Fix default_credentials in azure storage provider (#4619)

Milos Gajdos 2025-04-08 22:09:57 -07:00 committed by GitHub
commit e028a30ecd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 14 additions and 10 deletions


@ -25,24 +25,24 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic
| Parameter | Required | Description |
|:-----------------------------------|:---------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `type` | yes | Azure credentials used to authenticate with Azure blob storage (`client_secret`, `shared_key`, `default_credentials`). |
| `clientid` | yes | The unique application ID of this application in your directory. |
| `tenantid` | yes | Azure Active Directorys global unique identifier. |
| `secret` | yes | A secret string that the application uses to prove its identity when requesting a token. |
| `clientid` | no | The unique application ID of this application in your directory. Required if not using Workload Identity. |
| `tenantid` | no | Azure Active Directorys global unique identifier. Required if not using Workload Identity. |
| `secret` | no | A secret string that the application uses to prove its identity when requesting a token. Required if not using Workload Identity. |
* `client_secret`: [used for token euthentication](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-overview#advantages-of-token-based-authentication)
* `client_secret`: [used for token authentication](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-overview#advantages-of-token-based-authentication)
* `shared_key`: used for shared key credentials authentication (read more [here](https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key))
* `default_credentials`: [default Azure credential authentication](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-overview#defaultazurecredential)
* `default_credentials`: [default Azure credential authentication](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-overview#defaultazurecredential) (supports [workload identity](#azure-workload-identity) in AKS)
## Related information
* To get information about Azure blob storage [the offical docs](https://azure.microsoft.com/en-us/services/storage/).
* You can use Azure [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
## Azure identity
## Azure managed identity
In order to use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep).
To use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep).
The following will configure credentials that will be used by the Azure storage driver to construct AZ Identity that will be used to access the blob storage:
The following configures credentials that the Azure storage driver will use to construct AZ Identity to access the blob storage:
```
properties: {
azure: {
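Review bot: the three rewritten parameter rows (`clientid`, `tenantid`, `secret`) tie the requirement to Workload Identity, but what actually makes them optional is the credentials `type`. With `shared_key` they are not used either (that path authenticates with the storage account key, not an Entra application), and `default_credentials` covers every source DefaultAzureCredential can resolve (environment variables, workload identity, managed identity, Azure CLI), not only AKS workload identity. Suggest "Required when `type` is `client_secret`." in place of "Required if not using Workload Identity." so the table agrees with the bullet list that follows it. Minor, since the `tenantid` row is touched anyway: "Azure Active Directorys" is missing its apostrophe.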
@ -54,3 +54,7 @@ properties: {
}
}
```
## Azure workload identity
If running in an AKS cluster with [Azure workload identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster), use the `default_credentials` type. There's no need to set the other credentials fields. The service account will need at least `Storage Blob Data Contributor` role on the storage account to read and write to it.
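Review bot: the new section should say which principal receives the `Storage Blob Data Contributor` assignment. With AKS workload identity the Kubernetes service account is federated to a user-assigned managed identity, and the role is assigned to that managed identity on the storage account, not to the service account object itself; as written, "The service account will need at least ..." will send readers to the wrong place in the portal. It is also worth a one-line caveat that `default_credentials` constructs a DefaultAzureCredential, which walks a chain of sources rather than failing fast: if the federation is misconfigured the registry can still come up using some other identity reachable from the pod (for example the node's managed identity via IMDS) and the first symptom is a 403 from blob storage, not a startup error. Pointing readers at the variables the workload identity webhook injects (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE`) as the thing to check would make that failure mode diagnosable.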


@ -51,9 +51,9 @@ type azureClient struct {
func newClient(params *DriverParameters) (*azureClient, error) {
switch params.Credentials.Type {
case CredentialsTypeClientSecret:
case CredentialsTypeClientSecret, CredentialsTypeDefault:
return newTokenClient(params)
case CredentialsTypeSharedKey, CredentialsTypeDefault:
case CredentialsTypeSharedKey:
return newSharedKeyCredentialsClient(params)
}
return nil, fmt.Errorf("invalid credentials type: %q", params.Credentials.Type)
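Review bot: moving `CredentialsTypeDefault` into the token-client branch is the right fix, but nothing in this hunk shows `newTokenClient` telling the two cases apart. Please confirm (or add in this PR) that `newTokenClient` builds a DefaultAzureCredential for `CredentialsTypeDefault` and only constructs the client-secret credential for `CredentialsTypeClientSecret`, and that parameter parsing no longer rejects an empty `clientid`/`tenantid`/`secret` for the default type, since the docs in this same commit now describe those fields as optional. A table-driven test over `newClient` for the three credential types, plus an unknown type hitting the `invalid credentials type: %q` error, would lock the switch in; the earlier grouping of `CredentialsTypeDefault` with `newSharedKeyCredentialsClient` shipped because no test exercised it.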