken = process.env.AZURE_STORAGE_SAS_TOKEN;
-if (!accountName) throw Error('Azure Storage accountName not found');
-if (!sasToken) throw Error('Azure Storage accountKey not found');
-
-const blobServiceUri = `https://${accountName}.blob.core.windows.net`;
-
-const blobServiceClient = new BlobServiceClient(
-  `${blobServiceUri}${sasToken}`,
-  null
-);
+:::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-sas-token.js":::
 
-async function main(){
-  const serviceGetPropertiesResponse = await blobServiceClient.getProperties();
-  console.log(`${JSON.stringify(serviceGetPropertiesResponse)}`);
-}
-
-main()
-  .then(() => console.log(`done`))
-  .catch((ex) => console.log(`error: ${ex.message}`));
-```
+The `dotenv` package is used to read your storage account name and sas token from a `.env` file. This file should not be checked into source control.
 
 To generate and manage SAS tokens, see any of these articles:
 
 - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json)
 
 - [Create a service SAS for a container or blob](sas-service-create.md)
 
-
-
-
 ## Connect anonymously
 
 If you explicitly enable anonymous access, then you can connect to Blob Storage without authorization for your request. You can create a new BlobServiceClient object for anonymous access by providing the Blob storage endpoint for the account. This requires you to know the account and container names. To learn how to enable anonymous access, see [Configure anonymous public read access for containers and blobs](anonymous-read-access-configure.md).
 
-```javascript
-const { BlobServiceClient, AnonymousCredential } = require('@azure/storage-blob');
-require('dotenv').config()
-
-const accountName = process.env.AZURE_STORAGE_ACCOUNT_NAME;
-if (!accountName) throw Error('Azure Storage accountName not found');
-
-const blobServiceUri = `https://${accountName}.blob.core.windows.net`;
-
-const blobServiceClient = new BlobServiceClient(
-  blobServiceUri,
-  new AnonymousCredential()
-);
-
-async function getContainerProperties(){
-
-  // Access level: 'container'
-  const containerName = `blob-storage-dev-guide-1`;
-
-  const containerClient = blobServiceClient.getContainerClient(containerName);
-  const containerProperties = await containerClient.getProperties();
-  console.log(JSON.stringify(containerProperties));
-
-}
+:::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-anonymous-credential.js":::
 
-getContainerProperties()
-  .then(() => console.log(`done`))
-  .catch((ex) => console.log(`error: ${ex.message}`));
-```
+The `dotenv` package is used to read your storage account name from a `.env` file. This file should not be checked into source control.
 
 Each type of resource is represented by one or more associated JavaScript clients:
 
@@ -271,10 +166,12 @@ The following guides show you how to use each of these clients to build your app
 | Guide | Description |
 |--|---|
 | [Create a container](storage-blob-container-create-javascript.md) | Create containers. |
+| [Get container's URL](storage-blob-get-url-javascript.md) | Get URL of container. |
 | [Delete and restore containers](storage-blob-container-delete-javascript.md) | Delete containers, and if soft-delete is enabled, restore deleted containers.  |
 | [List containers](storage-blob-containers-list-javascript.md) | List containers in an account and the various options available to customize a listing. |
 | [Manage properties and metadata](storage-blob-container-properties-metadata-javascript.md) | Get and set properties and metadata for containers. |
 | [Upload blobs](storage-blob-upload-javascript.md) | Learn how to upload blobs by using strings, streams, file paths, and other methods. |
+| [Get blob's URL](storage-blob-get-url-javascript.md) | Get URL of blob. |
 | [Download blobs](storage-blob-download-javascript.md) | Download blobs by using strings, streams, and file paths. |
 | [Copy blobs](storage-blob-copy-javascript.md) | Copy a blob from one account to another account. |
 | [List blobs](storage-blobs-list-javascript.md) | List blobs in different ways. |