fluent-plugin-azurestorage-gen2 0.3.4 → 0.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c6a19402e29cb9d0cc99d4c7540abe4078bf18b01de1679321caac31bbc22009
-  data.tar.gz: 1e721f1eb70a0c492532fed6246f216457673e6f5c210f333f8a07fa2b8be8d6
+  metadata.gz: 03f96fdc3c17e02d00b6a654594e865dcc733f7123559a56128741250d93311b
+  data.tar.gz: a1ebbbef45a3d6e7356073d8dcc4754611c9a3bd72b8b17f089f9300b31ece36
 SHA512:
-  metadata.gz: bb60e722eca5df9ad5a4a46f85c5d00090f745757a7e475c0091e75df746066456cd16380899770758869b638469a7a2ff865370f96e641436d124066190e7ea
-  data.tar.gz: 10890970199e264c2a2cc7a2711558deeb1ca694af1d680b262cff47935249d84559878ae7a1096774cfddfaf15175c1e7a25b32511c24d2302d32f51c01e229
+  metadata.gz: 7aecd0801303e5b28276dd1e80a1849d76794350b8f9376aaf630a7bff0c6906b892e83c08d5d7373673cc2916ba1e5cb4f4c199dbeb17ef2e52a85f9cef9f66
+  data.tar.gz: bd675a546521ec56300e00e9c965055a61be4d8c107b0d31aea8b2671264552829523849372714b96a45d9a04dcc02b40fc671e37e2f92ffcbd4d583ed27a7e0

data/README.md

@@ -51,6 +51,34 @@ $ gem install fluent-plugin-azurestorage-gen2
 </match>
 ```
 
+- Configuration in a pod using Azure Workload Identity:
+```
+<match **>
+  @type azurestorage_gen2
+  azure_storage_account            mystorageabfs
+  azure_container                  mycontainer
+  azure_use_workload_id            true
+  azure_oauth_tenant_id            <my tenant id>
+  azure_oauth_app_id               <my app client id>
+  azure_object_key_format          %{path}-%{index}.%{file_extension}
+  azure_oauth_refresh_interval     3600
+  time_slice_format                %Y%m%d-%H
+  file_extension                   log # only used with store_as none
+  path                             "/cluster-logs/myfolder/${tag[1]}-#{Socket.gethostname}-%M"
+  auto_create_container            true
+  store_as                         gzip
+  format                           single_value
+  <buffer tag,time>
+    @type file
+    path /var/log/fluent/azurestorage-buffer
+    timekey 5m
+    timekey_wait 0s
+    timekey_use_utc true
+    chunk_limit_size 64m
+  </buffer>
+</match>
+```
+
 - Configuration outside of VMs with OAuth credentials:
 ```
 <match **>
@@ -85,7 +113,7 @@ $ gem install fluent-plugin-azurestorage-gen2
   azure_oauth_tenant_id            <my tenant id>
   azure_oauth_app_id               <my app client id>
   azure_oauth_secret               <my client secret>
-  azure_oauth_identity_authority   login.microsoftonline.us
+  azure_oauth_identity_authority   https://login.microsoftonline.us
   ...
 </match>
 ```
@@ -97,6 +125,14 @@ $ gem install fluent-plugin-azurestorage-gen2
 Your Azure Storage Account Name. This can be got from Azure Management potal.
 This parameter is required when environment variable 'AZURE_STORAGE_ACCOUNT' is not set.
 
+### azure_use_workload_id
+
+Use Azure Workload Identity for authentication. The plugin will use a token generated from the kubernetes OIDC issuer to get an Azure OAuth2 token, which will be used to authenticate with the storage API. Supersedes other authentication types. Requires azure_oauth_tenant_id and azure_oauth_app_id to be set. See https://azure.github.io/azure-workload-identity/docs/introduction.html for implementation details. Default is false.
+
+### azure_federated_token_file_path
+
+The path where the federated token is mounted on the local filesystem. If not specified, defaults to the value of the environment variable `AZURE_FEDERATED_TOKEN_FILE`, or `/var/run/secrets/azure/tokens/azure-identity-token` if the environment variable is not set. Defaults set per Azure Workload Identity documentation.
+
 ### azure_storage_access_key (not implemented yet - use msi)
 
 Your Azure Storage Access Key(Primary or Secondary). This also can be got from Azure Management potal. Storage access key authentication is used when this parameter is provided or environment variable 'AZURE_STORAGE_ACCESS_KEY' is set.
@@ -115,11 +151,11 @@ Azure AD object id is a specific explicit identity to use when authenticating to
 
 ### azure_oauth_tenant_id (Preview)
 
-Azure account tenant id from your Azure Directory. Required if OAuth based credential mechanism is used.
+Azure account tenant id from your Azure Directory. Required if workload ID or OAuth based credential mechanism is used.
 
 ### azure_oauth_app_id (Preview)
 
-OAuth client id that is used for OAuth based authentication. Required if OAuth based credential mechanism is used.
