@armru armru commented Dec 16, 2025

This commit adds support for the DefaultAzureCredential authentication mechanism in Azure Blob Storage. Users can now use the `useDefaultAzureCredentials` option to enable Azure's default credential chain, which automatically discovers and uses available credentials in the following order:

  1. Environment Variables (Service Principal)
  2. Managed Identity
  3. Azure CLI
  4. Azure PowerShell

This is particularly useful when running on Azure Kubernetes Service (AKS) with
Workload Identity, eliminating the need to explicitly store credentials in
Kubernetes Secrets.

This commit adds support for the DefaultAzureCredential authentication mechanism
in Azure Blob Storage. Users can now use the `useDefaultAzureCredentials` option
to enable Azure's default credential chain, which automatically discovers and uses
available credentials in the following order

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
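
The first-match order listed in the PR description, modelled as an added example that is not code from this PR or from the Azure SDK. `Probe`, `Resolve` and the booleans standing in for steps 2 to 4 are assumptions; the point shown is that a complete set of service-principal variables wins over a managed identity, while the identity variables alone do not satisfy step 1.

```go
package main

import "fmt"

// Constructed model of the four-step order listed in the PR description.
// It is not the Azure SDK: steps 2-4 are reduced to booleans the caller supplies.
type Probe struct {
	Env             map[string]string // environment of the backup container
	ManagedIdentity bool              // assumption: a managed identity is reachable
	AzureCLI        bool              // assumption: a logged-in Azure CLI is present
	AzurePowerShell bool              // assumption: a logged-in Azure PowerShell is present
}

// Service-principal variables read by the environment step.
var spVars = []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}

// envComplete reports whether every service-principal variable is non-empty.
func envComplete(env map[string]string) bool {
	for _, k := range spVars {
		if env[k] == "" {
			return false
		}
	}
	return true
}

// Resolve returns the first step able to supply a credential, plus a warning
// when a static secret shadows an available managed identity.
func Resolve(p Probe) (source, warning string) {
	switch {
	case envComplete(p.Env):
		source = "environment"
		if p.ManagedIdentity {
			warning = "AZURE_CLIENT_SECRET in the environment takes precedence over the managed identity"
		}
	case p.ManagedIdentity:
		source = "managed-identity"
	case p.AzureCLI:
		source = "azure-cli"
	case p.AzurePowerShell:
		source = "azure-powershell"
	default:
		source = "none"
	}
	return source, warning
}

func main() {
	// Constructed input: identity variables plus a leftover client secret.
	env := map[string]string{"AZURE_TENANT_ID": "t", "AZURE_CLIENT_ID": "c", "AZURE_CLIENT_SECRET": "s"}
	fmt.Println(Resolve(Probe{Env: env, ManagedIdentity: true}))
}
```

A non-empty warning is the case to audit for in pod specs: a secret left in the environment decides which identity the backup runs as.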
@armru armru requested a review from a team as a code owner December 16, 2025 16:47
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request go Pull requests that update go code labels Dec 16, 2025
@armru armru changed the title feat: Add support for DefaultAzureCredential authentication mechanism feat: add support for DefaultAzureCredential authentication mechanism Dec 16, 2025
Comment on lines +40 to +41
// When using default Azure credentials, no secrets are required
if !barmanCredentials.Azure.UseDefaultAzureCredentials {

Should we also include `barmanCredentials.Azure.InheritFromAzureAD` here?

Suggested change
// When using default Azure credentials, no secrets are required
if !barmanCredentials.Azure.UseDefaultAzureCredentials {
// When using default Azure credentials or AzureAD, no secrets are required
if !barmanCredentials.Azure.UseDefaultAzureCredentials && !barmanCredentials.Azure.InheritFromAzureAD {
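
Review bot: Missing mutual-exclusion check around the `if` condition: with `UseDefaultAzureCredentials` or `InheritFromAzureAD` set, the secret requirement is skipped, but nothing in these lines rejects a configuration that sets both flags, or that sets a flag alongside explicit secret references. Consider validating that a single authentication method is selected, so that a leftover secret is not silently ignored and the identity in effect is unambiguous.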

Comment on lines +266 to +267
This is particularly useful when running on Azure Kubernetes Service (AKS) with
[Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview):

I'm not sure if this assessment is totally precise. I think Azure Default Credentials are primarily useful to delegate to the SDK the auth mechanism inferring it from the environment, so that different auth methods can be used in different environments seamlessly.

@GabriFedi97

@armru the manifests generation seems to be missing in this PR

GabriFedi97 added a commit to GabriFedi97/plugin-barman-cloud that referenced this pull request Dec 23, 2025
…g#681)

Make explicit in docs that the inheritFromAzureAD option enables
the usage of Azure Managed Identity authentication mechanism.

Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>