AzureSession doesn't support Azure Active Directory Workload Identity env vars #3423

@jessjaco

This is related to this fixed issue. Since GDAL 3.7.2 the vsiaz driver has supported authentication using Azure Active Directory Workload Identity (using AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST environment variables). This support doesn't appear to exist in AzureSession, so az://-prefixed URLs are not accessible via this method.

I have a draft fix here.

Expected behavior and actual behavior.

If I have AZURE_STORAGE_ACCOUNT, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE & AZURE_AUTHORITY_HOST set, I should be able to access private files in blob storage with an az:// prefix, using e.g.

> rio info az://container/file.tif

This will result in access errors for private objects.

However,
> rio info /vsiaz/container/file.tif
produces output as expected.

Steps to reproduce the problem.

It is difficult to provide a reproducible script without providing the vars / path in question, but I am open to suggestions.

Environment Information

rio --show-versions output

rasterio info:
rasterio: 1.4.3
GDAL: 3.9.3
PROJ: 9.4.1
GEOS: 3.11.1
PROJ DATA: /opt/bitnami/python/lib/python3.12/site-packages/rasterio/proj_data
GDAL DATA: /opt/bitnami/python/lib/python3.12/site-packages/rasterio/gdal_data

System:
python: 3.12.8 (main, Dec 4 2024, 00:26:17) [GCC 12.2.0]
executable: /opt/bitnami/python/bin/python
machine: Linux-5.15.0-1096-azure-x86_64-with-glibc2.36

Python deps:
affine: 2.4.0
attrs: 25.1.0
certifi: 2025.01.31
click: 8.1.8
cligj: 0.7.2
cython: None
numpy: 2.2.3
click-plugins: None
setuptools: 70.3.0

Installation Method

Using titiler-pgstac docker image at ghcr.io/stac-utils/titiler-pgstac, tag 1.7.1
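
A preflight check for the configuration described in this issue, as an added example that is not part of the original report or of rasterio: it confirms the listed variables are set and the federated token file is usable without reading the token, and maps an az:// URL to the /vsiaz/ path the report says works. The function names are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Variables the issue lists for GDAL's /vsiaz/ workload identity support,
# plus the storage account variable the report also sets.
REQUIRED_VARS = (
    "AZURE_STORAGE_ACCOUNT",
    "AZURE_TENANT_ID",
    "AZURE_CLIENT_ID",
    "AZURE_FEDERATED_TOKEN_FILE",
    "AZURE_AUTHORITY_HOST",
)


def workload_identity_problems(env=None):
    """Return a list of problems; an empty list means the setup looks usable."""
    env = os.environ if env is None else env
    problems = [f"{name} is not set" for name in REQUIRED_VARS if not env.get(name)]
    token_file = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if token_file:
        try:
            # Only metadata is inspected; the token is never read or logged.
            if os.stat(token_file).st_size == 0:
                problems.append("federated token file is empty")
            elif not os.access(token_file, os.R_OK):
                problems.append("federated token file is not readable")
        except OSError as exc:
            problems.append(f"federated token file not accessible: {exc.strerror}")
    return problems


def az_url_to_vsiaz(url):
    """Map az://container/key to /vsiaz/container/key."""
    parts = urlsplit(url)
    if parts.scheme != "az" or not parts.netloc:
        raise ValueError(f"not an az:// URL: {url!r}")
    return f"/vsiaz/{parts.netloc}{parts.path}"
```

If `workload_identity_problems()` returns an empty list and the az:// form still fails while the /vsiaz/ form succeeds, the behaviour matches what this issue reports.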
