1
0
Fork 0
mirror of https://github.com/restic/restic.git synced 2025-01-03 13:45:20 +00:00

Azure: add option to force use of CLI credential

This commit is contained in:
Maik Riechert 2024-05-15 16:54:28 +00:00 committed by Michael Eischer
parent 814ef4901f
commit 834f08fe2d
5 changed files with 46 additions and 7 deletions

View file

@ -0,0 +1,5 @@
Enhancement: Add option to force use of Azure CLI credential
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
https://github.com/restic/restic/pull/4799

View file

@ -548,9 +548,23 @@ For authentication export one of the following variables:
# For SAS
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
Alternatively, if run on Azure, restic will automatically uses service accounts configured
For authentication using ``az login`` ensure the user has
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
for the storage account.
.. code-block:: console
$ az login
Alternatively, if run on Azure, restic will automatically use service accounts configured
via the standard environment variables or Workload / Managed Identities.
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
.. code-block:: console
$ export AZURE_FORCE_CLI_CREDENTIAL=true
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
You can specify other suffixes as follows:

View file

@ -597,6 +597,7 @@ environment variables. The following lists these environment variables:
AZURE_ACCOUNT_KEY Account key for Azure
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2

View file

@ -101,6 +101,18 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
if err != nil {
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
}
} else if cfg.ForceCliCredential {
debug.Log(" - using AzureCLICredential")
cred, err := azidentity.NewAzureCLICredential(nil)
if err != nil {
return nil, errors.Wrap(err, "NewAzureCLICredential")
}
client, err = azContainer.NewClient(url, cred, opts)
if err != nil {
return nil, errors.Wrap(err, "NewClient")
}
} else {
debug.Log(" - using DefaultAzureCredential")
cred, err := azidentity.NewDefaultAzureCredential(nil)

View file

@ -3,6 +3,7 @@ package azure
import (
"os"
"path"
"strconv"
"strings"
"github.com/restic/restic/internal/errors"
@ -13,12 +14,13 @@ import (
// Config contains all configuration necessary to connect to an azure compatible
// server.
type Config struct {
AccountName string
AccountSAS options.SecretString
AccountKey options.SecretString
EndpointSuffix string
Container string
Prefix string
AccountName string
AccountSAS options.SecretString
AccountKey options.SecretString
ForceCliCredential bool
EndpointSuffix string
Container string
Prefix string
Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
}
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
}
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
if err == nil {
cfg.ForceCliCredential = forceCliCred
}
if cfg.EndpointSuffix == "" {
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
}