Azure: Add new az_tenant_id, client_id and client_secret configs (

#157) Re-implement the flags with signed-off. Signed-off-by: DylanGuedes <[email protected]> Co-authored-by: Joao Marcal <[email protected]>
thanos-io · Jan 15, 2025 · a54d0f0 · a54d0f0
1 parent ed170e9
commit a54d0f0
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 ## Unreleased
 - [#38](https://github.com/thanos-io/objstore/pull/38) GCS: Upgrade cloud.google.com/go/storage version to `v1.43.0`.
 - [#145](https://github.com/thanos-io/objstore/pull/145) Include content length in the response of Get and GetRange.
+- [#157](https://github.com/thanos-io/objstore/pull/157) Azure: Add `az_tenant_id`, `client_id` and `client_secret` configs.
 
 ### Fixed
 - [#153](https://github.com/thanos-io/objstore/pull/153) Metrics: Fix `objstore_bucket_operation_duration_seconds_*` for `get` and `get_range` operations.

diff --git a/providers/azure/azure.go b/providers/azure/azure.go
@@ -46,6 +46,9 @@ var DefaultConfig = Config{
 
 // Config Azure storage configuration.
 type Config struct {
+	AzTenantID              string             `yaml:"az_tenant_id"`
+	ClientID                string             `yaml:"client_id"`
+	ClientSecret            string             `yaml:"client_secret"`
 	StorageAccountName      string             `yaml:"storage_account"`
 	StorageAccountKey       string             `yaml:"storage_account_key"`
 	StorageConnectionString string             `yaml:"storage_connection_string"`
@@ -84,6 +87,14 @@ func (conf *Config) validate() error {
 		errMsg = append(errMsg, "user_assigned_id cannot be set when using storage_connection_string authentication")
 	}
 
+	if conf.UserAssignedID != "" && conf.ClientID != "" {
+		errMsg = append(errMsg, "user_assigned_id cannot be set when using client_id authentication")
+	}
+
+	if (conf.AzTenantID != "" || conf.ClientSecret != "" || conf.ClientID != "") && (conf.AzTenantID == "" || conf.ClientSecret == "" || conf.ClientID == "") {
+		errMsg = append(errMsg, "az_tenant_id, client_id, and client_secret must be set together")
+	}
+
 	if conf.StorageAccountKey != "" && conf.StorageConnectionString != "" {
 		errMsg = append(errMsg, "storage_account_key and storage_connection_string cannot both be set")
 	}

diff --git a/providers/azure/azure_test.go b/providers/azure/azure_test.go
@@ -140,6 +140,27 @@ container: "MyContainer"`),
 storage_account_key: ""
 user_assigned_id: "1234-56578678-655"
 storage_connection_string: "myConnectionString"
+container: "MyContainer"`),
+		wantFailParse:    false,
+		wantFailValidate: true,
+	},
+	{
+		name: "Valid AzTenantID, ClientID, ClientSecret",
+		config: []byte(`storage_account: "myAccount"
+storage_account_key: ""
+az_tenant_id: "1234-56578678-655"
+client_id: "1234-56578678-655"
+client_secret: "1234-56578678-655"
+container: "MyContainer"`),
+		wantFailParse:    false,
+		wantFailValidate: false,
+	},
+	{
+		name: "Valid ClientID and ClientSecret but missing AzTenantID",
+		config: []byte(`storage_account: "myAccount"
+storage_account_key: ""
+client_id: "1234-56578678-655"
+client_secret: "1234-56578678-655"
 container: "MyContainer"`),
 		wantFailParse:    false,
 		wantFailValidate: true,

diff --git a/providers/azure/helpers.go b/providers/azure/helpers.go
@@ -71,17 +71,7 @@ func getContainerClient(conf Config, wrapRoundtripper func(http.RoundTripper) ht
 	}
 
 	// Otherwise use a token credential
-	var cred azcore.TokenCredential
-
-	// Use Managed Identity Credential if a user assigned ID is set
-	if conf.UserAssignedID != "" {
-		msiOpt := &azidentity.ManagedIdentityCredentialOptions{}
-		msiOpt.ID = azidentity.ClientID(conf.UserAssignedID)
-		cred, err = azidentity.NewManagedIdentityCredential(msiOpt)
-	} else {
-		// Otherwise use Default Azure Credential
-		cred, err = azidentity.NewDefaultAzureCredential(nil)
-	}
+	cred, err := getTokenCredential(conf)
 
 	if err != nil {
 		return nil, err
@@ -94,3 +84,17 @@ func getContainerClient(conf Config, wrapRoundtripper func(http.RoundTripper) ht
 
 	return containerClient, nil
 }
+
+func getTokenCredential(conf Config) (azcore.TokenCredential, error) {
+	if conf.ClientSecret != "" && conf.AzTenantID != "" && conf.ClientID != "" {
+		return azidentity.NewClientSecretCredential(conf.AzTenantID, conf.ClientID, conf.ClientSecret, &azidentity.ClientSecretCredentialOptions{})
+	}
+
+	if conf.UserAssignedID == "" {
+		return azidentity.NewDefaultAzureCredential(nil)
+	}
+
+	msiOpt := &azidentity.ManagedIdentityCredentialOptions{}
+	msiOpt.ID = azidentity.ClientID(conf.UserAssignedID)
+	return azidentity.NewManagedIdentityCredential(msiOpt)
+}