From 85aebd0f671e771e92be3fc7e91b4c94777ab365 Mon Sep 17 00:00:00 2001 From: RidRisR <79858083+RidRisR@users.noreply.github.com> Date: Fri, 19 Dec 2025 11:19:04 +0100 Subject: [PATCH 1/2] new auth method --- br/backup-and-restore-storages.md | 51 +++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/br/backup-and-restore-storages.md b/br/backup-and-restore-storages.md index 9c6aa083d8bbe..70057bd3f7a77 100644 --- a/br/backup-and-restore-storages.md +++ b/br/backup-and-restore-storages.md 
@@ -203,6 +203,57 @@ You can configure the account used to access GCS by specifying the access key. I --storage "azure://external/backup-20220915?account-name=${account-name}" ``` +- Method 4: Use Azure Managed Identity + + If your TiDB cluster and BR run on Azure Virtual Machines or Azure Kubernetes Service (AKS), and you have assigned a managed identity to the nodes, you can use this method. + + Before using this method, ensure that you have granted the managed identity access permissions to the target storage account (for example, the **Storage Blob Data Contributor** role) in the Azure Portal. + + - **System-assigned managed identity**: + + You do not need to configure any environment variables. Simply run the backup command. Ensure that the environment variables `$AZURE_CLIENT_ID`, `$AZURE_TENANT_ID`, and `$AZURE_CLIENT_SECRET` are **not** set in the runtime environment; otherwise, the SDK might attempt to use other authentication methods. + + - **User-assigned managed identity**: + + You need to configure the `$AZURE_CLIENT_ID` environment variable in the running environment of the BR tool and TiKV. The value should be the **Client ID** of the user-assigned managed identity. + + 1. **Configure TiKV (when started using TiUP)**: + + Suppose that the TiKV port on the node is `24000` (the systemd service name is `tikv-24000`): + + ```shell + systemctl edit tikv-24000 + ``` + + Edit the configuration to add the environment variable (only the Client ID is required): + + ```ini + [Service] + Environment="AZURE_CLIENT_ID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + ``` + + Reload the configuration and restart TiKV: + + ```shell + systemctl daemon-reload + systemctl restart tikv-24000 + ``` + + 2. 
**Configure the BR command-line tool**: + + Ensure that the environment variable exists in the current shell: + + ```shell + export AZURE_CLIENT_ID="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + ``` + + - Use BR to back up data to Azure Blob Storage: + + ```shell + tiup br backup full -u "${PD_IP}:2379" \ + --storage "azure://external/backup-20220915?account-name=${account-name}" + ``` + From 03d94367b867ac919a11ad57925435708c2dd88d Mon Sep 17 00:00:00 2001 From: ris <79858083+RidRisR@users.noreply.github.com> Date: Tue, 23 Dec 2025 18:59:28 +0800 Subject: [PATCH 2/2] Apply suggestions from code review accept gemini suggestions Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- br/backup-and-restore-storages.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/br/backup-and-restore-storages.md b/br/backup-and-restore-storages.md index 70057bd3f7a77..463479a5f86b8 100644 --- a/br/backup-and-restore-storages.md +++ b/br/backup-and-restore-storages.md @@ -211,7 +211,7 @@ You can configure the account used to access GCS by specifying the access key. I - **System-assigned managed identity**: - You do not need to configure any environment variables. Simply run the backup command. Ensure that the environment variables `$AZURE_CLIENT_ID`, `$AZURE_TENANT_ID`, and `$AZURE_CLIENT_SECRET` are **not** set in the runtime environment; otherwise, the SDK might attempt to use other authentication methods. + You do not need to configure any environment variables. Simply run the backup command. Ensure that the environment variables `$AZURE_CLIENT_ID`, `$AZURE_TENANT_ID`, and `$AZURE_CLIENT_SECRET` are **not** set in the runtime environment of BR and TiKV; otherwise, the SDK might attempt to use other authentication methods. - **User-assigned managed identity**: 
@@ -219,13 +219,13 @@ You can configure the account used to access GCS by specifying the access key. I 1. **Configure TiKV (when started using TiUP)**: - Suppose that the TiKV port on the node is `24000` (the systemd service name is `tikv-24000`): + For example, if the TiKV port on the node is `24000` (the systemd service name is `tikv-24000`): ```shell systemctl edit tikv-24000 ``` - Edit the configuration to add the environment variable (only the Client ID is required): + Edit the configuration to add the `$AZURE_CLIENT_ID` environment variable: ```ini [Service]
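Review bot: in the hunk `@@ -203,6 +203,57 @@` of patch 1/2, the user-assigned managed identity subsection sets only `AZURE_CLIENT_ID` but does not repeat the warning given under the system-assigned subsection that `$AZURE_TENANT_ID` and `$AZURE_CLIENT_SECRET` must not be set in the BR and TiKV environments. With the client ID present next to a tenant ID and secret, the SDK takes the client-secret credential path that the earlier sentence warns about instead of the managed identity, so the same "ensure that ... are **not** set" sentence belongs under the user-assigned steps as well, ideally right before `export AZURE_CLIENT_ID="..."`. A second point on the prerequisite paragraph: "for example, the **Storage Blob Data Contributor** role" leaves the reader without the minimum permissions BR needs; stating separately what backup (write to the container) and restore (read from the container) require lets operators grant the narrower permission when a node only performs restores.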
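Review bot: the reworded sentence in hunk `@@ -211,7 +211,7 @@` of patch 2/2 correctly scopes the check to "the runtime environment of BR and TiKV", but it should also say where those variables live so the check is actionable: for TiKV they come from the systemd unit and its drop-in overrides (the `systemctl edit tikv-24000` step added in patch 1/2 persists across restarts), and for BR from the shell that launches `tiup br`. A pointer such as "check the TiKV systemd unit overrides and the shell environment of BR" would make "Simply run the backup command" safe to follow on nodes that were previously configured with another method.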
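Review bot: in hunk `@@ -219,13 +219,13 @@` of patch 2/2, replacing "(only the Client ID is required)" with "the `$AZURE_CLIENT_ID` environment variable" drops the statement that no tenant ID or client secret is needed, which is the property that distinguishes this method from a client-secret configuration; suggest keeping both, e.g. "Edit the configuration to add the `$AZURE_CLIENT_ID` environment variable (no tenant ID or client secret is required):". Also, "For example, if the TiKV port on the node is `24000` (the systemd service name is `tikv-24000`):" is a conditional clause with no main clause; "For example, if the TiKV port on the node is `24000`, the systemd service name is `tikv-24000`, and you edit its unit with:" reads as a complete sentence before the `systemctl edit tikv-24000` block.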