Azure Authentication Methods

There are several ways to authenticate when you use ybload to load data from Azure Blob storage. You can authenticate implicitly by using supported Azure-identity methods, such as service principals, or you can authenticate explicitly by using ybload command-line options. You can use the Azure CLI (the az login command) or the Azure web portal to create and manage user accounts, service principals, and so on.

Your organization's Azure administrator should provide instructions for the mechanism you should use. For more details about creating and managing Azure accounts, see the Microsoft Azure documentation.

Order of Precedence for Authentication Methods

You may have multiple credential settings available to you, based on your Azure account setup and how you script the ybload command. Therefore, it is important to know which authentication mechanism takes precedence when the ybload command is run. Note that credentials set with ybload object storage options (on the command line or in a properties file) always take precedence over implicit Azure account credentials.

The order of precedence is as follows:

  1. Access key or SAS token specified with the ybload --object-store-credential command-line option
  2. Access key or SAS token specified with the yb.file. prefix in one of the following:
     • URI parameter
     • Properties file named with the --object-store-provider-config command-line option
  3. Access key or SAS token specified without the yb.file. prefix in one of the following:
     • URI parameter
     • Properties file named with the --object-store-provider-config command-line option
  4. Implicit authentication, using one of the following Azure-identity methods:
     • Service principal environment variables
     • Managed identity credential (for use on Azure VMs)
     • Shared Token Cache Credential (provided by authentication to Azure with Visual Studio 2019)

       Note: This mechanism is disabled by default for ybload. To enable this type of credential, specify the name of a Java properties file with the --object-store-provider-config option. In the file, include the following entry:

       allowSharedTokenCacheCredential = true
     • Azure CLI credentials (authentication via az login)

Azure Role Assignments

An Azure account that you intend to use for authentication when loading data from an Azure blob must have the following role assignments:

  • Reader
  • Storage Blob Data Reader

These are the minimum role assignments required by ybload operations. Your Azure user accounts may be configured with assignments that exceed these requirements.

Azure Environment Variables

ybload operations from Azure Blob storage support the following environment variables. You can set these variables and reference them when you are using a service principal account for authentication:

  • AZURE_CLIENT_ID: the application ID for a service principal
  • AZURE_CLIENT_SECRET: the secret key for a service principal
  • AZURE_TENANT_ID: the Azure Active Directory (AD) tenant for a service principal
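
The precedence order and the service principal variables above can be checked before a load runs. The following preflight check is an added example in shell, not part of the Yellowbrick documentation or of ybload itself: it reports which credential source a given ybload argument list selects. The function names and result strings are hypothetical, both the "--option value" and "--option=value" spellings are accepted as an assumption, URI parameters are not inspected, and any properties-file setting other than allowSharedTokenCacheCredential is only flagged for review because the page does not name the credential keys.

```shell
#!/bin/sh
# Added example, not Yellowbrick code: report which credential source the
# documented precedence order selects for a ybload argument list.
# URI parameters are not inspected; the page does not give their names.

# True if properties file $1 sets allowSharedTokenCacheCredential = true.
shared_cache_enabled() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*allowSharedTokenCacheCredential[[:space:]]*[=:][[:space:]]*true[[:space:]]*$' "$1"
}

# True if properties file $1 has any setting other than that flag.
# Assumption: such a setting may be an access key or SAS token.
has_other_settings() {
    [ -f "$1" ] && grep -Ev '^[[:space:]]*([#!]|$)' "$1" |
        grep -Evq '^[[:space:]]*allowSharedTokenCacheCredential[[:space:]]*[=:]'
}

# Print the highest-precedence source found; return 1 if only some AZURE_* are set.
ybload_auth_source() {
    cred_opt=no config_file=
    while [ $# -gt 0 ]; do
        case $1 in
            --object-store-credential|--object-store-credential=*) cred_opt=yes ;;
            --object-store-provider-config=*) config_file=${1#*=} ;;
            --object-store-provider-config)
                config_file=${2:-}
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$cred_opt" = yes ]; then echo "explicit:command-line"; return 0; fi
    if [ -n "$config_file" ] && has_other_settings "$config_file"; then
        echo "review:properties-file"; return 0
    fi
    set_count=0
    for v in "${AZURE_CLIENT_ID:-}" "${AZURE_CLIENT_SECRET:-}" "${AZURE_TENANT_ID:-}"; do
        if [ -n "$v" ]; then set_count=$((set_count + 1)); fi
    done
    case $set_count in
        3) echo "implicit:service-principal" ;;
        0) if [ -n "$config_file" ] && shared_cache_enabled "$config_file"; then
               echo "implicit:other+shared-token-cache"
           else
               echo "implicit:other"
           fi ;;
        *) echo "error:service-principal-incomplete"; return 1 ;;
    esac
}
```

In a wrapper script, call ybload_auth_source with the same arguments you pass to ybload and stop the load when the result is not the source you intended.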
