Upgrade Azure Storage Blob Client and Support OAuth2 for Storage Account #27
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
December 14, 2018 09:31
… to MSI-based oauth token, as I feel it's a security risk to store secret in a file and look for similar experience of fluentd-s3, which relies on instance profile to auth s3 buckets. Changes involved: Upgrade Azure SDK to azure-blob-client 1.1.0. At the time of write Azure SDK is divided into submodules and distributed separately. Blob client is the only one needed here. Introduce new config params azure_instance_msi and azure_oauth_refresh_interval to support OAuth, details is added in Authentication section in readme. Change config param auto_create_container to false, now Azure by default makes container private, returns 404 for get_properties, and invalidates ensure_container(). Hence users need to adjust the properties of their account if they'd like to enable creation. Making default value to false to enforce user to be aware of this fact.
incompatible 1.0.1 from azure-storage-blob dependency settings. 2. Fix refresh token function.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
This originally for my own use case but might be useful to merge it back. Please contact me if further discussion is needed.
The change is mainly migrating authentication method from storage key to MSI-based oauth token, as I feel it's a security risk to store secret in a file and look for similar experience of fluentd-s3, which relies on instance profile to auth s3 buckets.
Changes involved:
Upgrade Azure SDK to azure-blob-client 1.1.0. At the time of write Azure SDK is divided into submodules and distributed separately. Blob client is the only one needed here.
Introduce new config params azure_instance_msi and azure_oauth_refresh_interval to support OAuth, details is added in Authentication section in readme.
Change config param auto_create_container to false, now Azure by default makes container private, returns 404 for get_properties, and invalidates ensure_container(). Hence users need to adjust the properties of their account if they'd like to enable creation. Making default value to false to enforce user to be aware of this fact.