From 0b7b3cacdc62fd7d58b562642c11659bd39696b7 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Wed, 18 Sep 2024 17:31:51 +0100
Subject: [PATCH] azureblob: add --azureblob-use-az to force the use of the Azure CLI for auth

Setting this can be useful if you wish to use the az CLI on a host with a System Managed Identity that you do not want to use.

Fixes #8078
---
 backend/azureblob/azureblob.go | 21 +++++++++++++++++++++
 docs/content/azureblob.md | 10 ++++++++++
 2 files changed, 31 insertions(+)

diff --git a/backend/azureblob/azureblob.go b/backend/azureblob/azureblob.go
index 92adde376..c7e43ecb4 100644
--- a/backend/azureblob/azureblob.go
+++ b/backend/azureblob/azureblob.go
@@ -259,6 +259,20 @@ msi_client_id, or msi_mi_res_id parameters.`,
 Help: "Uses local storage emulator if provided as 'true'.\n\nLeave blank if using real azure storage endpoint.",
 Default: false,
 Advanced: true,
+ }, {
+ Name: "use_az",
+ Help: `Use Azure CLI tool az for authentication
+
+Set to use the [Azure CLI tool az](https://learn.microsoft.com/en-us/cli/azure/)
+as the sole means of authentication.
+
+Setting this can be useful if you wish to use the az CLI on a host with
+a System Managed Identity that you do not want to use.
+
+Don't set env_auth at the same time.
+`,
+ Default: false,
+ Advanced: true,
 }, {
 Name: "endpoint",
 Help: "Endpoint for the service.\n\nLeave blank normally.",
@@ -459,6 +473,7 @@ type Options struct {
 MSIObjectID string `config:"msi_object_id"`
 MSIClientID string `config:"msi_client_id"`
 MSIResourceID string `config:"msi_mi_res_id"`
+ UseAZ bool `config:"use_az"`
 Endpoint string `config:"endpoint"`
 ChunkSize fs.SizeSuffix `config:"chunk_size"`
 UploadConcurrency int `config:"upload_concurrency"`
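Review bot: The Help text of the new `use_az` option entry does not say what the option depends on at runtime. The credential created for it in NewFs (`azidentity.NewAzureCLICredential`) obtains its tokens from the `az` tool, so rclone then acts as whichever account that CLI session is logged in to for the user running rclone. I would add a sentence such as `This requires the az tool to be installed and logged in (az login) as the user running rclone.` to the Help string and to the matching section of docs/content/azureblob.md.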
@@ -893,6 +908,12 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
 if err != nil {
 return nil, fmt.Errorf("failed to acquire MSI token: %w", err)
 }
+ case opt.UseAZ:
+ var options = azidentity.AzureCLICredentialOptions{}
+ cred, err = azidentity.NewAzureCLICredential(&options)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create Azure CLI credentials: %w", err)
+ }
 case opt.Account != "":
 // Anonymous access
 anonymous = true
diff --git a/docs/content/azureblob.md b/docs/content/azureblob.md
index 2c6d401b2..f95f1299a 100644
--- a/docs/content/azureblob.md
+++ b/docs/content/azureblob.md
@@ -297,6 +297,16 @@ be explicitly specified using exactly one of the `msi_object_id`, If none of `msi_object_id`, `msi_client_id`, or `msi_mi_res_id` is set, this is is equivalent to using `env_auth`.
+#### Azure CLI tool `az` {#use_az}
+
+Set to use the [Azure CLI tool `az`](https://learn.microsoft.com/en-us/cli/azure/)
+as the sole means of authentication.
+
+Setting this can be useful if you wish to use the `az` CLI on a host with
+a System Managed Identity that you do not want to use.
+
+Don't set `env_auth` at the same time.
+
 #### Anonymous {#anonymous}
 If you want to access resources with public anonymous access then set
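Review bot: In the NewFs hunk, `case opt.UseAZ:` sits after the MSI branch in what appears to be an ordered switch, so it only runs when no earlier case matches. The Help text promises az as the "sole means of authentication" and tells users not to set env_auth, but nothing visible enforces either. Because the option exists to avoid a host's managed identity, silently taking an earlier branch would authenticate as the very identity the user meant to skip. I would reject the combination before the switch, e.g. `if opt.UseAZ && opt.EnvAuth { return nil, fmt.Errorf("use_az and env_auth can't both be set") }` (assuming the env_auth field is `opt.EnvAuth`; the same check applies to the MSI setting). The switch head and the rest of NewFs lie outside the hunk, so the actual case order should be confirmed there.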