diff --git a/cmd/pyroscope/help-all.txt.tmpl b/cmd/pyroscope/help-all.txt.tmpl
index 26a33eb525..fba3fba141 100644
--- a/cmd/pyroscope/help-all.txt.tmpl
+++ b/cmd/pyroscope/help-all.txt.tmpl
@@ -917,6 +917,12 @@ Usage of ./pyroscope:
 Azure storage account key. If unset, Azure managed identities will be used for authentication instead.
 -storage.azure.account-name string
 Azure storage account name
+ -storage.azure.az-tenant-id string
+ Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+ -storage.azure.client-id string
+ Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+ -storage.azure.client-secret string
+ Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.
 -storage.azure.connection-string string
 If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.
 -storage.azure.container-name string
diff --git a/cmd/pyroscope/help.txt.tmpl b/cmd/pyroscope/help.txt.tmpl
index 6f6a2d1482..34c557bb45 100644
--- a/cmd/pyroscope/help.txt.tmpl
+++ b/cmd/pyroscope/help.txt.tmpl
@@ -313,6 +313,12 @@ Usage of ./pyroscope:
 Azure storage account key. If unset, Azure managed identities will be used for authentication instead.
 -storage.azure.account-name string
 Azure storage account name
+ -storage.azure.az-tenant-id string
+ Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+ -storage.azure.client-id string
+ Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.
+ -storage.azure.client-secret string
+ Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.
 -storage.azure.connection-string string
 If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.
 -storage.azure.container-name string
diff --git a/docs/sources/configure-server/reference-configuration-parameters/index.md b/docs/sources/configure-server/reference-configuration-parameters/index.md
index eb9bb12e68..c46dfb9e5c 100644
--- a/docs/sources/configure-server/reference-configuration-parameters/index.md
+++ b/docs/sources/configure-server/reference-configuration-parameters/index.md
@@ -2548,6 +2548,24 @@ http:
 The `azure_storage_backend` block configures the connection to Azure object storage backend.
 ```yaml
+# Azure Active Directory tenant ID. If set alongside `client-id` and
+# `client-secret`, these values will be used for authentication via a client
+# secret credential.
+# CLI flag: -storage.azure.az-tenant-id
+[az_tenant_id: | default = ""]
+
+# Azure Active Directory client ID. If set alongside `az-tenant-id` and
+# `client-secret`, these values will be used for authentication via a client
+# secret credential.
+# CLI flag: -storage.azure.client-id
+[client_id: | default = ""]
+
+# Azure Active Directory client secret. If set alongside `az-tenant-id` and
+# `client-id`, these values will be used for authentication via a client secret
+# credential.
+# CLI flag: -storage.azure.client-secret
+[client_secret: | default = ""]
+
 # Azure storage account name
 # CLI flag: -storage.azure.account-name
 [account_name: | default = ""]
diff --git a/pkg/objstore/providers/azure/bucket_client.go b/pkg/objstore/providers/azure/bucket_client.go
index 1be7253037..de5bb2b6dc 100644
--- a/pkg/objstore/providers/azure/bucket_client.go
+++ b/pkg/objstore/providers/azure/bucket_client.go
@@ -21,6 +21,9 @@ func newBucketClient(cfg Config, name string, logger log.Logger, factory func(lo
 // Start with default config to make sure that all parameters are set to sensible values, especially
 // HTTP Config field.
 bucketConfig := azure.DefaultConfig
+ bucketConfig.AzTenantID = cfg.AzTenantID
+ bucketConfig.ClientID = cfg.ClientID
+ bucketConfig.ClientSecret = cfg.ClientSecret.String()
 bucketConfig.StorageAccountName = cfg.StorageAccountName
 bucketConfig.StorageAccountKey = cfg.StorageAccountKey.String()
 bucketConfig.StorageConnectionString = cfg.StorageConnectionString.String()
diff --git a/pkg/objstore/providers/azure/config.go b/pkg/objstore/providers/azure/config.go
index d5ad0aa7a7..85e93fd58f 100644
--- a/pkg/objstore/providers/azure/config.go
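Review bot: In pkg/objstore/providers/azure/bucket_client.go the three new values are copied into bucketConfig without any check that they were supplied together, so a partial set (for example `az-tenant-id` and `client-id` with an empty `client-secret`) is passed through as-is. The flag help says the client secret credential is used only when all three are set, so a partial set would presumably fall back to another authentication method without an error, and the process could then authenticate as a different identity than the operator intended. Consider rejecting partial configuration before these assignments, with an error along the lines of `az-tenant-id, client-id and client-secret must be set together` whenever one or two of the three are empty. The same check would fit a validation method on Config in config.go, if one exists. newBucketClient starts and ends outside this hunk, so its return shape and any existing validation are not visible here.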
+++ b/pkg/objstore/providers/azure/config.go
@@ -13,6 +13,9 @@ import (
 // Config holds the config options for an Azure backend
 type Config struct {
+ AzTenantID string `yaml:"az_tenant_id"`
+ ClientID string `yaml:"client_id"`
+ ClientSecret flagext.Secret `yaml:"client_secret"`
 StorageAccountName string `yaml:"account_name"`
 StorageAccountKey flagext.Secret `yaml:"account_key"`
 StorageConnectionString flagext.Secret `yaml:"connection_string"`
@@ -29,6 +32,9 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 // RegisterFlagsWithPrefix registers the flags for Azure storage
 func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
+ f.StringVar(&cfg.AzTenantID, prefix+"azure.az-tenant-id", "", "Azure Active Directory tenant ID. If set alongside `client-id` and `client-secret`, these values will be used for authentication via a client secret credential.")
+ f.StringVar(&cfg.ClientID, prefix+"azure.client-id", "", "Azure Active Directory client ID. If set alongside `az-tenant-id` and `client-secret`, these values will be used for authentication via a client secret credential.")
+ f.Var(&cfg.ClientSecret, prefix+"azure.client-secret", "Azure Active Directory client secret. If set alongside `az-tenant-id` and `client-id`, these values will be used for authentication via a client secret credential.")
 f.StringVar(&cfg.StorageAccountName, prefix+"azure.account-name", "", "Azure storage account name")
 f.Var(&cfg.StorageAccountKey, prefix+"azure.account-key", "Azure storage account key. If unset, Azure managed identities will be used for authentication instead.")
 f.Var(&cfg.StorageConnectionString, prefix+"azure.connection-string", "If `connection-string` is set, the value of `endpoint-suffix` will not be used. Use this method over `account-key` if you need to authenticate via a SAS token. Or if you use the Azurite emulator.")
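Review bot: The three fields added to Config in the first config.go hunk carry no comment, and nothing in the struct says they form a single credential that only takes effect as a group. A short comment above them would help, e.g. `// AzTenantID, ClientID and ClientSecret configure client secret credential authentication; all three must be set together.` Declaring ClientSecret as `flagext.Secret` matches the existing StorageAccountKey and StorageConnectionString fields. The struct continues outside the hunk.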
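Review bot: In the second config.go hunk the unchanged help for `azure.account-key` still says an unset key means managed identities are used, which is incomplete now that a client secret credential can be configured. The help texts also do not say which method wins when `account-key`, `connection-string` and the client secret values are all set. Suggest rewording that description, for instance `Azure storage account key. If unset, the client secret credential is used when configured, otherwise Azure managed identities.`; the actual order is presumably decided by the underlying azure provider and should be confirmed there. The `azure.client-secret` help could also note that a value passed on the command line is visible in the process arguments, so the config file is the safer place for it. RegisterFlagsWithPrefix continues outside the hunk.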