Add support for Azure Workload Identity authentication

thanos-io · Nov 10, 2023 · 2085269 · 2085269
1 parent 044aa8c
commit 2085269
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/providers/azure/helpers.go b/providers/azure/helpers.go
@@ -6,14 +6,12 @@ package azure
 import (
 	"fmt"
 	"net/http"
-	"os"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
-	"github.com/pkg/errors"
 
 	"github.com/thanos-io/objstore/exthttp"
 )
@@ -65,17 +63,29 @@ func getContainerClient(conf Config) (*container.Client, error) {
 		return containerClient, nil
 	}
 
-	// Use MSI for authentication.
+	// Otherwise use a token credential
+
+	// Managed Identity Credential if a user assigned ID is set
+	msiOpt := &azidentity.ManagedIdentityCredentialOptions{}
 	if conf.UserAssignedID != "" {
-		if err := os.Setenv("AZURE_CLIENT_ID", conf.UserAssignedID); err != nil {
-			return nil, errors.Wrapf(err, "unable to set environment variable for AZURE_CLIENT_ID")
+		msiOpt.ID = azidentity.ClientID(conf.UserAssignedID)
+		mic, err := azidentity.NewManagedIdentityCredential(msiOpt)
+		if err != nil {
+			return nil, err
+		}
+		containerClient, err := container.NewClient(containerURL, mic, opt)
+		if err != nil {
+			return nil, err
 		}
+		return containerClient, nil
 	}
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
+
+	// Workload Identity Credential
+	wic, err := azidentity.NewWorkloadIdentityCredential(nil)
 	if err != nil {
 		return nil, err
 	}
-	containerClient, err := container.NewClient(containerURL, cred, opt)
+	containerClient, err := container.NewClient(containerURL, wic, opt)
 	if err != nil {
 		return nil, err
 	}