Add aad auth option when using azure storage account (#1973)

Support managed identity authentication in Azure Blob Storage.

pkg/config/azureblob.go

@@ -2,7 +2,9 @@ package config
 
 // AzureBlobConfig specifies the properties required to use Azure as the storage backend.
 type AzureBlobConfig struct {
-	AccountName   string `envconfig:"ATHENS_AZURE_ACCOUNT_NAME"   validate:"required"`
-	AccountKey    string `envconfig:"ATHENS_AZURE_ACCOUNT_KEY"    validate:"required"`
-	ContainerName string `envconfig:"ATHENS_AZURE_CONTAINER_NAME" validate:"required"`
+	AccountName               string `envconfig:"ATHENS_AZURE_ACCOUNT_NAME"                 validate:"required"`
+	AccountKey                string `envconfig:"ATHENS_AZURE_ACCOUNT_KEY"`
+	ManagedIdentityResourceID string `envconfig:"ATHENS_AZURE_MANAGED_IDENTITY_RESOURCE_ID"`
+	StorageResource           string `envconfig:"ATHENS_AZURE_STORAGE_RESOURCE"`
+	ContainerName             string `envconfig:"ATHENS_AZURE_CONTAINER_NAME"               validate:"required"`
 }

pkg/config/config_test.go

@@ -235,9 +235,11 @@ func TestParseExampleConfig(t *testing.T) {
 			Bucket: "MY_S3_BUCKET_NAME",
 		},
 		AzureBlob: &AzureBlobConfig{
-			AccountName:   "MY_AZURE_BLOB_ACCOUNT_NAME",
-			AccountKey:    "MY_AZURE_BLOB_ACCOUNT_KEY",
-			ContainerName: "MY_AZURE_BLOB_CONTAINER_NAME",
+			AccountName:               "MY_AZURE_BLOB_ACCOUNT_NAME",
+			AccountKey:                "MY_AZURE_BLOB_ACCOUNT_KEY",
+			ManagedIdentityResourceID: "MY_AZURE_MANAGED_IDENTITY_RESOURCE_ID",
+			StorageResource:           "MY_AZURE_STORAGE_RESOURCE",
+			ContainerName:             "MY_AZURE_BLOB_CONTAINER_NAME",
 		},
 		External: &External{URL: ""},
 	}

pkg/stash/with_azureblob.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-storage-blob-go/azblob"
+	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/gomods/athens/pkg/config"
 	"github.com/gomods/athens/pkg/errors"
 	"github.com/gomods/athens/pkg/observ"
@@ -21,13 +22,30 @@ import (
 func WithAzureBlobLock(conf *config.AzureBlobConfig, timeout time.Duration, checker storage.Checker) (Wrapper, error) {
 	const op errors.Op = "stash.WithAzureBlobLock"
 
+	if conf.AccountKey == "" && (conf.ManagedIdentityResourceID == "" || conf.StorageResource == "") {
+		return nil, errors.E(op, "either account key or managed identity resource id and storage resource must be set")
+	}
 	accountURL, err := url.Parse(fmt.Sprintf("https://%s.blob.core.windows.net", conf.AccountName))
 	if err != nil {
 		return nil, errors.E(op, err)
 	}
-	cred, err := azblob.NewSharedKeyCredential(conf.AccountName, conf.AccountKey)
-	if err != nil {
-		return nil, errors.E(op, err)
+	var cred azblob.Credential
+	if conf.AccountKey != "" {
+		cred, err = azblob.NewSharedKeyCredential(conf.AccountName, conf.AccountKey)
+		if err != nil {
+			return nil, errors.E(op, err)
+		}
+	}
+	if conf.ManagedIdentityResourceID != "" {
+		spStorageToken, err := adal.NewServicePrincipalTokenFromManagedIdentity(conf.StorageResource, &adal.ManagedIdentityOptions{IdentityResourceID: conf.ManagedIdentityResourceID})
+		if err != nil {
+			return nil, errors.E(op, err)
+		}
+		err = spStorageToken.Refresh()
+		if err != nil {
+			return nil, errors.E(op, err)
+		}
+		cred = azblob.NewTokenCredential(spStorageToken.OAuthToken(), nil)
 	}
 	pipe := azblob.NewPipeline(cred, azblob.PipelineOptions{})
 	serviceURL := azblob.NewServiceURL(*accountURL, pipe)

pkg/stash/with_azureblob_test.go

@@ -86,7 +86,9 @@ func (ms *mockAzureBlobStasher) Stash(ctx context.Context, mod, ver string) (str
 
 func getAzureTestConfig(containerName string) *config.AzureBlobConfig {
 	key := os.Getenv("ATHENS_AZURE_ACCOUNT_KEY")
-	if key == "" {
+	resourceId := os.Getenv("ATHENS_AZURE_MANAGED_IDENTITY_RESOURCE_ID")
+	storageResource := os.Getenv("ATHENS_AZURE_STORAGE_RESOURCE")
+	if key == "" && (resourceId == "" || storageResource == "") {
 		return nil
 	}
 	name := os.Getenv("ATHENS_AZURE_ACCOUNT_NAME")
@@ -94,9 +96,11 @@ func getAzureTestConfig(containerName string) *config.AzureBlobConfig {
 		return nil
 	}
 	return &config.AzureBlobConfig{
-		AccountName:   name,
-		AccountKey:    key,
-		ContainerName: containerName,
+		AccountName:               name,
+		AccountKey:                key,
+		ManagedIdentityResourceID: resourceId,
+		StorageResource:           storageResource,
+		ContainerName:             containerName,
 	}
 }
 

pkg/storage/azureblob/azureblob_test.go

@@ -70,7 +70,9 @@ func getStorage(t testing.TB) *Storage {
 
 func getTestConfig(containerName string) *config.AzureBlobConfig {
 	key := os.Getenv("ATHENS_AZURE_ACCOUNT_KEY")
-	if key == "" {
+	resourceId := os.Getenv("ATHENS_AZURE_MANAGED_IDENTITY_RESOURCE_ID")
+	storageResource := os.Getenv("ATHENS_AZURE_STORAGE_RESOURCE")
+	if key == "" && (resourceId == "" || storageResource == "") {
 		return nil
 	}
 	name := os.Getenv("ATHENS_AZURE_ACCOUNT_NAME")
@@ -78,9 +80,11 @@ func getTestConfig(containerName string) *config.AzureBlobConfig {
 		return nil
 	}
 	return &config.AzureBlobConfig{
-		AccountName:   name,
-		AccountKey:    key,
-		ContainerName: containerName,
+		AccountName:               name,
+		AccountKey:                key,
+		ManagedIdentityResourceID: resourceId,
+		StorageResource:           storageResource,
+		ContainerName:             containerName,
 	}
 }