feat: support Azure ClientSecretCredential authentication (#4477)

* feat: support Azure ClientSecretCredential

* fix: consistent naming and descriptions for Azure client sercet values

* fix: ordering of azure storage options

Author: tylerkrop

cmd/pyroscope/help-all.txt.tmpl

@@ -917,6 +917,12 @@ Usage of ./pyroscope:
     	Azure storage account key. If unset, Azure managed identities will be used for authentication instead.
   -storage.azure.account-name string
     	Azure storage account name
+  -storage.azure.az-tenant-id string
+    	Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+  -storage.azure.client-id string
+    	Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+  -storage.azure.client-secret string
+    	Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.
   -storage.azure.connection-string string
     	If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.
   -storage.azure.container-name string

cmd/pyroscope/help.txt.tmpl

@@ -313,6 +313,12 @@ Usage of ./pyroscope:
     	Azure storage account key. If unset, Azure managed identities will be used for authentication instead.
   -storage.azure.account-name string
     	Azure storage account name
+  -storage.azure.az-tenant-id string
+    	Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+  -storage.azure.client-id string
+    	Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+  -storage.azure.client-secret string
+    	Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.
   -storage.azure.connection-string string
     	If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.
   -storage.azure.container-name string

docs/sources/configure-server/reference-configuration-parameters/index.md

@@ -2548,6 +2548,24 @@ http:
 The `azure_storage_backend` block configures the connection to Azure object storage backend.
 
 ```yaml
+# Azure Active Directory tenant ID. If set alongside `client-id` and
+# `client-secret`, these values will be used for authentication via a client
+# secret credential.
+# CLI flag: -storage.azure.az-tenant-id
+[az_tenant_id: <string> | default = ""]
+
+# Azure Active Directory client ID. If set alongside `az-tenant-id` and
+# `client-secret`, these values will be used for authentication via a client
+# secret credential.
+# CLI flag: -storage.azure.client-id
+[client_id: <string> | default = ""]
+
+# Azure Active Directory client secret. If set alongside `az-tenant-id` and
+# `client-id`, these values will be used for authentication via a client secret
+# credential.
+# CLI flag: -storage.azure.client-secret
+[client_secret: <string> | default = ""]
+
 # Azure storage account name
 # CLI flag: -storage.azure.account-name
 [account_name: <string> | default = ""]

pkg/objstore/providers/azure/bucket_client.go

@@ -21,6 +21,9 @@ func newBucketClient(cfg Config, name string, logger log.Logger, factory func(lo
 	// Start with default config to make sure that all parameters are set to sensible values, especially
 	// HTTP Config field.
 	bucketConfig := azure.DefaultConfig
+	bucketConfig.AzTenantID = cfg.AzTenantID
+	bucketConfig.ClientID = cfg.ClientID
+	bucketConfig.ClientSecret = cfg.ClientSecret.String()
 	bucketConfig.StorageAccountName = cfg.StorageAccountName
 	bucketConfig.StorageAccountKey = cfg.StorageAccountKey.String()
 	bucketConfig.StorageConnectionString = cfg.StorageConnectionString.String()

pkg/objstore/providers/azure/config.go

@@ -13,6 +13,9 @@ import (
 
 // Config holds the config options for an Azure backend
 type Config struct {
+	AzTenantID              string         `yaml:"az_tenant_id"`
+	ClientID                string         `yaml:"client_id"`
+	ClientSecret            flagext.Secret `yaml:"client_secret"`
 	StorageAccountName      string         `yaml:"account_name"`
 	StorageAccountKey       flagext.Secret `yaml:"account_key"`
 	StorageConnectionString flagext.Secret `yaml:"connection_string"`
@@ -29,6 +32,9 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 
 // RegisterFlagsWithPrefix registers the flags for Azure storage
 func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
+	f.StringVar(&cfg.AzTenantID, prefix+"azure.az-tenant-id", "", "Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.")
+	f.StringVar(&cfg.ClientID, prefix+"azure.client-id", "", "Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.")
+	f.Var(&cfg.ClientSecret, prefix+"azure.client-secret", "Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.")
 	f.StringVar(&cfg.StorageAccountName, prefix+"azure.account-name", "", "Azure storage account name")
 	f.Var(&cfg.StorageAccountKey, prefix+"azure.account-key", "Azure storage account key. If unset, Azure managed identities will be used for authentication instead.")
 	f.Var(&cfg.StorageConnectionString, prefix+"azure.connection-string", "If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.")