Fix traced HttpResponseError for identity-based datastores

[Copilot]

get_datastore_info() unconditionally calls _list_secrets(), which raises HttpResponseError for identity-based datastores. While caught and handled, OpenTelemetry captures these exceptions as error traces in Application Insights.

Changes:

• Check credential type before calling _list_secrets() to avoid exception for identity-based datastores
• Add import for NoneCredentialConfiguration
• Preserve existing try/except fallback for credential-based datastores

Before:

try:
    credential = operations._list_secrets(name=name, expirable_secret=True)
    datastore_info["credential"] = credential.sas_token
except HttpResponseError:  # Always raised for identity-based auth, captured by tracing
    datastore_info["credential"] = operations._credential

After:

if isinstance(datastore.credentials, NoneCredentialConfiguration):
    datastore_info["credential"] = operations._credential  # No API call, no exception
else:
    try:
        credential = operations._list_secrets(name=name, expirable_secret=True)
        datastore_info["credential"] = credential.sas_token
    except HttpResponseError:
        datastore_info["credential"] = operations._credential

Unit tests added for identity-based, SAS token, and account key credentials.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• pypi.org
  • Triggering command: /home/REDACTED/work/azure-sdk-for-python/azure-sdk-for-python/.venv/bin/pip pip install pytest-mock -q ests/finetuning_job/e2e_tests/test_maap_finetuning_job.py ests/finetuning_job/unittests/test_azure_openai_finetuning_job_schema.py ests/finetuning_job/unittests/test_finetuning_job_convesion.py ests/finetuning_job/unittests/test_custom_model_finetuning_job_schema.py ests/finetuning_job/conftest.py ests/environment/e2etests/test_environment.py ests/environment/unittests/test_env_entity.py ests/environment/unittests/test_environment_operations.py ests�� ests/environment/unittests/test_environment_operations_registry.py ests/model/e2etests/test_model.py (dns block)
• scanning-api.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>azure-ai-ml get_datastore_info() raises traced HttpResponseError for identity-based datastores</issue_title>
<issue_description>### what
When using download_artifact_from_aml_uri() with a datastore configured for identity-based access (no stored credentials), the SDK internally raises an HttpResponseError that gets caught and handled correctly, but the exception is still captured by OpenTelemetry tracing. This causes noisy error traces in Application Insights even though the operation succeeds.

To Reproduce

Configure an Azure ML datastore with identity-based access (no account key or SAS token stored)
Enable OpenTelemetry tracing (e.g., via azure-monitor-opentelemetry)
Download an artifact using download_artifact_from_aml_uri()

from azure.ai.ml import MLClient
import azure.ai.ml._artifacts._artifact_utilities as artifact_utils

ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)
artifact_utils.download_artifact_from_aml_uri(
    uri="azureml://subscriptions/.../datastores/mystore/paths/data.csv",
    destination="/tmp/output",
    datastore_operation=ml_client.datastores
)

Expected behavior

The download succeeds (which it does), but no exception should appear in traces since this is expected behavior for identity-based datastores.

Actual behavior

The download succeeds, but an exception trace is recorded:

azure.core.exceptions.HttpResponseError: (UserError) No secrets for credentials of type None.
Code: UserError
Message: No secrets for credentials of type None.

Root cause

In _artifact_utilities.py, get_datastore_info() uses a try/except pattern:

try:
    credential = operations._list_secrets(name=name, expirable_secret=True)
    datastore_info["credential"] = credential.sas_token
except HttpResponseError:
    datastore_info["credential"] = operations._credential

Maybe consider one of:

• Check datastore.credentials type before calling _list_secrets() to avoid the exception entirely
• Return an empty/null credential from _list_secrets() instead of raising for identity-based datastores

Environment

azure-ai-ml version: 1.30.0
Python version: 3.12
OS: Linux (Azure Container Apps)
Tracing: azure-monitor-opentelemetry</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes azure-ai-ml get_datastore_info() raises traced HttpResponseError for identity-based datastores #44636

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Copilot wasn't able to review any files in this pull request.

[happywhaler]

hey @mohammadsheraj thanks for picking this up! will copilot get back to complete this PR? 😇

[mohammadsheraj]

hey @mohammadsheraj thanks for picking this up! will copilot get back to complete this PR? 😇

Adding the current DRI @PratibhaShrivastav18

[happywhaler]

so close 😢

[mohammadsheraj]

Sorry I did not mean to close the issue. Reopened.

[happywhaler]

look almost there. thank you for pushing this :) sorry for nagging