Azure: add option to force use of CLI credential

This commit is contained in:
Maik Riechert 2024-05-15 16:54:28 +00:00 committed by Michael Eischer
parent 1dfe1b8732
commit 355f520936
5 changed files with 41 additions and 10 deletions

View file

@ -0,0 +1,5 @@
Enhancement: Add option to force use of Azure CLI credential
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
https://github.com/restic/restic/pull/4799

View file

@ -550,17 +550,23 @@ For authentication export one of the following variables:
# For SAS
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
For authentication using ``az login`` set the resource group name and ensure the user has
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC.
For authentication using ``az login`` ensure the user has
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
for the storage account.
.. code-block:: console
$ export AZURE_RESOURCE_GROUP=<RESOURCE_GROUP_NAME>
$ az login
Alternatively, if run on Azure, restic will automatically uses service accounts configured
Alternatively, if run on Azure, restic will automatically use service accounts configured
via the standard environment variables or Workload / Managed Identities.
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
.. code-block:: console
$ export AZURE_FORCE_CLI_CREDENTIAL=true
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
You can specify other suffixes as follows:

View file

@ -673,6 +673,7 @@ environment variables. The following lists these environment variables:
AZURE_ACCOUNT_KEY Account key for Azure
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2

View file

@ -101,6 +101,18 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
if err != nil {
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
}
} else if cfg.ForceCliCredential {
debug.Log(" - using AzureCLICredential")
cred, err := azidentity.NewAzureCLICredential(nil)
if err != nil {
return nil, errors.Wrap(err, "NewAzureCLICredential")
}
client, err = azContainer.NewClient(url, cred, opts)
if err != nil {
return nil, errors.Wrap(err, "NewClient")
}
} else {
debug.Log(" - using DefaultAzureCredential")
cred, err := azidentity.NewDefaultAzureCredential(nil)

View file

@ -3,6 +3,7 @@ package azure
import (
"os"
"path"
"strconv"
"strings"
"github.com/restic/restic/internal/backend"
@ -13,12 +14,13 @@ import (
// Config contains all configuration necessary to connect to an azure compatible
// server.
type Config struct {
AccountName string
AccountSAS options.SecretString
AccountKey options.SecretString
EndpointSuffix string
Container string
Prefix string
AccountName string
AccountSAS options.SecretString
AccountKey options.SecretString
ForceCliCredential bool
EndpointSuffix string
Container string
Prefix string
Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
}
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
}
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
if err == nil {
cfg.ForceCliCredential = forceCliCred
}
if cfg.EndpointSuffix == "" {
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
}