add OAuth, fix metadata endpoint auth

jpicht · Mar 11, 2022 · cab6436 · cab6436
1 parent c916027
commit cab6436
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -35,6 +35,10 @@ Currently authentication will always be automatically derived from the environme
 Supported methods (are tried in this order):
 1. connection string `AZURE_STORAGE_CONNECTION_STRING`
 1. shared key via `AZURE_STORAGE_ACCOUNT_NAME` and `AZURE_STORAGE_ACCOUNT_KEY`
+1. OAuth via `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and
+  1. `AZURE_CLIENT_SECRET` or
+  1. `AZURE_CLIENT_CERTIFICATE_PATH` or
+  2. `AZURE_USERNAME` and `AZURE_PASSWORD`
 1. metadata service `169.254.169.254`
 
 ## Installation

diff --git a/pkg/auth/auto.go b/pkg/auth/auto.go
@@ -31,6 +31,11 @@ func AuthFromEnv() *ClientCreator {
 		return c
 	}
 
+	if c := AuthFromEnvOAuth(); c != nil {
+		log.Debug("got client via oauth service")
+		return c
+	}
+
 	if c := AuthFromMetadata(); c != nil {
 		log.Debug("got client via metadata service")
 		return c
@@ -44,14 +49,17 @@ func AuthFromEnvSharedKey() *ClientCreator {
 	log.Debug("trying AZURE_STORAGE_ACCOUNT_NAME + AZURE_STORAGE_ACCOUNT_KEY")
 	accountName, ok := os.LookupEnv("AZURE_STORAGE_ACCOUNT_NAME")
 	if !ok {
+		log.Debug("missing environment variable AZURE_STORAGE_ACCOUNT_NAME")
 		return nil
 	}
 	accountKey, ok := os.LookupEnv("AZURE_STORAGE_ACCOUNT_KEY")
 	if !ok {
+		log.Debug("missing environment variable AZURE_STORAGE_ACCOUNT_KEY")
 		return nil
 	}
 	credential, err := azblob.NewSharedKeyCredential(accountName, accountKey)
 	if err != nil {
+		log.WithError(err).Debug("NewSharedKeyCredential failed")
 		return nil
 	}
 
@@ -67,6 +75,7 @@ func AuthFromEnvConnectionString() *ClientCreator {
 
 	connectionString, ok := os.LookupEnv("AZURE_STORAGE_CONNECTION_STRING")
 	if !ok {
+		log.Debug("missing environment variable AZURE_STORAGE_CONNECTION_STRING")
 		return nil
 	}
 
@@ -77,10 +86,27 @@ func AuthFromEnvConnectionString() *ClientCreator {
 	}
 }
 
+func AuthFromEnvOAuth() *ClientCreator {
+	log.Debug("trying to get identity via OAuth")
+
+	credential, err := azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{})
+
+	if err != nil {
+		log.WithError(err).Debug("oauth failed")
+		return nil
+	}
+
+	return &ClientCreator{
+		func(serviceUrl string) (azblob.ServiceClient, error) {
+			return azblob.NewServiceClient(serviceUrl, credential, &azblob.ClientOptions{})
+		},
+	}
+}
+
 func AuthFromMetadata() *ClientCreator {
 	log.Debug("trying to get identity via metadata service")
 
-	credential, err := azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{})
+	credential, err := azidentity.NewManagedIdentityCredential(nil)
 
 	if err != nil {
 		log.WithError(err).Debug("metadata failed")