Filesystems

redun supports reading and writing to various filesystems, including local, S3, GCS, and Azure Blob Storage.

The filesystem to be used is determined by the protocol in the file URL provided to redun.file constructor. In most cases, users don’t need to interact with Filesystem objects directly.

Azure Blob Storage filesystem

This filesystem is considered experimental - please read the documentation carefully before using it.

Usage

If you use redun.File or Dir, initialize it with az path: az://container@accountname.blob.core.windows.net/path/to/file. Other paths format (like HTTPS blob URI) are not supported.

Thread safety

By design, fsspec operations are not stateless, and there are potential issues with thread safety:

  • listings cache (dircache) - for results of ls-like commands. glob calls likely don’t affect the cache, unlike listdir which we don’t call currently, so all redun calls like Dir.files() are safe

  • file access (see https://filesystem-spec.readthedocs.io/en/latest/features.html#file-buffering-and-random-access) - users should assume IO file operations are unsafe and avoid reads/writes to the same file from multiple redun tasks running on the same executor. Redun gets around this issue by forcing recreation of the fsspec file system objects and restarting the async loop. There still may be thread safety issues, so beware.

Credentials lookup

For most cases, Azure SDKs should work without any issues with the default credentials, and that’s what adlfs (fsspec implementation for Azure storage) does when not prompted otherwise.

Note that it wasn’t tested on Azure Batch nodes, but DefaultClientCredential is expected to work inside any Azure compute with properly configured managed identity.

However, inside AzureML compute that uses on-behalf-of authentication, DefaultClientCredential will not work. There is a special credential class that works, but works only in synchronous mode. adlfs works with both sync and async credential classes, but it assumes custom credential classes are async. We do a small hack in the code to assign credential class to a correct class property.

Currently use a simple try-catch to determine if we can retrieve auth token from DefaultAzureCredential and use AML credential as fallback option if AML env variables are set (AZUREML_WORKSPACE_ID). If both options fail, we also check if DEFAULT_IDENTITY_CLIENT_ID variable is set - in AzureML, it holds the client id of the cluster’s managed identity. If it is, we try to create ManagedIdentityCredential with it.