
Conversation

@Marcel-MTL

Summary

Allow Kopia to authenticate to Azure Blob Storage using Azure AD token credentials when no storage key or SAS token is provided. Add an option to explicitly use the Azure CLI token cache (e.g. az login or az login --identity) as a credential source.

This change enables workflows where Azure AD (Managed Identity, Service Principal, or CLI) is preferred over embedding storage keys or SAS tokens.


Key changes

  • Options / API

    • repo/blob/azure/Options: add UseAzureCLICredential bool to allow forcing the use of the Azure CLI token cache.
  • Authentication

    • repo/blob/azure/azure_storage.go:

      • If no StorageKey / SASToken / ClientSecret / ClientCertificate / AzureFederatedTokenFile is supplied, Kopia will attempt Azure AD token-based authentication.
      • If UseAzureCLICredential == true → use azidentity.NewAzureCLICredential() (reads tokens from the Azure CLI cache).
      • Otherwise → use azidentity.NewDefaultAzureCredential() (fallback chain: env → managed identity → CLI → ...).
  • CLI

    • cli/storage_azure.go: add CLI flag --azure-use-cli-credential (env AZURE_USE_CLI_CREDENTIAL) to wire this option from the CLI.
  • Tests

    • repo/blob/azure/azure_storage_test.go:

      • add KOPIA_AZURE_USE_CLI_CREDENTIAL constant for integration testing.
      • add TestAzureCLICredential integration test (skipped unless KOPIA_PROVIDER_TEST=1 and KOPIA_AZURE_USE_CLI_CREDENTIAL evaluates to true).
      • add inline documentation explaining how to run provider (integration) tests.

Existing authentication flows (SAS, Shared Key, Client Secret, Client Certificate, Workload Identity) remain unchanged.


Why this change?

  • Avoids requiring storage keys or SAS tokens in environments where Azure AD authentication is preferable (e.g. VMs with Managed Identity, CI using service principal).
  • Supports developer workflows by allowing reuse of az login tokens (local) and az login --identity (VM with Managed Identity).
  • Preserves backward compatibility: when a storage key or SAS token is provided, existing behavior is preserved.

How to test (examples)

Important: run these tests against a dedicated test account/container, not production.

Build

go build ./...

Integration test: Azure CLI credential flow

# Enable provider tests
export KOPIA_PROVIDER_TEST=1

# Minimal env values
export KOPIA_AZURE_TEST_CONTAINER="my-test-container"
export KOPIA_AZURE_TEST_STORAGE_ACCOUNT="mystorageacct"

# Enable CLI credential test (accepted values: 1/0)
export KOPIA_AZURE_USE_CLI_CREDENTIAL=1

# Ensure the Azure CLI token cache is present:
# local dev:
az login
# or on an Azure VM with Managed Identity:
az login --identity

# Run the specific test
go test ./repo/blob/azure -run TestAzureCLICredential -v

Integration test: DefaultAzureCredential (managed identity / environment)

export KOPIA_PROVIDER_TEST=1
# Do NOT set KOPIA_AZURE_USE_CLI_CREDENTIAL (or set it to 0)
# Provide other envs as needed for DefaultAzureCredential to resolve (tenant/client or rely on MI)
go test ./repo/blob/azure -run TestAzureFederatedIdentity -v
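The credential selection rule described in the summary, as an added example (not code from this PR or from Kopia). It assumes an Options struct with only the fields the PR names, collapses each path to a label instead of constructing azidentity credentials, and the order among the pre-existing explicit flows is an assumption of the example; the env parser mirrors the boolean-like KOPIA_AZURE_USE_CLI_CREDENTIAL switch and rejects values that are not boolean-like instead of silently treating them as false.

```go
package main

import (
	"fmt"
	"strconv"
)

// Options models only the Azure provider fields named in the PR (assumption: the real struct has more).
type Options struct {
	StorageKey, SASToken, ClientSecret         string
	ClientCertificate, AzureFederatedTokenFile string
	UseAzureCLICredential                      bool
}

// SelectCredentialSource applies the rule from the PR: any explicitly supplied
// secret keeps its existing flow, Azure AD token auth is used only when none is
// present, and the CLI cache is used only when forced. Explicit-flow order is assumed.
func SelectCredentialSource(o Options) string {
	switch {
	case o.StorageKey != "":
		return "shared-key"
	case o.SASToken != "":
		return "sas-token"
	case o.ClientSecret != "":
		return "client-secret"
	case o.ClientCertificate != "":
		return "client-certificate"
	case o.AzureFederatedTokenFile != "":
		return "workload-identity"
	case o.UseAzureCLICredential:
		return "azure-cli" // azidentity.NewAzureCLICredential()
	default:
		return "default-azure" // azidentity.NewDefaultAzureCredential()
	}
}

// UseCLICredentialFromEnv parses the boolean-like KOPIA_AZURE_USE_CLI_CREDENTIAL
// switch ("1", "0", "true", "false", ...). Unset or empty means false; any other
// non-boolean value is an error, so a typo cannot silently select a path.
func UseCLICredentialFromEnv(lookup func(string) (string, bool)) (bool, error) {
	v, ok := lookup("KOPIA_AZURE_USE_CLI_CREDENTIAL")
	if !ok || v == "" {
		return false, nil
	}
	b, err := strconv.ParseBool(v)
	if err != nil {
		return false, fmt.Errorf("KOPIA_AZURE_USE_CLI_CREDENTIAL=%q is not boolean-like", v)
	}
	return b, nil
}
```

Passing os.LookupEnv as the lookup wires the parser to the real environment; the indirection exists so the selection can be exercised with constructed values.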

edallard added 3 commits September 3, 2025 16:39
add azure Managed Identity
…d credential

- Add Options.UseAzureCLICredential (bool) to repo/blob/azure/Options.
  This allows forcing the use of Azure CLI cached credential (azidentity.AzureCLICredential),
  which reads the token cache created by `az login` or `az login --identity`.

- Implement Azure AD token credential flow in repo/blob/azure/azure_storage.go:
  * If no SAS / storage key / client secret / client certificate / federated token is provided,
    Kopia will try Azure AD token credentials.
  * If UseAzureCLICredential == true -> use azidentity.NewAzureCLICredential()
  * Otherwise -> use azidentity.NewDefaultAzureCredential() (env -> managed identity -> CLI -> ...)

- Add CLI flag wiring in cli/storage_azure.go:
  * --azure-use-cli-credential (env: AZURE_USE_CLI_CREDENTIAL) mapped to Options.UseAzureCLICredential

- Update tests in repo/blob/azure/azure_storage_test.go:
  * Add const for test env KOPIA_AZURE_USE_CLI_CREDENTIAL
  * Add TestAzureCLICredential integration test (skipped unless KOPIA_PROVIDER_TEST and the boolean env var)
  * Add detailed inline documentation on how to run provider tests
  * Accept boolean-like values for KOPIA_AZURE_USE_CLI_CREDENTIAL ("1","0","true","false", ...)

Notes:
- Existing auth flows (SAS, shared key, client secret, client certificate, workload identity) are unchanged.
- When authenticating via Azure AD the principal must have RBAC permissions (e.g. Storage Blob Data Contributor).
@Marcel-MTL Marcel-MTL marked this pull request as ready for review September 4, 2025 15:40
@Marcel-MTL Marcel-MTL changed the title azure: support Azure AD token credentials and optional Azure CLI cached credential azure: Add support Azure AD token credentials and optional Azure CLI cached credential Sep 15, 2025
@Marcel-MTL Marcel-MTL changed the title azure: Add support Azure AD token credentials and optional Azure CLI cached credential feat(providers) : Add support Azure AD token credentials and optional Azure CLI cached credential Sep 15, 2025
}
cred = cliCred
} else {
// Use DefaultAzureCredential as a safe default (env -> managed identity -> CLI -> ...).
Collaborator


Clarify comment, this is confusing:

(env -> managed identity -> CLI -> ...).

Author

@Marcel-MTL Marcel-MTL Oct 14, 2025


// Use DefaultAzureCredential, which attempts multiple authentication methods in order:
// environment variables → managed identity → Azure CLI → others.
// See: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential

@julio-lopez
Collaborator

@alisonb-veeam @ryanmt PTAL

@julio-lopez julio-lopez requested a review from Copilot September 18, 2025 23:35

Copilot AI left a comment


Pull Request Overview

Adds Azure AD token-based authentication support to Kopia's Azure Blob Storage provider, enabling authentication via Azure CLI cached credentials or DefaultAzureCredential when storage keys/SAS tokens are not provided.

Key changes:

  • Add UseAzureCLICredential option to force usage of Azure CLI token cache
  • Implement fallback Azure AD authentication when no explicit credentials are provided
  • Add CLI flag --azure-use-cli-credential for the new authentication option

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File: Description
repo/blob/azure/azure_options.go: Adds UseAzureCLICredential field to Options struct
repo/blob/azure/azure_storage.go: Implements Azure AD token credential authentication logic with CLI and default credential support
cli/storage_azure.go: Adds CLI flag for Azure CLI credential option
repo/blob/azure/azure_storage_test.go: Adds integration test for Azure CLI credential authentication


@codecov

codecov bot commented Sep 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.38%. Comparing base (cb455c6) to head (df0ff36).
⚠️ Report is 661 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4797      +/-   ##
==========================================
+ Coverage   75.86%   76.38%   +0.51%     
==========================================
  Files         470      530      +60     
  Lines       37301    40446    +3145     
==========================================
+ Hits        28299    30895    +2596     
- Misses       7071     7507     +436     
- Partials     1931     2044     +113     


Marcel-MTL and others added 4 commits October 14, 2025 11:29
Reformatted line to comply with length limit and maintain readability.
debug short for "whitespace lint"
Co-authored-by: Julio Lopez <[email protected]>
Co-authored-by: Copilot <[email protected]>
Author

@Marcel-MTL Marcel-MTL left a comment


Thanks for the improvements! I’ve addressed the minor style and linting issues (long lines, redundant comments, and whitespace rules). The logic is clear and the credential fallback is well handled.
