MicrosoftDocs
diff --git a/‎articles/storage/blobs/media/storage-quickstart-blobs-python/storage-account-name.png
41.3 KB b/‎articles/storage/blobs/media/storage-quickstart-blobs-python/storage-account-name.png
41.3 KB
diff --git a/‎articles/storage/blobs/storage-quickstart-blobs-python.md
Lines changed: 149 additions & 43 deletions b/‎articles/storage/blobs/storage-quickstart-blobs-python.md
Lines changed: 149 additions & 43 deletions
@@ -1,9 +1,9 @@
 ---
-title: 'Quickstart: Azure Blob Storage library v12 - Python'
-description: In this quickstart, you learn how to use the Azure Blob Storage client library version 12 for Python to create a container and a blob in Blob (object) storage. Next, you learn how to download the blob to your local computer, and how to list all of the blobs in a container.
+title: 'Quickstart: Azure Blob Storage client library for Python'
+description: In this quickstart, you learn how to use the Azure Blob Storage client library for Python to create a container and a blob in Blob (object) storage. Next, you learn how to download the blob to your local computer, and how to list all of the blobs in a container.
 author: pauljewellmsft
 ms.author: pauljewell
-ms.date: 09/26/2022
+ms.date: 10/20/2022
 ms.topic: quickstart
 ms.service: storage
 ms.subservice: blobs
@@ -13,56 +13,52 @@ ms.custom: devx-track-python, mode-api
 
 # Quickstart: Azure Blob Storage client library for Python
 
-Get started with the Azure Blob Storage client library for Python to manage blobs and containers. Follow steps to install the package and try out example code for basic tasks.
+Get started with the Azure Blob Storage client library for Python to manage blobs and containers. Follow steps to install the package and try out example code for basic tasks in an interactive console app.
 
 [API reference documentation](/python/api/azure-storage-blob) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob) | [Package (PyPi)](https://pypi.org/project/azure-storage-blob/) | [Samples](../common/storage-samples-python.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#blob-samples)
 
 ## Prerequisites
 
-- An Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
-- An Azure Storage account - [create a storage account](../common/storage-account-create.md).
-- [Python](https://www.python.org/downloads/) 2.7 or 3.6+.
+- Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio)
+- Azure Storage account - [create a storage account](../common/storage-account-create.md)
+- [Python](https://www.python.org/downloads/) 3.6+
 
 ## Setting up
 
-This section walks you through preparing a project to work with the Azure Blob Storage client library v12 for Python.
+This section walks you through preparing a project to work with the Azure Blob Storage client library for Python.
 
 ### Create the project
 
-Create a Python application named *blob-quickstart-v12*.
+Create a Python application named *blob-quickstart*.
 
-1. In a console window (such as PowerShell, cmd, or bash), create a new directory for the project.
+1. In a console window (such as PowerShell or Bash), create a new directory for the project:
 
     ```console
-    mkdir blob-quickstart-v12
+    mkdir blob-quickstart
     ```
 
-1. Switch to the newly created *blob-quickstart-v12* directory.
+1. Switch to the newly created *blob-quickstart* directory:
 
     ```console
-    cd blob-quickstart-v12
+    cd blob-quickstart
     ```
 
-### Install the package
+### Install the packages
 
-From the project directory, install the Azure Blob Storage client library for Python package by using the `pip install` command.
+From the project directory, install packages for the Azure Blob Storage and Azure Identity client libraries using the `pip install` command. The **azure-identity** package is needed for passwordless connections to Azure services.
 
 ```console
-pip install azure-storage-blob
+pip install azure-storage-blob azure-identity
 ```
 
-This command installs the Azure Blob Storage for Python package and  libraries on which it depends. In this case, the only dependency is the Azure core library for Python.
-
 ### Set up the app framework
 
 From the project directory, follow steps to create the basic structure of the app:
 
-1. Open a new text file in your code editor
-1. Add `import` statements, create the structure for the program, and include basic exception handling, as shown below
-1. Save the new file as *blob-quickstart-v12.py* in the *blob-quickstart-v12* directory.
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/app_framework.py":::
-
-[!INCLUDE [storage-quickstart-credentials-include](../../../includes/storage-quickstart-credentials-include.md)]
+1. Open a new text file in your code editor.
+1. Add `import` statements, create the structure for the program, and include basic exception handling, as shown below.
+1. Save the new file as *blob-quickstart.py* in the *blob-quickstart* directory.
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/app-framework-qs.py":::
 
 ## Object model
 
@@ -86,20 +82,130 @@ Use the following Python classes to interact with these resources:
 
 These example code snippets show you how to do the following tasks with the Azure Blob Storage client library for Python:
 
-- [Get the connection string](#get-the-connection-string-for-authentication)
+- [Authenticate the client](#authenticate-the-client)
 - [Create a container](#create-a-container)
 - [Upload blobs to a container](#upload-blobs-to-a-container)
 - [List the blobs in a container](#list-the-blobs-in-a-container)
 - [Download blobs](#download-blobs)
 - [Delete a container](#delete-a-container)
 
