Azure: add option to force use of CLI credential
parent
814ef4901f
commit
834f08fe2d
5
changelog/unreleased/pull-4799
Normal file
5
changelog/unreleased/pull-4799
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
Enhancement: Add option to force use of Azure CLI credential
|
||||||
|
|
||||||
|
A new environment variable `AZURE_FORCE_CLI_CREDENTIAL=true` allows forcing the use of Azure CLI credential, ignoring other credentials like managed identity.
|
||||||
|
|
||||||
|
https://github.com/restic/restic/pull/4799
|
@ -548,9 +548,23 @@ For authentication export one of the following variables:
|
|||||||
# For SAS
|
# For SAS
|
||||||
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
|
$ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
|
||||||
|
|
||||||
Alternatively, if run on Azure, restic will automatically uses service accounts configured
|
For authentication using ``az login`` ensure the user has
|
||||||
|
the minimum permissions of the role assignment ``Storage Blob Data Contributor`` on Azure RBAC
|
||||||
|
for the storage account.
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ az login
|
||||||
|
|
||||||
|
Alternatively, if run on Azure, restic will automatically use service accounts configured
|
||||||
via the standard environment variables or Workload / Managed Identities.
|
via the standard environment variables or Workload / Managed Identities.
|
||||||
|
|
||||||
|
To enforce the use of the Azure CLI credential when other credentials are present, set the following environment variable:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ export AZURE_FORCE_CLI_CREDENTIAL=true
|
||||||
|
|
||||||
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
|
Restic will by default use Azure's global domain ``core.windows.net`` as endpoint suffix.
|
||||||
You can specify other suffixes as follows:
|
You can specify other suffixes as follows:
|
||||||
|
|
||||||
|
@ -597,6 +597,7 @@ environment variables. The following lists these environment variables:
|
|||||||
AZURE_ACCOUNT_KEY Account key for Azure
|
AZURE_ACCOUNT_KEY Account key for Azure
|
||||||
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
|
AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure
|
||||||
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
|
AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net)
|
||||||
|
AZURE_FORCE_CLI_CREDENTIAL Force the use of Azure CLI credentials for authentication
|
||||||
|
|
||||||
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
|
B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2
|
||||||
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2
|
B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2
|
||||||
|
@ -101,6 +101,18 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
|
return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
|
||||||
}
|
}
|
||||||
|
} else if cfg.ForceCliCredential {
|
||||||
|
debug.Log(" - using AzureCLICredential")
|
||||||
|
|
||||||
|
cred, err := azidentity.NewAzureCLICredential(nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "NewAzureCLICredential")
|
||||||
|
}
|
||||||
|
|
||||||
|
client, err = azContainer.NewClient(url, cred, opts)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "NewClient")
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
debug.Log(" - using DefaultAzureCredential")
|
debug.Log(" - using DefaultAzureCredential")
|
||||||
cred, err := azidentity.NewDefaultAzureCredential(nil)
|
cred, err := azidentity.NewDefaultAzureCredential(nil)
|
||||||
|
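Review bot: The new `else if cfg.ForceCliCredential` branch sits after the SAS branch (and presumably the account-key branch above the hunk), so an account key or SAS token left in the environment still wins over the forced CLI credential. That is narrower than the documentation's "when other credentials are present", and an operator who sets the variable to pin the identity may end up authenticating with a different credential without noticing. I would state the precedence at the branch, e.g. `// Only reached when no account key or SAS token is set; those take precedence over AZURE_FORCE_CLI_CREDENTIAL.`, and consider a debug message when the flag is set but a key or SAS is used instead. The body of open starts and ends outside this hunk.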
@ -3,6 +3,7 @@ package azure
|
|||||||
import (
|
import (
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/restic/restic/internal/errors"
|
"github.com/restic/restic/internal/errors"
|
||||||
@ -13,12 +14,13 @@ import (
|
|||||||
// Config contains all configuration necessary to connect to an azure compatible
|
// Config contains all configuration necessary to connect to an azure compatible
|
||||||
// server.
|
// server.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
AccountName string
|
AccountName string
|
||||||
AccountSAS options.SecretString
|
AccountSAS options.SecretString
|
||||||
AccountKey options.SecretString
|
AccountKey options.SecretString
|
||||||
EndpointSuffix string
|
ForceCliCredential bool
|
||||||
Container string
|
EndpointSuffix string
|
||||||
Prefix string
|
Container string
|
||||||
|
Prefix string
|
||||||
|
|
||||||
Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
|
Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
|
||||||
}
|
}
|
||||||
@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
|
|||||||
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
|
cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
|
||||||
|
if err == nil {
|
||||||
|
cfg.ForceCliCredential = forceCliCred
|
||||||
|
}
|
||||||
|
|
||||||
if cfg.EndpointSuffix == "" {
|
if cfg.EndpointSuffix == "" {
|
||||||
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
|
cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
|
||||||
}
|
}
|
||||||
|
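Review bot: In the ApplyEnvironment hunk the error from `strconv.ParseBool` is dropped, so a value it does not accept (for example `yes` or `on`) leaves `ForceCliCredential` false and restic silently falls back to DefaultAzureCredential, which may select a managed identity the operator meant to exclude. ApplyEnvironment has no error return in the visible signature, so at minimum document the behaviour with `// Values strconv.ParseBool rejects are ignored and leave ForceCliCredential false.`; distinguishing an unset variable from an unparsable one and reporting the latter would be better. The declaration would also read more idiomatically as `forceCliCred, err := strconv.ParseBool(...)`. The function continues outside the hunk.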