Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Azure: add option to force use of CLI credential #4799

Merged

Conversation

letmaik
Copy link
Contributor

@letmaik letmaik commented May 9, 2024

What does this PR change? What problem does it solve?

In Azure, VMs can have multiple identities at the same time, for example a managed identity and an Azure CLI identity. Sometimes the managed identity is not under control of the user but the user can still login with the Azure CLI. In those cases, being able to use the Azure CLI identity with restic makes sense.

DefaultAzureCredential first tries environment variables, managed identity, workload identity, and eventually Azure CLI identity. This PR introduces a new environment variable that forces use of the Azure CLI identity:

export AZURE_FORCE_CLI_CREDENTIAL=true

Was the change previously discussed in an issue or on the forum?

Checklist

  • I have read the contribution guidelines.
  • I have enabled maintainer edits.
  • I have added tests for all code changes.
    • Manually tested.
  • I have added documentation for relevant changes (in the manual).
  • There's a new file in changelog/unreleased/ that describes the changes for our users (see template).
  • I have run gofmt on the code in all commits.
  • All commit messages are formatted in the same style as the other commits in the repo.
  • I'm done! This pull request is ready for review.

@letmaik letmaik force-pushed the letmaik/azure-force-cli-credential branch from bf9d703 to 90993b0 Compare May 9, 2024 13:54
Copy link
Member

@MichaelEischer MichaelEischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding the environment variable seems ok, I didn't find any easy workarounds to ignore the managed identity.

I have a few comments though, see below.

internal/backend/azure/azure.go Outdated Show resolved Hide resolved
doc/030_preparing_a_new_repo.rst Show resolved Hide resolved
internal/backend/azure/config.go Outdated Show resolved Hide resolved
doc/030_preparing_a_new_repo.rst Show resolved Hide resolved
doc/030_preparing_a_new_repo.rst Outdated Show resolved Hide resolved
@letmaik letmaik force-pushed the letmaik/azure-force-cli-credential branch from 90993b0 to e1496e2 Compare May 15, 2024 17:17
@MichaelEischer MichaelEischer force-pushed the letmaik/azure-force-cli-credential branch from e1496e2 to c56ecec Compare May 18, 2024 20:16
Copy link
Member

@MichaelEischer MichaelEischer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I've rebased the PR and added a commit to deduplicate the CLI and default credentials case.

@MichaelEischer MichaelEischer added this pull request to the merge queue May 18, 2024
Merged via the queue into restic:master with commit 9c5bac6 May 18, 2024
13 checks passed
@letmaik letmaik deleted the letmaik/azure-force-cli-credential branch May 19, 2024 07:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants