feat: add support for Azure Workload Identity authentication method for Azure discovery [#16634]

This PR adds support for the Azure Workload Identity authentication method for Azure Discovery. It allows Prometheus running in AKS clusters to discover VMs by
using Workload Identity authentication.

Signed-off-by: thomas-gouveia <thomas.gouveia@contentsquare.com>
thomas-gouveia 2025-09-17 15:56:07 +02:00
parent 7416f33df5
commit 3e28742474
No known key found for this signature in database
GPG key ID: E595989799DF44B6
2 changed files with 14 additions and 6 deletions


@ -2340,7 +2340,7 @@ var expectedErrors = []struct {
},
{
filename: "azure_authentication_method.bad.yml",
errMsg: "unknown authentication_type \"invalid\". Supported types are \"OAuth\", \"ManagedIdentity\" or \"SDK\"",
errMsg: "unknown authentication_type \"invalid\". Supported types are \"OAuth\", \"ManagedIdentity\", \"SDK\" or \"WorkloadIdentity\"",
},
{
filename: "azure_bearertoken_basicauth.bad.yml",


@ -64,9 +64,10 @@ const (
azureLabelMachineScaleSet = azureLabel + "machine_scale_set"
azureLabelMachineSize = azureLabel + "machine_size"
authMethodOAuth = "OAuth"
authMethodSDK = "SDK"
authMethodManagedIdentity = "ManagedIdentity"
authMethodOAuth = "OAuth"
authMethodSDK = "SDK"
authMethodManagedIdentity = "ManagedIdentity"
authMethodWorkloadIdentity = "WorkloadIdentity"
)
// DefaultSDConfig is the default Azure SD configuration.
@ -161,8 +162,8 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(any) error) error {
}
}
if c.AuthenticationMethod != authMethodOAuth && c.AuthenticationMethod != authMethodManagedIdentity && c.AuthenticationMethod != authMethodSDK {
return fmt.Errorf("unknown authentication_type %q. Supported types are %q, %q or %q", c.AuthenticationMethod, authMethodOAuth, authMethodManagedIdentity, authMethodSDK)
if c.AuthenticationMethod != authMethodOAuth && c.AuthenticationMethod != authMethodManagedIdentity && c.AuthenticationMethod != authMethodSDK && c.AuthenticationMethod != authMethodWorkloadIdentity {
return fmt.Errorf("unknown authentication_type %q. Supported types are %q, %q, %q or %q", c.AuthenticationMethod, authMethodOAuth, authMethodManagedIdentity, authMethodSDK, authMethodWorkloadIdentity)
}
return c.HTTPClientConfig.Validate()
@ -288,6 +289,13 @@ func (d *Discovery) createAzureClient() (client, error) {
func newCredential(cfg SDConfig, policyClientOptions policy.ClientOptions) (azcore.TokenCredential, error) {
var credential azcore.TokenCredential
switch cfg.AuthenticationMethod {
case authMethodWorkloadIdentity:
options := &azidentity.WorkloadIdentityCredentialOptions{ClientOptions: policyClientOptions}
workloadIdentityCredential, err := azidentity.NewWorkloadIdentityCredential(options)
if err != nil {
return nil, err
}
credential = azcore.TokenCredential(workloadIdentityCredential)
case authMethodManagedIdentity:
options := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: policyClientOptions, ID: azidentity.ClientID(cfg.ClientID)}
managedIdentityCredential, err := azidentity.NewManagedIdentityCredential(options)
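Review bot: The new `case authMethodWorkloadIdentity:` branch builds the credential from `ClientOptions` alone, so the `client_id` (and, if SDConfig carries one, `tenant_id`) a user puts in the SD config are silently ignored and the identity used for discovery comes entirely from the pod environment (per the azidentity docs, `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE`), whereas the `authMethodManagedIdentity` case directly below does forward `cfg.ClientID`. A config that names one identity while the pod's environment names another would then authenticate as the latter with no error, which is hard to spot in an incident. Forwarding the configured values, `options := &azidentity.WorkloadIdentityCredentialOptions{ClientOptions: policyClientOptions, ClientID: cfg.ClientID, TenantID: cfg.TenantID}`, lets an explicit config win while (per the SDK docs) empty fields still fall back to the environment variables; the alternative is to have `UnmarshalYAML` reject `client_id`/`client_secret` for this method so the mismatch cannot arise. The diffstat shows only two files changed, so the configuration documentation listing the accepted `authentication_method` values, and the environment variables this method depends on, still needs updating. `newCredential` continues past the end of this hunk.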