+OAuth client id that is used for OAuth based authentication. Required if workload ID or OAuth based credential mechanism is used.
 
 ### azure_oauth_secret (Preview)
 
@@ -127,7 +163,7 @@ OAuth client secret that is used for OAuth based authentication. Required if OAu
 
 ### azure_oauth_identity_authority
 
-Identity Authority URL used to retrieve the OAuth token. Default is commercial cloud of 'login.microsoftonline.com' and to switch to using Azure Government Cloud, provide a value of 'login.microsoftonline.us'
+Identity Authority URL used to retrieve the OAuth token. Default is commercial cloud of 'https://login.microsoftonline.com' and to switch to using Azure Government Cloud, provide a value of 'https://login.microsoftonline.us'
 
 ### azure_oauth_refresh_interval
 

data/VERSION

@@ -1 +1 @@
-0.3.4
+0.3.7

data/lib/fluent/plugin/out_azurestorage_gen2.rb

@@ -23,13 +23,15 @@ module Fluent::Plugin
         config_param :path, :string, :default => ""
         config_param :azure_storage_account, :string, :default => nil
         config_param :azure_storage_access_key, :string, :default => nil, :secret => true
+        config_param :azure_use_workload_id, :string, :default => false
+        config_param :azure_federated_token_file_path, :string, :default => nil
         config_param :azure_instance_msi, :string, :default => nil
         config_param :azure_client_id, :string, :default => nil
         config_param :azure_object_id, :string, :default => nil
         config_param :azure_oauth_app_id, :string, :default => nil, :secret => true
         config_param :azure_oauth_secret, :string, :default => nil, :secret => true
         config_param :azure_oauth_tenant_id, :string, :default => nil
-        config_param :azure_oauth_identity_authority, :string, :default => "login.microsoftonline.com"
+        config_param :azure_oauth_identity_authority, :string, :default => "https://login.microsoftonline.com"
         config_param :azure_oauth_use_azure_cli, :bool, :default => false
         config_param :azure_oauth_refresh_interval, :integer, :default => 60 * 60
         config_param :azure_container, :string, :default => nil
@@ -261,17 +263,49 @@ module Fluent::Plugin
         end
 
         def acquire_access_token
-            if !@azure_instance_msi.nil?
+            if @azure_use_workload_id
+                acquire_access_token_federated
+            elsif !@azure_instance_msi.nil?
                 acquire_access_token_msi
             elsif !@azure_oauth_app_id.nil? and !@azure_oauth_secret.nil? and !@azure_oauth_tenant_id.nil?
                 acquire_access_token_oauth_app
             elsif @azure_oauth_use_azure_cli
                 acquire_access_token_by_az
             else
-                raise Fluent::UnrecoverableError, "Using MSI or 'az cli tool' or simple OAuth 2.0 based authentication parameters (azure_oauth_tenant_id, azure_oauth_app_id, azure_oauth_secret) are required."
+                raise Fluent::UnrecoverableError, "Using MSI or Workload Identity or 'az cli tool' or simple OAuth 2.0 based authentication parameters (azure_oauth_tenant_id, azure_oauth_app_id, azure_oauth_secret) are required."
             end
         end
 
+        private
+        def acquire_access_token_federated
+          token_path = @azure_federated_token_file_path ||= ENV['AZURE_TOKEN_FILE'] ||= "/var/run/secrets/azure/tokens/azure-identity-token"
+          log.debug "azurestorage_gen2: Reading federated token from #{token_path}"
+          token = File.read(token_path)
+          log.debug "azurestorage_gen2: Locally mounted token: #{token}"
+          params = { :"api-version" => ACCESS_TOKEN_API_VERSION, :resource => "#{@url_storage_resource}"}
+          headers = {:"Content-Type" => "application/x-www-form-urlencoded"}
+          content = "grant_type=client_credentials&client_id=#{@azure_oauth_app_id}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=#{token.chomp}&resource=#{@url_storage_resource}&scope=https://storage.azure.com/.default"
+          req_opts = {
+            :params => params,
+            :body => content,
+            :headers => headers,
+            :timeout => @http_timeout_seconds
+          }
+          add_proxy_options(req_opts)
+          request = Typhoeus::Request.new("#{@azure_oauth_identity_authority}/#{@azure_oauth_tenant_id}/oauth2/token", req_opts)
+
+          request.on_complete do |response|
+            if response.success?
+              data = JSON.parse(response.body)
+              log.debug "azurestorage_gen2: Token response: #{data}"
+              @azure_access_token = data["access_token"].chomp
+            else
+              raise Fluent::UnrecoverableError, "Failed to acquire access token. #{response.code}: #{response.body}"
+            end
+          end
+          request.run
+        end
+
         # Referenced from azure doc.
         # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage#get-an-access-token-and-use-it-to-call-azure-storage
         private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-azurestorage-gen2
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.3.7
 platform: ruby
 authors:
 - Oliver Szabo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-02 00:00:00.000000000 Z
+date: 2024-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd