diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 442011c62e..413076e929 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -2925,7 +2925,7 @@ azuread:
 # The Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.
 [ cloud: | default = AzurePublic ]
- # Azure User-assigned Managed identity.
+ # Azure Managed Identity. Leave 'client_id' blank to use the default managed identity.
 [ managed_identity: [ client_id: ] ]
diff --git a/storage/remote/azuread/azuread.go b/storage/remote/azuread/azuread.go
index f06b57c8c4..1b577a56bc 100644
--- a/storage/remote/azuread/azuread.go
+++ b/storage/remote/azuread/azuread.go
@@ -128,13 +128,11 @@ func (c *AzureADConfig) Validate() error {
 }
 if c.ManagedIdentity != nil {
- if c.ManagedIdentity.ClientID == "" {
- return errors.New("must provide an Azure Managed Identity client_id in the Azure AD config")
- }
-
- _, err := uuid.Parse(c.ManagedIdentity.ClientID)
- if err != nil {
- return errors.New("the provided Azure Managed Identity client_id is invalid")
+ if c.ManagedIdentity.ClientID != "" {
+ _, err := uuid.Parse(c.ManagedIdentity.ClientID)
+ if err != nil {
+ return errors.New("the provided Azure Managed Identity client_id is invalid")
+ }
 }
 }
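Review bot: Dropping the "must provide a client_id" error means a `managed_identity:` stanza with a blank `client_id` now passes Validate and Prometheus will authenticate remote-write as whichever identity the platform hands out by default; on a host with several user-assigned identities and no system-assigned one that ambiguity surfaces only as a token-fetch failure at request time, not here (my reading of the SDK/IMDS contract — verify). Since the configuration-time guard is gone, I would at least state the fallback above the new check, e.g. `// An empty client_id selects the platform's default (system-assigned) managed identity; a UUID is only required to pick a user-assigned identity.`, and ideally log which mode is in effect at startup. The parse can also be tightened to the usual Go form `if _, err := uuid.Parse(c.ManagedIdentity.ClientID); err != nil {`. The enclosing Validate method starts before this hunk and, from the hunk header, appears to continue past it.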
@@ -268,8 +266,13 @@ func newTokenCredential(cfg *AzureADConfig) (azcore.TokenCredential, error) {
 // newManagedIdentityTokenCredential returns new Managed Identity token credential.
 func newManagedIdentityTokenCredential(clientOpts *azcore.ClientOptions, managedIdentityConfig *ManagedIdentityConfig) (azcore.TokenCredential, error) {
- clientID := azidentity.ClientID(managedIdentityConfig.ClientID)
- opts := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts, ID: clientID}
+ var opts *azidentity.ManagedIdentityCredentialOptions
+ if managedIdentityConfig.ClientID != "" {
+ clientID := azidentity.ClientID(managedIdentityConfig.ClientID)
+ opts = &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts, ID: clientID}
+ } else {
+ opts = &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts}
+ }
 return azidentity.NewManagedIdentityCredential(opts)
 }
diff --git a/storage/remote/azuread/azuread_test.go b/storage/remote/azuread/azuread_test.go
index 08870382ec..37931800f1 100644
--- a/storage/remote/azuread/azuread_test.go
+++ b/storage/remote/azuread/azuread_test.go
@@ -142,7 +142,7 @@ func TestAzureAdConfig(t *testing.T) {
 filename string
 err string
 }{
- // Missing managedidentiy or oauth field.
+ // Missing managedidentity or oauth field.
 {
 filename: "testdata/azuread_bad_configmissing.yaml",
 err: "must provide an Azure Managed Identity, Azure OAuth or Azure SDK in the Azure AD config",
@@ -171,9 +171,13 @@ func TestAzureAdConfig(t *testing.T) {
 {
 filename: "testdata/azuread_good_cloudmissing.yaml",
 },
- // Valid managed identity config.
+ // Valid specific managed identity config.
 {
- filename: "testdata/azuread_good_managedidentity.yaml",
+ filename: "testdata/azuread_good_specificmanagedidentity.yaml",
+ },
+ // Valid default managed identity config.
+ {
+ filename: "testdata/azuread_good_defaultmanagedidentity.yaml",
 },
 // Valid Oauth config.
 {
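Review bot: The `else` branch in newManagedIdentityTokenCredential builds the same options literal a second time; the new code reads more directly as `opts := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts}` followed by `if managedIdentityConfig.ClientID != "" { opts.ID = azidentity.ClientID(managedIdentityConfig.ClientID) }`, which keeps one construction site and makes "blank means default identity" the visible base case. The function's doc comment is unchanged even though its contract grew; I would rewrite it as `// newManagedIdentityTokenCredential returns a Managed Identity token credential. An empty ClientID leaves ID unset so the SDK uses the platform's default managed identity; otherwise the user-assigned identity with that client ID is selected.` With ID unset the choice of identity is made by the SDK/IMDS at token time, so a host with an ambiguous identity set fails only at the first request — worth calling out on the config field as well.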
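Review bot: The new `azuread_good_defaultmanagedidentity.yaml` case only proves that a blank `client_id` survives loading and Validate; nothing in this hunk exercises the new branch in newManagedIdentityTokenCredential that omits `ID` from the options, which is the behaviour the change actually introduces. Unless that is covered elsewhere in the file, add a case to whichever test constructs the credential from a config, asserting that the blank-ID path returns a non-nil credential and no error (assuming the SDK constructor does not contact IMDS — confirm). The surrounding test table starts and ends outside this hunk.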
diff --git a/storage/remote/azuread/testdata/azuread_good_defaultmanagedidentity.yaml b/storage/remote/azuread/testdata/azuread_good_defaultmanagedidentity.yaml
new file mode 100644
index 0000000000..9f1bb73a9f
--- /dev/null
+++ b/storage/remote/azuread/testdata/azuread_good_defaultmanagedidentity.yaml
@@ -0,0 +1,3 @@
+cloud: AzurePublic
+managed_identity:
+ client_id:
diff --git a/storage/remote/azuread/testdata/azuread_good_managedidentity.yaml b/storage/remote/azuread/testdata/azuread_good_specificmanagedidentity.yaml
similarity index 100%
rename from storage/remote/azuread/testdata/azuread_good_managedidentity.yaml
rename to storage/remote/azuread/testdata/azuread_good_specificmanagedidentity.yaml