remote_write azure auth : allow empty client_id to suppport system assigned managed identity (#16421)

* squash (#1)

* remote-write: allow empty azure client_id to support system assigned managed identity

* add blank line for tests

* remote-write: allow empty azure client_id to support system assigned managed identity

Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>

* add blank line for tests

Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>

---------

Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>

* treat empty client_id as system-assigned identity; this is a valid case

Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>

* rename file 

Signed-off-by: bragi92 <kadubey@microsoft.com>

---------

Signed-off-by: Kaveesh Dubey <kadubey@microsoft.com>
Signed-off-by: bragi92 <kadubey@microsoft.com>

docs/configuration/configuration.md

@@ -2925,7 +2925,7 @@ azuread:
   # The Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.
   [ cloud: <string> | default = AzurePublic ]
 
-  # Azure User-assigned Managed identity.
+  # Azure Managed Identity.  Leave 'client_id' blank to use the default managed identity.
   [ managed_identity:
       [ client_id: <string> ] ]
 

storage/remote/azuread/azuread.go

@@ -128,13 +128,11 @@ func (c *AzureADConfig) Validate() error {
 	}
 
 	if c.ManagedIdentity != nil {
-		if c.ManagedIdentity.ClientID == "" {
+		if c.ManagedIdentity.ClientID != "" {
-			return errors.New("must provide an Azure Managed Identity client_id in the Azure AD config")
+			_, err := uuid.Parse(c.ManagedIdentity.ClientID)
-		}
+			if err != nil {
-
+				return errors.New("the provided Azure Managed Identity client_id is invalid")
-		_, err := uuid.Parse(c.ManagedIdentity.ClientID)
+			}
-		if err != nil {
-			return errors.New("the provided Azure Managed Identity client_id is invalid")
 		}
 	}
 
@@ -268,8 +266,13 @@ func newTokenCredential(cfg *AzureADConfig) (azcore.TokenCredential, error) {
 
 // newManagedIdentityTokenCredential returns new Managed Identity token credential.
 func newManagedIdentityTokenCredential(clientOpts *azcore.ClientOptions, managedIdentityConfig *ManagedIdentityConfig) (azcore.TokenCredential, error) {
-	clientID := azidentity.ClientID(managedIdentityConfig.ClientID)
+	var opts *azidentity.ManagedIdentityCredentialOptions
-	opts := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts, ID: clientID}
+	if managedIdentityConfig.ClientID != "" {
+		clientID := azidentity.ClientID(managedIdentityConfig.ClientID)
+		opts = &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts, ID: clientID}
+	} else {
+		opts = &azidentity.ManagedIdentityCredentialOptions{ClientOptions: *clientOpts}
+	}
 	return azidentity.NewManagedIdentityCredential(opts)
 }
 

storage/remote/azuread/azuread_test.go

@@ -142,7 +142,7 @@ func TestAzureAdConfig(t *testing.T) {
 		filename string
 		err      string
 	}{
-		// Missing managedidentiy or oauth field.
+		// Missing managedidentity or oauth field.
 		{
 			filename: "testdata/azuread_bad_configmissing.yaml",
 			err:      "must provide an Azure Managed Identity, Azure OAuth or Azure SDK in the Azure AD config",
@@ -171,9 +171,13 @@ func TestAzureAdConfig(t *testing.T) {
 		{
 			filename: "testdata/azuread_good_cloudmissing.yaml",
 		},
-		// Valid managed identity config.
+		// Valid specific managed identity config.
 		{
-			filename: "testdata/azuread_good_managedidentity.yaml",
+			filename: "testdata/azuread_good_specificmanagedidentity.yaml",
+		},
+		// Valid default managed identity config.
+		{
+			filename: "testdata/azuread_good_defaultmanagedidentity.yaml",
 		},
 		// Valid Oauth config.
 		{

storage/remote/azuread/testdata/azuread_good_defaultmanagedidentity.yaml

@@ -0,0 +1,3 @@
+cloud: AzurePublic
+managed_identity:
+  client_id: