From d006e2a5463ea6d98b628ffceeb0081b9c183a62 Mon Sep 17 00:00:00 2001 From: Louie Larson Date: Wed, 14 May 2025 15:37:19 -0400 Subject: [PATCH 1/4] Generate SAS token instead of checking container access --- scripts/azureml-assets/CHANGELOG.md | 4 ++++ .../azureml-assets/azureml/assets/config.py | 20 +------------------ scripts/azureml-assets/setup.py | 2 +- 3 files changed, 6 insertions(+), 20 deletions(-) diff --git a/scripts/azureml-assets/CHANGELOG.md b/scripts/azureml-assets/CHANGELOG.md index 99394edf9c..f6f77f7504 100644 --- a/scripts/azureml-assets/CHANGELOG.md +++ b/scripts/azureml-assets/CHANGELOG.md @@ -1,6 +1,10 @@ ## 1.17.0 (Unreleased) ### 🚀 New Features +## 1.16.81 (2025-05-14) +### 🚀 New Features +- [#4172](https://github.com/Azure/azureml-assets/pull/4172) Generate SAS token instead of checking container access + ## 1.16.80 (2025-05-13) ### 🚀 New Features - [#4172](https://github.com/Azure/azureml-assets/pull/4172) Make asset validation work with new schema validation in ADO diff --git a/scripts/azureml-assets/azureml/assets/config.py b/scripts/azureml-assets/azureml/assets/config.py index b7f0ab2d94..d345901a7e 100644 --- a/scripts/azureml-assets/azureml/assets/config.py +++ b/scripts/azureml-assets/azureml/assets/config.py @@ -583,16 +583,7 @@ def get_uri(self, token_expiration: timedelta = timedelta(hours=1)) -> str: # If we fail pass through to the next approach pass - # Our second approach is to use the azure python SDK to view the properties - # of the container. If the container allows for anonymous access then we can - # return the URI "as-is". - # - # This approach is slower than the first approach, which is why we - # tried the simple HTTP request approach first. - # - # It also requires Azure Credentials to be configured which may or may - # not be present depending on the execution environment. If these credentials - # do not exist then fail gracefully, return the URI "as-is", and hope for the best. + # Generate a SAS token for the container and append it to the URI try: blob_service_client = BlobServiceClient( account_url=self._account_uri, @@ -600,18 +591,9 @@ def get_uri(self, token_expiration: timedelta = timedelta(hours=1)) -> str: process_timeout=AzureBlobstoreAssetPath.AZURE_CLI_PROCESS_LOGIN_TIMEOUT ) ) - container_client = blob_service_client.get_container_client(container=self._container_name) - # If the container allows for anonymous access then we can return the URI "as-is" - if container_client.get_container_properties().public_access is not None: - self._token = "" - return uri - - # Our final approach is to generate a SAS token for the container and append - # it to the URI start_time = datetime.now(timezone.utc) expiry_time = start_time + token_expiration - key = blob_service_client.get_user_delegation_key(start_time, expiry_time) self._token = generate_container_sas( diff --git a/scripts/azureml-assets/setup.py b/scripts/azureml-assets/setup.py index 41c9b06b09..790aaa6f71 100644 --- a/scripts/azureml-assets/setup.py +++ b/scripts/azureml-assets/setup.py @@ -7,7 +7,7 @@ setup( name="azureml-assets", - version="1.16.80", + version="1.16.81", description="Utilities for publishing assets to Azure Machine Learning system registries.", author="Microsoft Corp", packages=find_packages(), From d1303a7eaf8b4939c6b782ff36172d07846cda8b Mon Sep 17 00:00:00 2001 From: Louie Larson Date: Wed, 14 May 2025 15:38:11 -0400 Subject: [PATCH 2/4] Update CHANGELOG --- scripts/azureml-assets/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/azureml-assets/CHANGELOG.md b/scripts/azureml-assets/CHANGELOG.md index f6f77f7504..09d0d7bab1 100644 --- a/scripts/azureml-assets/CHANGELOG.md +++ b/scripts/azureml-assets/CHANGELOG.md @@ -3,7 +3,7 @@ ## 1.16.81 (2025-05-14) ### 🚀 New Features -- [#4172](https://github.com/Azure/azureml-assets/pull/4172) Generate SAS token instead of checking container access +- [#4184](https://github.com/Azure/azureml-assets/pull/4184) Generate SAS token instead of checking container access ## 1.16.80 (2025-05-13) ### 🚀 New Features From 7f4a99595a045d0313e330c3027000158cd765fc Mon Sep 17 00:00:00 2001 From: Louie Larson Date: Thu, 15 May 2025 08:27:00 -0400 Subject: [PATCH 3/4] Fix date --- scripts/azureml-assets/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/azureml-assets/CHANGELOG.md b/scripts/azureml-assets/CHANGELOG.md index 09d0d7bab1..b05c3f0a82 100644 --- a/scripts/azureml-assets/CHANGELOG.md +++ b/scripts/azureml-assets/CHANGELOG.md @@ -1,7 +1,7 @@ ## 1.17.0 (Unreleased) ### 🚀 New Features -## 1.16.81 (2025-05-14) +## 1.16.81 (2025-05-15) ### 🚀 New Features - [#4184](https://github.com/Azure/azureml-assets/pull/4184) Generate SAS token instead of checking container access From 0cc35d4b8aa22812c7cf3165380a23e9a20ce0c9 Mon Sep 17 00:00:00 2001 From: Louie Larson Date: Thu, 15 May 2025 11:10:26 -0400 Subject: [PATCH 4/4] Handle empty container paths --- scripts/azureml-assets/azureml/assets/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/azureml-assets/azureml/assets/config.py b/scripts/azureml-assets/azureml/assets/config.py index d345901a7e..c7b2557d74 100644 --- a/scripts/azureml-assets/azureml/assets/config.py +++ b/scripts/azureml-assets/azureml/assets/config.py @@ -639,11 +639,11 @@ def get_files(self, strip_container_prefix: bool = True) -> List[dict]: List[dict]: List of files and their sizes. Dicts have keys `name` and `size`. """ container_client = self.get_container_client() - container_prefix = self._container_path + "/" + container_prefix = self._container_path + "/" if self._container_path else None blobs = container_client.list_blobs(name_starts_with=container_prefix) # Remove prefix if desired - starting_pos = len(container_prefix) if strip_container_prefix else 0 + starting_pos = len(container_prefix) if container_prefix and strip_container_prefix else 0 blobs = [{'name': blob.name[starting_pos:], 'size': blob.size} for blob in blobs] return blobs