Merge pull request #4879 from restic/backport-azure-cli-option

Backport azure cli option
Michael Eischer 2024-06-26 21:07:16 +02:00 committed by GitHub
commit ca04a88e65
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 48 additions and 11 deletions


@ -0,0 +1,5 @@
Enhancement: Add option to force use of Azure CLI credential
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
https://github.com/restic/restic/pull/4799


@ -548,9 +548,23 @@ For authentication export one of the following variables:
# For SAS # For SAS
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN> $ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
Alternatively, if run on Azure, restic will automatically uses service accounts configured For authentication using ``az login`` ensure the user has
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
for the storage account.
.. code-block:: console
$ az login
Alternatively, if run on Azure, restic will automatically use service accounts configured
via the standard environment variables or Workload / Managed Identities. via the standard environment variables or Workload / Managed Identities.
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
.. code-block:: console
$ export AZURE_FORCE_CLI_CREDENTIAL=true
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix. Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
You can specify other suffixes as follows: You can specify other suffixes as follows:


@ -597,6 +597,7 @@ environment variables. The following lists these environment variables:
AZURE_ACCOUNT_KEY Account key for Azure AZURE_ACCOUNT_KEY Account key for Azure
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net) AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2 B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2 B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2


@ -101,12 +101,22 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
if err != nil { if err != nil {
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken") return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
} }
} else {
var cred azcore.TokenCredential
if cfg.ForceCliCredential {
debug.Log(" - using AzureCLICredential")
cred, err = azidentity.NewAzureCLICredential(nil)
if err != nil {
return nil, errors.Wrap(err, "NewAzureCLICredential")
}
} else { } else {
debug.Log(" - using DefaultAzureCredential") debug.Log(" - using DefaultAzureCredential")
cred, err := azidentity.NewDefaultAzureCredential(nil) cred, err = azidentity.NewDefaultAzureCredential(nil)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "NewDefaultAzureCredential") return nil, errors.Wrap(err, "NewDefaultAzureCredential")
} }
}
client, err = azContainer.NewClient(url, cred, opts) client, err = azContainer.NewClient(url, cred, opts)
if err != nil { if err != nil {
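Review bot: The new `if cfg.ForceCliCredential` branch only runs inside the `else` that is reached when neither the SAS nor the account-key path was taken, so the option does not override those credentials even though the changelog wording ("ignoring other credentials") could be read that way; the head of that if/else chain and the rest of `open` lie outside the hunk, so this is inferred from the visible structure. A short comment at the top of the new branch would make the precedence explicit: `// ForceCliCredential only applies when neither AccountSAS nor AccountKey is configured; those take precedence.` The `cred, err =` assignments reuse the enclosing `err`, which is fine, but `NewAzureCLICredential(nil)` also deserves a one-line note that nil options means the SDK defaults (tenant, subscription) are used, since that is the only configuration knob the CLI credential gets here.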


@ -3,6 +3,7 @@ package azure
import ( import (
"os" "os"
"path" "path"
"strconv"
"strings" "strings"
"github.com/restic/restic/internal/errors" "github.com/restic/restic/internal/errors"
@ -16,6 +17,7 @@ type Config struct {
AccountName string AccountName string
AccountSAS options.SecretString AccountSAS options.SecretString
AccountKey options.SecretString AccountKey options.SecretString
ForceCliCredential bool
EndpointSuffix string EndpointSuffix string
Container string Container string
Prefix string Prefix string
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS")) cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
} }
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
if err == nil {
cfg.ForceCliCredential = forceCliCred
}
if cfg.EndpointSuffix == "" { if cfg.EndpointSuffix == "" {
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX") cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
} }
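Review bot: In `ApplyEnvironment` a value of `AZURE_FORCE_CLI_CREDENTIAL` that `strconv.ParseBool` rejects (e.g. `yes` or `on`) is silently discarded because the error is only used to skip the assignment, so a typo quietly leaves `ForceCliCredential` false and authentication falls through to `DefaultAzureCredential`, which is exactly what the user was trying to avoid; since the method returns nothing, at minimum document this with `// unparsable or unset values leave ForceCliCredential unchanged` above the parse, or only attempt the parse when the variable is non-empty so an explicit-but-invalid value can be reported. The declaration `var forceCliCred, err = strconv.ParseBool(...)` is unidiomatic inside a function body and should be `forceCliCred, err := strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))`. Unlike the surrounding fields, the env var is also applied even when the field was already set (an env value of `false` overrides a true value from the config), which is a consistency point worth a comment on the new `ForceCliCredential bool` field in `Config`, which currently has no doc comment at all. The enclosing method continues beyond the hunk.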