-### Get the connection string for authentication
+### Authenticate the client
+
+Application requests to Azure Blob Storage must be authorized. Using the `DefaultAzureCredential` class provided by the Azure Identity client library is the recommended approach for implementing passwordless connections to Azure services in your code, including Blob Storage.
+
+You can also authorize requests to Azure Blob Storage by using the account access key. However, this approach should be used with caution. Developers must be diligent to never expose the access key in an unsecure location. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. `DefaultAzureCredential` offers improved management and security benefits over the account key to allow passwordless authentication. Both options are demonstrated in the following example.
+
+### [Passwordless (Recommended)](#tab/managed-identity)
+
+`DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.
+
+The order and locations in which `DefaultAzureCredential` looks for credentials can be found in the [Azure Identity library overview](/python/api/overview/azure/identity-readme#defaultazurecredential).
+
+For example, your app can authenticate using your Azure CLI sign-in credentials with when developing locally. Your app can then use a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) once it has been deployed to Azure. No code changes are required for this transition.
+
+#### Assign roles to your Azure AD user account
+
+[!INCLUDE [assign-roles](../../../includes/assign-roles.md)]
+
+#### Sign in and connect your app code to Azure using DefaultAzureCredential
+
+You can authorize access to data in your storage account using the following steps:
+
+1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell.
+
+    #### [Azure CLI](#tab/sign-in-azure-cli)
+
+    Sign-in to Azure through the Azure CLI using the following command:
+
+    ```azurecli
+    az login
+    ```
+
+    #### [Visual Studio Code](#tab/sign-in-visual-studio-code)
+
+    You'll need to [install the Azure CLI](/cli/azure/install-azure-cli) to work with `DefaultAzureCredential` through Visual Studio Code.
+
+    On the main menu of Visual Studio Code, navigate to **Terminal > New Terminal**.
+
+    Sign-in to Azure through the Azure CLI using the following command:
+
+    ```azurecli
+    az login
+    ```
+
+    #### [PowerShell](#tab/sign-in-powershell)
+
+    Sign-in to Azure using PowerShell via the following command:
+
+    ```azurepowershell
+    Connect-AzAccount
+    ```
 
-The code below retrieves the storage account connection string from the environment variable created in the [Configure your storage connection string](#configure-your-storage-connection-string) section.
+2. To use `DefaultAzureCredential`, make sure that the **azure-identity** package is [installed](#install-the-packages), and the class is imported:
+
+    ```python
+    from azure.identity import DefaultAzureCredential
+    ```
+
+3. Add this code inside the `try` block. When the code runs on your local workstation, `DefaultAzureCredential` uses the developer credentials of the prioritized tool you're logged into to authenticate to Azure. Examples of these tools include Azure CLI or Visual Studio Code.
+
+    :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_CreateServiceClientDAC":::
+
+4. Make sure to update the storage account name in the URI of your `BlobServiceClient` object. The storage account name can be found on the overview page of the Azure portal.
+
+    :::image type="content" source="./media/storage-quickstart-blobs-python/storage-account-name.png" alt-text="A screenshot showing how to find the storage account name.":::
+
+    > [!NOTE]
+    > When deployed to Azure, this same code can be used to authorize requests to Azure Storage from an application running in Azure. However, you'll need to enable managed identity on your app in Azure. Then configure your storage account to allow that managed identity to connect. For detailed instructions on configuring this connection between Azure services, see the [Auth from Azure-hosted apps](/dotnet/azure/sdk/authentication-azure-hosted-apps) tutorial.
+
+### [Connection String](#tab/connection-string)
+
+A connection string includes the storage account access key and uses it to authorize requests. Always be careful to never expose the keys in an unsecure location.
+
+> [!NOTE]
+> If you plan to use connection strings, you'll need permissions for the following Azure RBAC action: [Microsoft.Storage/storageAccounts/listkeys/action](/azure/role-based-access-control/resource-provider-operations#microsoftstorage). The least privilege built-in role with permissions for this action is [Storage Account Key Operator Service Role](/azure/role-based-access-control/built-in-roles#storage-account-key-operator-service-role), but any role which includes this action will work.
+
+[!INCLUDE [retrieve credentials](../../../includes/retrieve-credentials.md)]
+
+#### Configure your storage connection string
+
+After you copy the connection string, write it to a new environment variable on the local machine running the application. To set the environment variable, open a console window, and follow the instructions for your operating system. Replace `<yourconnectionstring>` with your actual connection string.
+
+**Windows**:
+
+```cmd
+setx AZURE_STORAGE_CONNECTION_STRING "<yourconnectionstring>"
+```
+
+After you add the environment variable in Windows, you must start a new instance of the command window.
+
+**Linux**:
+
+```bash
+export AZURE_STORAGE_CONNECTION_STRING="<yourconnectionstring>"
+```
+
+The code below retrieves the connection string for the storage account from the environment variable created earlier, and uses the connection string to construct a service client object.
 
