tier: Add support of SP credentials with Azure (#18630)

Co-authored-by: Anis Elleuch <anis@min.io>
2025-11-07 12:52:58 -05:00 · 2023-12-11 21:51:53 -08:00
parent 5fe7f9fa93
commit 4a21dce2b5
3 changed files with 67 additions and 9 deletions
--- a/cmd/warm-backend-azure.go
+++ b/cmd/warm-backend-azure.go
@@ -26,8 +26,11 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"

 	"github.com/Azure/azure-storage-blob-go/azblob"
+	"github.com/Azure/go-autorest/autorest/adal"
+	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/minio/madmin-go/v3"
 )

@@ -108,8 +111,53 @@ func (az *warmBackendAzure) InUse(ctx context.Context) (bool, error) {
 	return false, nil
 }

+func newCredentialFromSP(conf madmin.TierAzure) (azblob.Credential, error) {
+	oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, conf.SPAuth.TenantID)
+	if err != nil {
+		return nil, err
+	}
+	spt, err := adal.NewServicePrincipalToken(*oauthConfig, conf.SPAuth.ClientID, conf.SPAuth.ClientSecret, azure.PublicCloud.ResourceIdentifiers.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	// Refresh obtains a fresh token
+	err = spt.Refresh()
+	if err != nil {
+		return nil, err
+	}
+
+	tc := azblob.NewTokenCredential(spt.Token().AccessToken, func(tc azblob.TokenCredential) time.Duration {
+		err := spt.Refresh()
+		if err != nil {
+			return 0
+		}
+		// set the new token value
+		tc.SetToken(spt.Token().AccessToken)
+
+		// get the next token before the current one expires
+		nextRenewal := float64(time.Until(spt.Token().Expires())) * 0.8
+		if nextRenewal <= 0 {
+			nextRenewal = float64(time.Second)
+		}
+
+		return time.Duration(nextRenewal)
+	})
+
+	return tc, nil
+}
+
 func newWarmBackendAzure(conf madmin.TierAzure, _ string) (*warmBackendAzure, error) {
-	credential, err := azblob.NewSharedKeyCredential(conf.AccountName, conf.AccountKey)
+	var (
+		credential azblob.Credential
+		err        error
+	)
+
+	if conf.IsSPEnabled() {
+		credential, err = newCredentialFromSP(conf)
+	} else {
+		credential, err = azblob.NewSharedKeyCredential(conf.AccountName, conf.AccountKey)
+	}
 	if err != nil {
 		if _, ok := err.(base64.CorruptInputError); ok {
 			return nil, errors.New("invalid Azure credentials")