Support azure blob storage auth with managed identity. #15753
@Piedone I know you said this, but how would you instantiate the client at
Some of the code is based on AzureAI module as per @MikeAlhayek suggestion.
A few topics to be worked on:
Please mark this PR ready for review, i.e. not draft, once it's not a WIP.
Yeah, indeed, you'll need to extend Since as mentioned, the Azure ImageSharp Image Cache only supports key-based configuration, this inheritance chain will need to be broken and the current classes copied, or some runtime exception added to make it fail if you try to configure managed identity for ImageSharp. I'm not sure which one is better (both are bad), but if that PR gets merged first, please implement something for this.
…ients to Media, Shells and DataProtection.
I've added testing instructions to the first comment.
I think we can simply not use the "AzureClientName" config on whichever module doesn't support it.
OK then. So, this is ready then, minus documentation?
Yes, but I'd appreciate if someone else could test in case I overlooked something.
We need to support multi-tenancy and configuration providers with every feature. So, this should also work with configuration coming solely from IShellConfiguration, thus supporting hierarchical configuration; we shouldn't have to configure anything in Program (having that option is good, but that being required doesn't match how Orchard operates).
I'm talking about adding URLs there. It's fine to have something like AddAzureManagedIdentity() to opt-in like AddAzureShellsConfiguration(), but the rest should happen internally and ultimately from IShellConfiguration.
This pull request has merge conflicts. Please resolve those before requesting a review.
Fixes: #12639
TODO:
To test:
a. Create a Storage Account
b. Go to Configuration and disable "Allow storage account key access"
c. Go to Access Control (IAM) and add the role Storage Blob Data Contributor to the account that you use on Visual Studio (Tools > Options > Azure Service Authentication > Account Selection).
Program.cs
appsettings.json
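
A stand-alone console check for the setup in steps a to c, added here as an example; it is not code from this PR and not the Program.cs or appsettings.json the description refers to. It uses the Azure.Identity and Azure.Storage.Blobs packages directly; the account name, the optional account key, and the container and blob names are placeholders you supply.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Blobs;

public static class ManagedIdentitySmokeTest
{
    // Usage: dotnet run -- <storage-account-name> [<account-key>]
    public static async Task Main(string[] args)
    {
        // Placeholders (assumptions): pass your own account name and, optionally, one of its keys.
        var accountName = args.Length > 0 ? args[0] : "<storage-account-name>";
        var accountKey = args.Length > 1 ? args[1] : null;
        var serviceUri = new Uri($"https://{accountName}.blob.core.windows.net");

        // Step c: token-based access. DefaultAzureCredential picks up a managed identity
        // when hosted in Azure, or the Visual Studio / Azure CLI sign-in on a dev machine.
        var tokenClient = new BlobServiceClient(serviceUri, new DefaultAzureCredential());
        var container = tokenClient.GetBlobContainerClient("mi-smoke-test");
        try
        {
            await container.CreateIfNotExistsAsync();
            await container.GetBlobClient("probe.txt")
                .UploadAsync(BinaryData.FromString("ok"), overwrite: true);
            Console.WriteLine("Token auth: write succeeded, the role assignment is effective.");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.WriteLine($"Token auth: 403 {ex.ErrorCode}; role missing or not yet applied.");
        }

        if (accountKey is null) return;

        // Step b: with "Allow storage account key access" disabled, a shared key request must be refused.
        var keyClient = new BlobServiceClient(
            serviceUri, new StorageSharedKeyCredential(accountName, accountKey));
        try
        {
            await keyClient.GetPropertiesAsync();
            Console.WriteLine("Shared key auth: ACCEPTED, key access is still enabled on this account.");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.WriteLine($"Shared key auth: rejected with {ex.ErrorCode}, as expected.");
        }
    }
}
```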