From b52b829ece0d99baebcdf2e67f177894d77334b3 Mon Sep 17 00:00:00 2001
From: Andreas Christou
Date: Fri, 29 Sep 2023 10:06:03 +0100
Subject: [PATCH] [v9.5.x] Azure: Settings for Azure AD Workload Identity (#75690)
* Backport workload identity changes
* Tidy go.mod
* Add missing flag
---
 conf/defaults.ini | 18 ++++++++++++
 conf/sample.ini | 18 ++++++++++++
 .../setup-grafana/configure-grafana/_index.md | 26 +++++++++++++++++
 go.mod | 15 +++++-----
 go.sum | 28 ++++++++-----------
 packages/grafana-runtime/src/config.ts | 2 ++
 pkg/api/dtos/frontend_settings.go | 5 ++--
 pkg/api/frontendsettings.go | 5 ++--
 pkg/api/pluginproxy/token_provider_azure.go | 2 +-
 pkg/setting/setting_azure.go | 18 ++++++++++++
 pkg/tsdb/prometheus/azureauth/azure.go | 25 +----------------
 11 files changed, 109 insertions(+), 53 deletions(-)
diff --git a/conf/defaults.ini b/conf/defaults.ini
index 1a3f58555dc..92d7e878b9f 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -783,6 +783,24 @@ managed_identity_enabled = false # Should be set for user-assigned identity and should be empty for system-assigned identity managed_identity_client_id = +# Specifies whether Azure AD Workload Identity authentication should be enabled in datasources that support it +# For more documentation on Azure AD Workload Identity, review this documentation: +# https://azure.github.io/azure-workload-identity/docs/ +# Disabled by default, needs to be explicitly enabled +workload_identity_enabled = false + +# Tenant ID of the Azure AD Workload Identity +# Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account +workload_identity_tenant_id = + +# Client ID of the Azure AD Workload Identity +# Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account +workload_identity_client_id = + +# Custom path to token file for the Azure AD Workload Identity +# Allows to set a custom path to the projected service account token file +workload_identity_token_file = + #################################### Role-based Access Control ########### [rbac] # If enabled, cache permissions in a in memory cache diff --git a/conf/sample.ini b/conf/sample.ini index 0efc87384be..dc0d41e1980 100644 --- a/conf/sample.ini +++ b/conf/sample.ini 
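Review bot: The new comments for `workload_identity_tenant_id`, `workload_identity_client_id` and `workload_identity_token_file` say each value "overrides" a default without saying where that default comes from, so an operator cannot tell what happens when the key is left empty. Presumably the SDK falls back to the values the workload-identity webhook injects into the pod (the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_FEDERATED_TOKEN_FILE` environment variables); if so, a line such as `# When empty, the value injected by the workload identity webhook (AZURE_TENANT_ID) is used` under each key would close the gap. The phrasing `Allows to override ...` is also ungrammatical; `# Overrides the default tenant ID of the Azure AD identity associated with the Kubernetes service account` reads better. The same wording is repeated in the conf/sample.ini hunk and in the docs page, so all three should change together.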
@@ -754,6 +754,24 @@ # Should be set for user-assigned identity and should be empty for system-assigned identity ;managed_identity_client_id = +# Specifies whether Azure AD Workload Identity authentication should be enabled in datasources that support it +# For more documentation on Azure AD Workload Identity, review this documentation: +# https://azure.github.io/azure-workload-identity/docs/ +# Disabled by default, needs to be explicitly enabled +;workload_identity_enabled = false + +# Tenant ID of the Azure AD Workload Identity +# Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account +;workload_identity_tenant_id = + +# Client ID of the Azure AD Workload Identity +# Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account +;workload_identity_client_id = + +# Custom path to token file for the Azure AD Workload Identity +# Allows to set a custom path to the projected service account token file +;workload_identity_token_file = + #################################### Role-based Access Control ########### [rbac] ;permission_cache = true diff --git a/docs/sources/setup-grafana/configure-grafana/_index.md b/docs/sources/setup-grafana/configure-grafana/_index.md index b896c0e6d5d..5c289eeeb38 100644 --- a/docs/sources/setup-grafana/configure-grafana/_index.md +++ b/docs/sources/setup-grafana/configure-grafana/_index.md 
@@ -1105,6 +1105,32 @@ The client ID to use for user-assigned managed identity. Should be set for user-assigned identity and should be empty for system-assigned identity. +### workload_identity_enabled + +Specifies whether Azure AD Workload Identity authentication should be enabled in datasources that support it. + +For more documentation on Azure AD Workload Identity, review [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/) documentation. + +Disabled by default, needs to be explicitly enabled. + +### workload_identity_tenant_id + +Tenant ID of the Azure AD Workload Identity. + +Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account. + +### workload_identity_client_id + +Client ID of the Azure AD Workload Identity. + +Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account. + +### workload_identity_token_file + +Custom path to token file for the Azure AD Workload Identity. + +Allows to set a custom path to the projected service account token file. + ## [auth.jwt] Refer to [JWT authentication]({{< relref "../configure-security/configure-authentication/jwt/" >}}) for more information. diff --git a/go.mod b/go.mod index 1dc3c0ee191..16ab5a10584 100644 --- a/go.mod +++ b/go.mod @@ -66,7 +66,7 @@ require ( github.com/grafana/alerting v0.0.0-20230502194537-ce9fba922d97 github.com/grafana/cuetsy v0.1.6 github.com/grafana/grafana-aws-sdk v0.12.0 - github.com/grafana/grafana-azure-sdk-go v1.6.0 + github.com/grafana/grafana-azure-sdk-go v1.9.0 github.com/grafana/grafana-plugin-sdk-go v0.157.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/hashicorp/go-hclog v1.2.0 
@@ -133,7 +133,7 @@ require ( ) require ( - github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect @@ -169,7 +169,7 @@ require ( github.com/go-openapi/spec v0.20.8 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/go-openapi/validate v0.22.1 // indirect - github.com/golang-jwt/jwt/v4 v4.4.3 + github.com/golang-jwt/jwt/v4 v4.5.0 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect @@ -234,7 +234,7 @@ require ( require ( cloud.google.com/go/kms v1.4.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0 github.com/Azure/azure-storage-blob-go v0.15.0 github.com/Azure/go-autorest/autorest/adal v0.9.21 @@ -291,7 +291,6 @@ require ( github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/digitalocean/godo v1.88.0 // indirect - github.com/dnaeon/go-vcr v1.2.0 // indirect github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/drone-runners/drone-runner-docker v1.8.2 // indirect 
@@ -346,9 +345,9 @@ require ( cloud.google.com/go/compute v1.15.1 // indirect cloud.google.com/go/iam v0.8.0 // indirect filippo.io/age v1.1.1 - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect github.com/Masterminds/sprig/v3 v3.2.2 github.com/Microsoft/go-winio v0.5.2 // indirect github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect @@ -394,7 +393,7 @@ require ( github.com/yudai/pp v2.0.1+incompatible // indirect go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect - golang.org/x/mod v0.9.0 // indirect + golang.org/x/mod v0.9.0 gopkg.in/warnings.v0 v0.1.2 // indirect ) diff --git a/go.sum b/go.sum index 585ec64005d..07f58a731d4 100644 --- a/go.sum +++ b/go.sum 
@@ -119,12 +119,12 @@ github.com/Azure/azure-sdk-for-go v59.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v59.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v65.0.0+incompatible h1:HzKLt3kIwMm4KeJYTdx9EbjRYTySD/t8i1Ee/W5EGXw= github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 h1:t/W5MYAuQy81cvM8VUNfRLzhtKpXhVUAN7Cd7KVbTyc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0/go.mod h1:NBanQUfSWiWn3QEpWDTCU0IjBECKOYvl2R8xdRtMtiM= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 h1:SEy2xmstIphdPwNBUi7uhvjyjhVKISfwjfOJmuy7kg4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0 h1:TOFrNxfjslms5nLLIMjW7N0+zSALX4KiGsptmpb16AA= github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0/go.mod h1:EAyXOW1F6BTJPiK2pDvmnvxOHPxoTYWoqBeIlql+QhI= github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 
h1:Lg6BW0VPmCwcMlvOviL3ruHFO+H9tZNqscK0AeuFjGM= @@ -196,8 +196,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU= github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 h1:VgSJlZH5u0k2qxSpqyghcFQKmvYckj46uymKK5XzkBM= -github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0/go.mod h1:BDJ5qMFKx9DugEg3+uQSDCdbYPr5s9vBTrL9P8TpqOU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= @@ -414,7 +414,6 @@ github.com/bits-and-blooms/bitset v1.2.0 h1:Kn4yilvwNtMACtf1eYDlG8H77R07mZSPbMjL github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= 
@@ -688,7 +687,6 @@ github.com/dlmiddlecote/sqlstats v1.0.2 h1:gSU11YN23D/iY50A2zVYwgXgy072khatTsIW6 github.com/dlmiddlecote/sqlstats v1.0.2/go.mod h1:0CWaIh/Th+z2aI6Q9Jpfg/o21zmGxWhbByHgQSCUQvY= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= -github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= @@ -1082,8 +1080,9 @@ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzq github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU= github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-migrate/migrate/v4 v4.7.0 h1:gONcHxHApDTKXDyLH/H97gEHmpu1zcnnbAaq2zgrPrs= github.com/golang-migrate/migrate/v4 v4.7.0/go.mod h1:Qvut3N4xKWjoH3sokBccML6WyHSnggXm/DvMMnTsQIc= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= 
@@ -1281,8 +1280,8 @@ github.com/grafana/go-mssqldb v0.9.2 h1:FkyRJR4ywsT07iMtpFMHStrl8uuNkGIwp253Fee0 github.com/grafana/go-mssqldb v0.9.2/go.mod h1:HTCsUqZdb7oIO7jc37YauiSB5C3P/13AnpctVWBhlus= github.com/grafana/grafana-aws-sdk v0.12.0 h1:eUjFdFZeZE+nyu/RMRz+qFxTBew69ToLBrbRhTbjkfM= github.com/grafana/grafana-aws-sdk v0.12.0/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I= -github.com/grafana/grafana-azure-sdk-go v1.6.0 h1:lxvH/mVY7gKBtJKhZ4B/6tIZFY7Jth97HxBA38olaxs= -github.com/grafana/grafana-azure-sdk-go v1.6.0/go.mod h1:X4PdEQIYgHfn0KTa2ZTKvufhNz6jbCEKUQPZIlcyOGw= +github.com/grafana/grafana-azure-sdk-go v1.9.0 h1:4JRwlqgUtPRAQSoiV4DFZDQ3lbNsauHqj9kC6SMR9Ak= +github.com/grafana/grafana-azure-sdk-go v1.9.0/go.mod h1:1vBa0KOl+/Kcm7V888OyMXDSFncmek14q7XhEkrcSaA= github.com/grafana/grafana-google-sdk-go v0.1.0 h1:LKGY8z2DSxKjYfr2flZsWgTRTZ6HGQbTqewE3JvRaNA= github.com/grafana/grafana-google-sdk-go v0.1.0/go.mod h1:Vo2TKWfDVmNTELBUM+3lkrZvFtBws0qSZdXhQxRdJrE= github.com/grafana/grafana-plugin-sdk-go v0.94.0/go.mod h1:3VXz4nCv6wH5SfgB3mlW39s+c+LetqSCjFj7xxPC5+M= @@ -1789,7 +1788,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= 
@@ -2265,8 +2263,6 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8= github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= -github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M= -github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= github.com/urfave/cli/v2 v2.25.0 h1:ykdZKuQey2zq0yin/l7JOm9Mh+pg72ngYMeB0ABn6q8= github.com/urfave/cli/v2 v2.25.0/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc= github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= diff --git a/packages/grafana-runtime/src/config.ts b/packages/grafana-runtime/src/config.ts index 51bc8d33dbb..2aed4add890 100644 --- a/packages/grafana-runtime/src/config.ts +++ b/packages/grafana-runtime/src/config.ts @@ -22,6 +22,7 @@ import { export interface AzureSettings { cloud?: string; managedIdentityEnabled: boolean; + workloadIdentityEnabled: boolean; } export type AppPluginConfig = { @@ -125,6 +126,7 @@ export class GrafanaBootConfig implements GrafanaConfig { awsAssumeRoleEnabled = false; azure: AzureSettings = { managedIdentityEnabled: false, + workloadIdentityEnabled: false, }; caching = { enabled: false, diff --git a/pkg/api/dtos/frontend_settings.go b/pkg/api/dtos/frontend_settings.go index fdbf8977719..9d960a3b582 100644 --- a/pkg/api/dtos/frontend_settings.go +++ b/pkg/api/dtos/frontend_settings.go 
@@ -44,8 +44,9 @@ type FrontendSettingsLicenseInfoDTO struct { } type FrontendSettingsAzureDTO struct { - Cloud string `json:"cloud"` - ManagedIdentityEnabled bool `json:"managedIdentityEnabled"` + Cloud string `json:"cloud"` + ManagedIdentityEnabled bool `json:"managedIdentityEnabled"` + WorkloadIdentityEnabled bool `json:"workloadIdentityEnabled"` } type FrontendSettingsCachingDTO struct { diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go index 7293b1bc458..5bfdef5b5f2 100644 --- a/pkg/api/frontendsettings.go +++ b/pkg/api/frontendsettings.go @@ -191,8 +191,9 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro SupportBundlesEnabled: isSupportBundlesEnabled(hs), Azure: dtos.FrontendSettingsAzureDTO{ - Cloud: hs.Cfg.Azure.Cloud, - ManagedIdentityEnabled: hs.Cfg.Azure.ManagedIdentityEnabled, + Cloud: hs.Cfg.Azure.Cloud, + ManagedIdentityEnabled: hs.Cfg.Azure.ManagedIdentityEnabled, + WorkloadIdentityEnabled: hs.Cfg.Azure.WorkloadIdentityEnabled, }, Caching: dtos.FrontendSettingsCachingDTO{ diff --git a/pkg/api/pluginproxy/token_provider_azure.go b/pkg/api/pluginproxy/token_provider_azure.go index a0db3524c35..c2ef22bfe8d 100644 --- a/pkg/api/pluginproxy/token_provider_azure.go +++ b/pkg/api/pluginproxy/token_provider_azure.go @@ -20,7 +20,7 @@ type azureAccessTokenProvider struct { func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) { credentials := getAzureCredentials(cfg.Azure, authParams) - tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials) + tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials, false) if err != nil { return nil, err } diff --git a/pkg/setting/setting_azure.go b/pkg/setting/setting_azure.go index 0a6d5cc4022..c86bb0d4396 100644 --- a/pkg/setting/setting_azure.go +++ b/pkg/setting/setting_azure.go 
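Review bot: The new third argument to `aztokenprovider.NewAzureAccessTokenProvider` in `newAzureAccessTokenProvider` is a bare `false`, so a reader cannot tell which capability is being switched off without opening the SDK (presumably the user-identity / on-behalf-of flow, which the plugin proxy does not use). Give it a name at the call site, e.g. `const userIdentitySupported = false` on the line before and `tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials, userIdentitySupported)`, so the intent survives future SDK signature changes. The body of `newAzureAccessTokenProvider` continues outside the hunk.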
@@ -15,5 +15,23 @@ func (cfg *Cfg) readAzureSettings() { azureSettings.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false) azureSettings.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String() + // Workload Identity authentication + if azureSection.Key("workload_identity_enabled").MustBool(false) { + azureSettings.WorkloadIdentityEnabled = true + workloadIdentitySettings := &azsettings.WorkloadIdentitySettings{} + + if val := azureSection.Key("workload_identity_tenant_id").String(); val != "" { + workloadIdentitySettings.TenantId = val + } + if val := azureSection.Key("workload_identity_client_id").String(); val != "" { + workloadIdentitySettings.ClientId = val + } + if val := azureSection.Key("workload_identity_token_file").String(); val != "" { + workloadIdentitySettings.TokenFile = val + } + + azureSettings.WorkloadIdentitySettings = workloadIdentitySettings + } + cfg.Azure = azureSettings } diff --git a/pkg/tsdb/prometheus/azureauth/azure.go b/pkg/tsdb/prometheus/azureauth/azure.go index a61e1bf8f4e..1ce7ba534bf 100644 --- a/pkg/tsdb/prometheus/azureauth/azure.go +++ b/pkg/tsdb/prometheus/azureauth/azure.go @@ -77,7 +77,7 @@ func getOverriddenScopes(jsonData map[string]interface{}) ([]string, error) { func getPrometheusScopes(settings *azsettings.AzureSettings, credentials azcredentials.AzureCredentials) ([]string, error) { // Extract cloud from credentials - azureCloud, err := getAzureCloudFromCredentials(settings, credentials) + azureCloud, err := azcredentials.GetAzureCloud(settings, credentials) if err != nil { return nil, err } 
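Review bot: The three `if val := ...; val != ""` guards in the new workload-identity block are redundant: `workloadIdentitySettings` has just been created as a zero value, so assigning an empty string to `TenantId`, `ClientId` or `TokenFile` changes nothing. The block collapses to `workloadIdentitySettings.TenantId = azureSection.Key("workload_identity_tenant_id").String()` plus the two matching lines for the client ID and the token file. Note also that `workload_identity_token_file` is stored exactly as given, with no check that it is a non-empty absolute path or that the file is readable; if the SDK does not validate it either, a misconfigured path only surfaces at the first token request rather than at startup, so a startup check or at least a log line naming the path would help operators diagnose it. The opening lines of `readAzureSettings` are outside the hunk.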
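Review bot: Replacing the local `getAzureCloudFromCredentials` with `azcredentials.GetAzureCloud` in `getPrometheusScopes` drops the Prometheus-specific context from the unsupported-credential error; the removed helper said the credential type was `not supported by Prometheus datasource`, whereas the SDK error will carry only whatever the SDK says. Wrapping at the call site keeps that context for whoever reads the log: `return nil, fmt.Errorf("prometheus datasource: resolving Azure cloud from credentials: %w", err)`. This assumes `fmt` is still imported in azure.go after the helper removal; `getPrometheusScopes` continues outside the hunk.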
@@ -90,26 +90,3 @@ func getPrometheusScopes(settings *azsettings.AzureSettings, credentials azcrede return scopes, nil } } - -// To be part of grafana-azure-sdk-go -func getAzureCloudFromCredentials(settings *azsettings.AzureSettings, credentials azcredentials.AzureCredentials) (string, error) { - switch c := credentials.(type) { - case *azcredentials.AzureManagedIdentityCredentials: - // In case of managed identity, the cloud is always same as where Grafana is hosted - return getDefaultAzureCloud(settings), nil - case *azcredentials.AzureClientSecretCredentials: - return c.AzureCloud, nil - default: - err := fmt.Errorf("the Azure credentials of type '%s' not supported by Prometheus datasource", c.AzureAuthType()) - return "", err - } -} - -// To be part of grafana-azure-sdk-go -func getDefaultAzureCloud(settings *azsettings.AzureSettings) string { - cloudName := settings.Cloud - if cloudName == "" { - return azsettings.AzurePublic - } - return cloudName -}