From 20b55723db42796a8c0c4e38723a2cf13fa07fac Mon Sep 17 00:00:00 2001 From: oz mizrahi <191957879+ozmizrahiMicrosoft@users.noreply.github.com> Date: Thu, 15 Jan 2026 10:47:48 +0200 Subject: [PATCH 1/3] V2 authentication Updates --- .../management/data-ingestion/list-blobs.md | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/data-explorer/kusto/management/data-ingestion/list-blobs.md b/data-explorer/kusto/management/data-ingestion/list-blobs.md index fe7139feec..757b28ce27 100644 --- a/data-explorer/kusto/management/data-ingestion/list-blobs.md +++ b/data-explorer/kusto/management/data-ingestion/list-blobs.md @@ -43,23 +43,11 @@ You must have at least [Table Ingestor](../../access-control/role-based-access-c > * We recommend using [obfuscated string literals](../../query/scalar-data-types/string.md#obfuscated-string-literals) for *SourceDataLocators* to scrub credentials in internal traces and error messages. > > * When used alone, `.list blob` returns up to 1,000 files, regardless of any larger value specified in *MaxFiles*. +> +> * The primary use of `.list blobs` is for queued ingestion which is done asynchronously with no user context. Therefore, [Impersonation](../../api/connection-strings/storage-connection-strings.md#impersonation) isn't supported. [!INCLUDE [ingestion-properties](../../includes/ingestion-properties.md)] -## Authentication and authorization - -Each storage connection string indicates the authorization method to use for access to the storage. Depending on the authorization method, the principal might need to be granted permissions on the external storage to perform the ingestion. - -The following table lists the supported authentication methods and the permissions needed for ingesting data from external storage. - -|Authentication method|Azure Blob Storage / Data Lake Storage Gen2|Data Lake Storage Gen1| -|--|--|--| -|[Shared Access (SAS) token](../../api/connection-strings/storage-connection-strings.md#shared-access-sas-token)|List + Read|This authentication method isn't supported in Gen1.| -|[Storage account access key](../../api/connection-strings/storage-connection-strings.md#storage-account-access-key)||This authentication method isn't supported in Gen1.| -|[Managed identity](../../api/connection-strings/storage-connection-strings.md#managed-identity)|Storage Blob Data Reader|Reader| - -The primary use of `.list blobs` is for queued ingestion which is done asynchronously with no user context. Therefore, [Impersonation](../../api/connection-strings/storage-connection-strings.md#impersonation) isn't supported. - ### Path format The *PathFormat* parameter allows you to specify the format of the creation time for listed blobs. It consists of a sequence of text separators and partition elements. A partition element refers to a partition that is declared in the partition `by` clause, and the text separator is any text enclosed in quotes. Consecutive partition elements must be set apart using the text separator. From 5d9258891e64aa715d732851048086625b120aa2 Mon Sep 17 00:00:00 2001 From: oz mizrahi <191957879+ozmizrahiMicrosoft@users.noreply.github.com> Date: Thu, 15 Jan 2026 11:16:04 +0200 Subject: [PATCH 2/3] Update queued ingestion documentation for HTTP Clarified requirements for queued ingestion and added details about blob URL accessibility. --- .../kusto/management/data-ingestion/queued-ingest-use-http.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data-explorer/kusto/management/data-ingestion/queued-ingest-use-http.md b/data-explorer/kusto/management/data-ingestion/queued-ingest-use-http.md index d120e4709e..88a40d1ca2 100644 --- a/data-explorer/kusto/management/data-ingestion/queued-ingest-use-http.md +++ b/data-explorer/kusto/management/data-ingestion/queued-ingest-use-http.md @@ -16,7 +16,6 @@ To use the REST API for queued ingestion, you need: - **Ingestor** role with **table** scope to ingest data into an existing table. - **Database User** role to access the target database. -- **Storage Blob Data Reader** role on the blob storage container. For more information, see [Role-based access control](../../access-control/role-based-access-control.md). @@ -50,7 +49,7 @@ Each item in the `blobs` array must follow this structure: |Field|Type|Required|Description| |--|--|--|--| -|`url`|`string`| :heavy_check_mark: | The URL of the blob to ingest. The service performs light validation on this field.| +|`url`|`string`| :heavy_check_mark: | The URL of the blob to ingest. The service performs light validation on this field. The URL must be accessible by the service. For non-public blobs, include authentication information as part of the URL (for example, SAS token). See [storage connection strings](../../api/connection-strings/storage-connection-strings.md) for details| |`sourceId`|`Guid`|No|An identifier for the source blob.| |`rawSize`|`integer`|No|The size of the blob before compression (nullable).| From 1a6e3788d73dae89a6dffc0b6a3eea9671a329d0 Mon Sep 17 00:00:00 2001 From: oz mizrahi <191957879+ozmizrahiMicrosoft@users.noreply.github.com> Date: Thu, 15 Jan 2026 11:25:34 +0200 Subject: [PATCH 3/3] Update ingest-from-storage-queued.md --- .../management/data-ingestion/ingest-from-storage-queued.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data-explorer/kusto/management/data-ingestion/ingest-from-storage-queued.md b/data-explorer/kusto/management/data-ingestion/ingest-from-storage-queued.md index b6ff4ba2fa..168f6f3f93 100644 --- a/data-explorer/kusto/management/data-ingestion/ingest-from-storage-queued.md +++ b/data-explorer/kusto/management/data-ingestion/ingest-from-storage-queued.md @@ -77,7 +77,7 @@ with ( ``` >[!NOTE] -> Make sure to include a SAS token or use a managed identity to grant the service permission to access and download the blob. +> Make sure to include a SAS token or use a managed identity to grant the service permission to access and download the blob. See [storage connection strings](../../api/connection-strings/storage-connection-strings.md) for details. ### Ingest all blobs in a folder