mirror of https://github.com/restic/restic.git
Merge pull request #4799 from letmaik/letmaik/azure-force-cli-credential
Azure: add option to force use of CLI credential
This commit is contained in:
commit
9c5bac6f25
|
@ -0,0 +1,5 @@
|
|||
Enhancement: Add option to force use of Azure CLI credential
|
||||
|
||||
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
|
||||
|
||||
https://github.com/restic/restic/pull/4799
|
|
@ -550,17 +550,23 @@ For authentication export one of the following variables:
|
|||
# For SAS
|
||||
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
|
||||
|
||||
For authentication using ``az login`` set the resource group name and ensure the user has
|
||||
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC.
|
||||
For authentication using ``az login`` ensure the user has
|
||||
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
|
||||
for the storage account.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ export AZURE_RESOURCE_GROUP=<RESOURCE_GROUP_NAME>
|
||||
$ az login
|
||||
|
||||
Alternatively, if run on Azure, restic will automatically uses service accounts configured
|
||||
Alternatively, if run on Azure, restic will automatically use service accounts configured
|
||||
via the standard environment variables or Workload / Managed Identities.
|
||||
|
||||
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ export AZURE_FORCE_CLI_CREDENTIAL=true
|
||||
|
||||
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
|
||||
You can specify other suffixes as follows:
|
||||
|
||||
|
|
|
@ -673,6 +673,7 @@ environment variables. The following lists these environment variables:
|
|||
AZURE_ACCOUNT_KEY Account key for Azure
|
||||
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
|
||||
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
|
||||
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
|
||||
|
||||
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
|
||||
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2
|
||||
|
|
|
@ -102,10 +102,20 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
|
|||
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
|
||||
}
|
||||
} else {
|
||||
debug.Log(" - using DefaultAzureCredential")
|
||||
cred, err := azidentity.NewDefaultAzureCredential(nil)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "NewDefaultAzureCredential")
|
||||
var cred azcore.TokenCredential
|
||||
|
||||
if cfg.ForceCliCredential {
|
||||
debug.Log(" - using AzureCLICredential")
|
||||
cred, err = azidentity.NewAzureCLICredential(nil)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "NewAzureCLICredential")
|
||||
}
|
||||
} else {
|
||||
debug.Log(" - using DefaultAzureCredential")
|
||||
cred, err = azidentity.NewDefaultAzureCredential(nil)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "NewDefaultAzureCredential")
|
||||
}
|
||||
}
|
||||
|
||||
client, err = azContainer.NewClient(url, cred, opts)
|
||||
|
|
|
@ -3,6 +3,7 @@ package azure
|
|||
import (
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/restic/restic/internal/backend"
|
||||
|
@ -13,12 +14,13 @@ import (
|
|||
// Config contains all configuration necessary to connect to an azure compatible
|
||||
// server.
|
||||
type Config struct {
|
||||
AccountName string
|
||||
AccountSAS options.SecretString
|
||||
AccountKey options.SecretString
|
||||
EndpointSuffix string
|
||||
Container string
|
||||
Prefix string
|
||||
AccountName string
|
||||
AccountSAS options.SecretString
|
||||
AccountKey options.SecretString
|
||||
ForceCliCredential bool
|
||||
EndpointSuffix string
|
||||
Container string
|
||||
Prefix string
|
||||
|
||||
Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
|
||||
}
|
||||
|
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
|
|||
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
|
||||
}
|
||||
|
||||
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
|
||||
if err == nil {
|
||||
cfg.ForceCliCredential = forceCliCred
|
||||
}
|
||||
|
||||
if cfg.EndpointSuffix == "" {
|
||||
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue