azure: add SAS authentication option

This commit is contained in:
Roger Gammans 2022-03-05 18:16:13 +00:00 committed by Michael Eischer
parent 6cbeb4a9f9
commit 64a7ec5341
6 changed files with 55 additions and 4 deletions

View file

@ -0,0 +1,14 @@
Enhancement: Allow use of SAS token to authenticate to Azure
Previously restic only supported AccountKeys to authenticate to Azure
storage accounts, which necessitates giving a significant amount of
access.
We added support for Azure SAS tokens which are a more fine-grained
and time-limited manner of granting access. Set the `AZURE_ACCOUNT_NAME`
and `AZURE_ACCOUNT_SAS` environment variables to use a SAS token for
authentication. Note that if `AZURE_ACCOUNT_KEY` is set, it will take
preference.
https://github.com/restic/restic/issues/2295
https://github.com/restic/restic/pull/3661

View file

@ -596,6 +596,10 @@ func parseConfig(loc location.Location, opts options.Options) (interface{}, erro
cfg.AccountKey = options.NewSecretString(os.Getenv("AZURE_ACCOUNT_KEY"))
}
if cfg.AccountSAS.String() == "" {
cfg.AccountSAS = options.NewSecretString(os.Getenv("AZURE_ACCOUNT_SAS"))
}
if err := opts.Apply(loc.Scheme, &cfg); err != nil {
return nil, err
}

View file

@ -499,6 +499,17 @@ account name and key as follows:
$ export AZURE_ACCOUNT_NAME=<ACCOUNT_NAME>
$ export AZURE_ACCOUNT_KEY=<SECRET_KEY>
or
.. code-block:: console
$ export AZURE_ACCOUNT_NAME=<ACCOUNT_NAME>
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
With the later form, ensure your ``SAS_TOKEN`` does not start with a leading
``?``. If the generated token starts with a leading ``?`` it is safe to just
delete the first character (the ``?``) before use.
Afterwards you can initialize a repository in a container called ``foo`` in the
root path like this:

View file

@ -593,6 +593,7 @@ environment variables. The following lists these environment variables:
AZURE_ACCOUNT_NAME Account name for Azure
AZURE_ACCOUNT_KEY Account key for Azure
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
GOOGLE_PROJECT_ID Project ID for Google Cloud Storage
GOOGLE_APPLICATION_CREDENTIALS Application Credentials for Google Cloud Storage (e.g. $HOME/.config/gs-secret-restic-key.json)

View file

@ -4,6 +4,7 @@ import (
"context"
"crypto/md5"
"encoding/base64"
"fmt"
"hash"
"io"
"net/http"
@ -39,10 +40,29 @@ var _ restic.Backend = &Backend{}
func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
debug.Log("open, config %#v", cfg)
client, err := storage.NewBasicClient(cfg.AccountName, cfg.AccountKey.Unwrap())
if err != nil {
return nil, errors.Wrap(err, "NewBasicClient")
var client storage.Client
var err error
if cfg.AccountKey.String() != "" {
// We have an account key value, find the BlobServiceClient
// from with a BasicClient
debug.Log(" - using account key")
client, err = storage.NewBasicClient(cfg.AccountName, cfg.AccountKey.Unwrap())
if err != nil {
return nil, errors.Wrap(err, "NewBasicClient")
}
} else if cfg.AccountSAS.String() != "" {
// Get the client using the SAS Token as authentication, this
// is longer winded than above because the SDK wants a URL for the Account
// if your using a SAS token, and not just the account name
// we (as per the SDK ) assume the default Azure portal.
url := fmt.Sprintf("https://%s.blob.core.windows.net/", cfg.AccountName)
debug.Log(" - using sas token")
client, err = storage.NewAccountSASClientFromEndpointToken(url, cfg.AccountSAS.Unwrap())
if err != nil {
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
}
} else {
return nil, errors.New("no azure authentication information found")
}
client.HTTPClient = &http.Client{Transport: rt}

View file

@ -12,6 +12,7 @@ import (
// server.
type Config struct {
AccountName string
AccountSAS options.SecretString
AccountKey options.SecretString
Container string
Prefix string