 Add this code inside the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_ConnectionString":::
+```python
+# Retrieve the connection string for use with the application. The storage
+# connection string is stored in an environment variable on the machine
+# running the application called AZURE_STORAGE_CONNECTION_STRING. If the environment variable is
+# created after the application is launched in a console or with Visual Studio,
+# the shell or application needs to be closed and reloaded to take the
+# environment variable into account.
+connect_str = os.getenv('AZURE_STORAGE_CONNECTION_STRING')
+
+# Create the BlobServiceClient object
+blob_service_client = BlobServiceClient.from_connection_string(connect_str)
+```
+
+> [!IMPORTANT]
+> The account access key should be used with caution. If your account access key is lost or accidentally placed in an insecure location, your service may become vulnerable. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. `DefaultAzureCredential` provides enhanced security features and benefits and is the recommended approach for managing authorization to Azure services.
+
+---
 
 ### Create a container
 
@@ -108,11 +214,11 @@ Decide on a name for the new container. The code below appends a UUID value to t
 > [!IMPORTANT]
 > Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).
 
-Create an instance of the [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) class by calling the [from_connection_string](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient#from-connection-string-conn-str--credential-none----kwargs-) method. Then, call the [create_container](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient#create-container-name--metadata-none--public-access-none----kwargs-) method to actually create the container in your storage account.
+Call the [create_container](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient#create-container-name--metadata-none--public-access-none----kwargs-) method to actually create the container in your storage account.
 
 Add this code to the end of the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_CreateContainer":::
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_CreateContainer":::
 
 ### Upload blobs to a container
 
@@ -125,23 +231,23 @@ The following code snippet:
 
 Add this code to the end of the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_UploadBlobs":::
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_UploadBlobs":::
 
 ### List the blobs in a container
 
 List the blobs in the container by calling the [list_blobs](/python/api/azure-storage-blob/azure.storage.blob.containerclient#list-blobs-name-starts-with-none--include-none----kwargs-) method. In this case, only one blob has been added to the container, so the listing operation returns just that one blob.
 
 Add this code to the end of the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_ListBlobs":::
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_ListBlobs":::
 
 ### Download blobs
 
 Download the previously created blob by calling the [download_blob](/python/api/azure-storage-blob/azure.storage.blob.blobclient#download-blob-offset-none--length-none----kwargs-) method. The example code adds a suffix of "DOWNLOAD" to the file name so that you can see both files in local file system.
 
 Add this code to the end of the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_DownloadBlobs":::
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_DownloadBlobs":::
 
 ### Delete a container
 
@@ -151,31 +257,31 @@ The app pauses for user input by calling `input()` before it deletes the blob, c
 
 Add this code to the end of the `try` block:
 
-:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/V12/blob-quickstart-v12.py" id="Snippet_CleanUp":::
+:::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_CleanUp":::
 
 ## Run the code
 
 This app creates a test file in your local folder and uploads it to Azure Blob Storage. The example then lists the blobs in the container, and downloads the file with a new name. You can compare the old and new files.
 
-Navigate to the directory containing the *blob-quickstart-v12.py* file, then execute the following `python` command to run the app.
+Navigate to the directory containing the *blob-quickstart.py* file, then execute the following `python` command to run the app:
 
 ```console
-python blob-quickstart-v12.py
+python blob-quickstart.py
 ```
 
-The output of the app is similar to the following example:
+The output of the app is similar to the following example (UUID values omitted for readability):
 
 ```output
-Azure Blob Storage v12 - Python quickstart sample
+Azure Blob Storage Python quickstart sample
 
 Uploading to Azure Storage as blob:
-        quickstartcf275796-2188-4057-b6fb-038352e35038.txt
+        quickstartUUID.txt
 
 Listing blobs...
-        quickstartcf275796-2188-4057-b6fb-038352e35038.txt
+        quickstartUUID.txt
 
 Downloading blob to
-        ./data/quickstartcf275796-2188-4057-b6fb-038352e35038DOWNLOAD.txt
+        ./data/quickstartUUIDDOWNLOAD.txt
 
 Press the Enter key to begin clean up
 
@@ -188,7 +294,7 @@ Before you begin the cleanup process, check your *data* folder for the two files
 
 ## Clean up resources
 
-After you've verified the files and finished testing, press the **Enter** key to delete the test files along with the container you created in the storage account.
+After you've verified the files and finished testing, press the **Enter** key to delete the test files along with the container you created in the storage account. You can also use [Azure CLI](storage-quickstart-blobs-cli.md#clean-up-resources) to delete resources.
 
 ## Next steps
 
@@ -197,7 +303,7 @@ In this quickstart, you learned how to upload, download, and list blobs using Py
 To see Blob storage sample apps, continue to:
 
 > [!div class="nextstepaction"]
-> [Azure Blob Storage SDK v12 Python samples](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob/samples)
+> [Azure Blob Storage library for Python samples](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob/samples)
 
 - To learn more, see the [Azure Storage client libraries for Python](/azure/developer/python/sdk/storage/overview).
 - For tutorials, samples, quickstarts, and other documentation, visit [Azure for Python Developers](/azure/python/).