Is your feature request related to a problem? Please describe.
The current connector does not support managed identity or MSI when using the TransientStorage export option (only SAS or account keys are supported).
This is a problem since MS SFI guidelines require disabling access keys and using MSI instead.
Using ";impersonate" in the SAS property lets me use the system-assigned managed identity to write the exported files into my storage account, but reading from it fails since no authentication key is provided with the read request from the storage account.
Describe the solution you'd like
Remove the SAS and access key property validation and let the user provide credentials. If nothing is provided, use the default credentials with the ";impersonate" method to read and export from Kusto, and the same credentials to read the exported files from the provided storage account.
For example:
```python
# Only the storage account and container are given: no SAS or account key
transientStorage = "{ \"storageCredentials\" : [ { \
    \"storageAccountName\": \"1jdldsdke2etestcluster01\", \
    \"blobContainer\": \"20221225-exportresults-0\" \
  } ], \"endpointSuffix\" : \"core.windows.net\" }"
...
option("transientStorage", transientStorage). \
```
Since Kusto supports this kind of authentication, using the ";impersonate" keyword to pass the requestor's token or ";managed_identity=" to use a separate managed identity, the solution should use those in some way.
As described here
Describe alternatives you've considered
Using a User Delegated SAS token with a validity of up to 1hr is compliant with SFI requirements, but it makes the user's code much more complex.
In addition, supplying ";impersonate" in the SAS property didn't fully work.
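Added example (not part of the issue and not the connector's code): a sketch of the credential fallback the request describes, turning a transientStorage JSON into Kusto export storage URIs that use ";impersonate" or ";managed_identity=" when no secret is supplied, and redacting secrets before logging. The function names, the `sasKey` and `storageAccountKey` field names, and the `https://<account>.blob.<suffix>/<container>` URI shape are assumptions.

```python
import json

KEYLESS = ("impersonate", "managed_identity")

def export_connection_strings(transient_storage_json, managed_identity=None):
    """Return one (storage_uri, auth_mode) pair per storageCredentials entry."""
    cfg = json.loads(transient_storage_json)
    suffix = cfg.get("endpointSuffix", "core.windows.net")
    results = []
    for cred in cfg["storageCredentials"]:
        base = "https://{}.blob.{}/{}".format(
            cred["storageAccountName"], suffix, cred["blobContainer"])
        if cred.get("sasKey"):                 # assumed field name
            uri, mode = base + "?" + cred["sasKey"].lstrip("?"), "sas"
        elif cred.get("storageAccountKey"):    # assumed field name
            uri, mode = base + ";" + cred["storageAccountKey"], "account_key"
        elif managed_identity:
            # A separate managed identity, as in the ";managed_identity=" form
            uri, mode = base + ";managed_identity=" + managed_identity, "managed_identity"
        else:
            # Nothing supplied: fall back to the requestor's own token
            uri, mode = base + ";impersonate", "impersonate"
        results.append((uri, mode))
    return results

def is_keyless(results):
    """True when no entry relies on a SAS token or an account key."""
    return all(mode in KEYLESS for _, mode in results)

def redact(uri):
    """Hide SAS tokens and account keys so the URI is safe to log."""
    for sep in ("?", ";"):
        head, found, tail = uri.partition(sep)
        keyless = tail == "impersonate" or tail.startswith("managed_identity=")
        if found and not keyless:
            return head + sep + "<redacted>"
    return uri

# Constructed inputs: the first reuses the names from the issue's example,
# the second carries a made-up account key.
SAMPLE_KEYLESS = json.dumps({
    "storageCredentials": [{"storageAccountName": "1jdldsdke2etestcluster01",
                            "blobContainer": "20221225-exportresults-0"}],
    "endpointSuffix": "core.windows.net"})
SAMPLE_WITH_KEY = json.dumps({
    "storageCredentials": [{"storageAccountName": "acct", "blobContainer": "c",
                            "storageAccountKey": "CONSTRUCTEDKEY=="}]})
```
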