Support for Secret-less Azure Managed Identity in Python Delta-Sharing Client #633

Open
wants to merge 8 commits into
base: main

@moderakh (Collaborator) commented Jan 10, 2025

Add Support for Azure Managed Identity in Python Delta-Sharing Client.

Sample share profile file for managed-identity:

{
  "endpoint" : "http://example.com",
  "shareCredentialsVersion": 2,
  "type": "experimental_managed_identity"
}

Note to reviewer: please read below.

What is Azure Managed Identity?

Azure Managed Identity allows applications running on Azure compute resources (e.g., Azure Virtual Machines) to access Azure services without the need for managing credentials explicitly. The identity is automatically provisioned by Azure infrastructure, eliminating the need for hardcoded secrets.

To obtain an access token, the application can call a specific internal endpoint available only within the Azure VM environment:

GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "eyJ0eXAi...",
  "refresh_token": "",
  "expires_in": "3599",
  "expires_on": "1506484173",
  "not_before": "1506480273",
  "resource": "https://management.azure.com/",
  "token_type": "Bearer"
}

This token can then be used by the client to authenticate against Azure services, and if the delta-sharing server supports accepting this token, the delta-sharing client can authenticate against the server.

For more details, refer to the official Azure documentation.

How this code is constructed

The code is constructed by following a similar pattern established for the OAuth client credential flow. It subclasses AuthCredentialProvider to implement the managed-identity auth provider.

Future Work

  • Other Cloud Providers: Support for managed identities in AWS, GCP.

@moderakh changed the title from "This PR adds support for Azure Managed Identity in Python Delta-Sharing Client" to "Support for Azure Managed Identity in Python Delta-Sharing Client" Jan 10, 2025
@moderakh changed the title from "Support for Azure Managed Identity in Python Delta-Sharing Client" to "Support for Secret-less Azure Managed Identity in Python Delta-Sharing Client" Jan 10, 2025
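The token request and response described in the PR comment above, as an added example that is not code from this pull request: it builds the IMDS request, validates the response, and decides when a cached token must be renewed. The names `ManagedIdentityToken`, `build_token_request`, `parse_token_response` and `fetch_token`, the 600-second refresh margin, and the resource check are assumptions of this sketch.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# Constructed sample: fields taken from the response shown in the PR description.
SAMPLE_BODY = ('{"access_token": "eyJ0eXAi...", "expires_on": "1506484173", '
               '"resource": "https://management.azure.com/", "token_type": "Bearer"}')

@dataclass(frozen=True)
class ManagedIdentityToken:  # hypothetical name, not the PR's class
    access_token: str
    expires_on: int  # Unix seconds; IMDS sends it as a string

    def needs_refresh(self, now=None, skew=600):
        # skew is an assumed margin: renew early so no request carries an expired token
        return (time.time() if now is None else now) >= self.expires_on - skew

def build_token_request(resource):
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    # IMDS rejects requests that lack the Metadata header.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def parse_token_response(body, resource):
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("not a bearer token response")
    # Assumes IMDS echoes the requested resource, as in the sample response.
    if doc.get("resource") != resource:
        raise ValueError("token was issued for a different resource")
    return ManagedIdentityToken(doc["access_token"], int(doc["expires_on"]))

def fetch_token(resource, timeout=5):
    # Only reachable from Azure compute. The empty ProxyHandler keeps the request
    # off any proxy set in the environment, so the token never passes through it.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_token_request(resource), timeout=timeout) as resp:
        return parse_token_response(resp.read(), resource)

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_BODY, "https://management.azure.com/")
    print(tok.expires_on, tok.needs_refresh(now=tok.expires_on - 601))
```

A provider built on this would call `fetch_token` only when no token is cached or `needs_refresh()` returns true, and would keep the access token out of logs and error messages.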