forked from TrueCloudLab/restic
Merge pull request #4879 from restic/backport-azure-cli-option
Backport azure cli option
This commit is contained in:
commit
ca04a88e65
5 changed files with 48 additions and 11 deletions
5
changelog/unreleased/pull-4799
Normal file
5
changelog/unreleased/pull-4799
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Enhancement: Add option to force use of Azure CLI credential
|
||||||
|
|
||||||
|
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
|
||||||
|
|
||||||
|
https://github.com/restic/restic/pull/4799
|
|
@ -548,9 +548,23 @@ For authentication export one of the following variables:
|
||||||
# For SAS
|
# For SAS
|
||||||
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
|
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
|
||||||
|
|
||||||
Alternatively, if run on Azure, restic will automatically uses service accounts configured
|
For authentication using ``az login`` ensure the user has
|
||||||
|
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
|
||||||
|
for the storage account.
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ az login
|
||||||
|
|
||||||
|
Alternatively, if run on Azure, restic will automatically use service accounts configured
|
||||||
via the standard environment variables or Workload / Managed Identities.
|
via the standard environment variables or Workload / Managed Identities.
|
||||||
|
|
||||||
|
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ export AZURE_FORCE_CLI_CREDENTIAL=true
|
||||||
|
|
||||||
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
|
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
|
||||||
You can specify other suffixes as follows:
|
You can specify other suffixes as follows:
|
||||||
|
|
||||||
|
|
|
@ -597,6 +597,7 @@ environment variables. The following lists these environment variables:
|
||||||
AZURE_ACCOUNT_KEY Account key for Azure
|
AZURE_ACCOUNT_KEY Account key for Azure
|
||||||
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
|
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
|
||||||
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
|
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
|
||||||
|
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
|
||||||
|
|
||||||
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
|
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
|
||||||
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2
|
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2
|
||||||
|
|
|
@ -101,12 +101,22 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
|
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
var cred azcore.TokenCredential
|
||||||
|
|
||||||
|
if cfg.ForceCliCredential {
|
||||||
|
debug.Log(" - using AzureCLICredential")
|
||||||
|
cred, err = azidentity.NewAzureCLICredential(nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "NewAzureCLICredential")
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
debug.Log(" - using DefaultAzureCredential")
|
debug.Log(" - using DefaultAzureCredential")
|
||||||
cred, err := azidentity.NewDefaultAzureCredential(nil)
|
cred, err = azidentity.NewDefaultAzureCredential(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "NewDefaultAzureCredential")
|
return nil, errors.Wrap(err, "NewDefaultAzureCredential")
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
client, err = azContainer.NewClient(url, cred, opts)
|
client, err = azContainer.NewClient(url, cred, opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -3,6 +3,7 @@ package azure
|
||||||
import (
|
import (
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/restic/restic/internal/errors"
|
"github.com/restic/restic/internal/errors"
|
||||||
|
@ -16,6 +17,7 @@ type Config struct {
|
||||||
AccountName string
|
AccountName string
|
||||||
AccountSAS options.SecretString
|
AccountSAS options.SecretString
|
||||||
AccountKey options.SecretString
|
AccountKey options.SecretString
|
||||||
|
ForceCliCredential bool
|
||||||
EndpointSuffix string
|
EndpointSuffix string
|
||||||
Container string
|
Container string
|
||||||
Prefix string
|
Prefix string
|
||||||
|
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
|
||||||
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
|
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
|
||||||
|
if err == nil {
|
||||||
|
cfg.ForceCliCredential = forceCliCred
|
||||||
|
}
|
||||||
|
|
||||||
if cfg.EndpointSuffix == "" {
|
if cfg.EndpointSuffix == "" {
|
||||||
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
|
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue