Azure AD Workload Identity authentication support #38

Merged: 5 commits, Sep 22, 2023

@kostrse (Collaborator) commented Sep 12, 2023

This PR adds support for Azure AD Workload Identity which is used for access to AAD service identities in Kubernetes.

This allows users who host Grafana in Kubernetes to use Workload Identities as an alternative to Managed Identities, which are not directly accessible by pods in Kubernetes.

Details on Azure AD Workload Identity:

The newly introduced credentials type is AzureWorkloadIdentityCredentials.

Intended to be serialized in datasource JSON as:

{
    "azureCredentials": {
        "authType": "workloadidentity"
    }
}

The credentials object doesn't provide any configuration options on the datasource side, but on the level it will be possible to override Tenant ID, Client ID, and Token File path.

Proposed configuration settings in Grafana config (not part of this PR):

[azure]
workload_identity_enabled = true

# These settings override default Workload Identity and are normally not required
workload_identity_tenant_id =
workload_identity_client_id =
workload_identity_token_file =

azcredentials/credentials.go (outdated)
aztokenprovider/retriever_wi.go (outdated)
@kostrse marked this pull request as ready for review September 22, 2023 10:54
@kostrse requested a review from a team as a code owner September 22, 2023 10:54

@aangelisc (Contributor) left a comment

LGTM 🎉

@aangelisc merged commit d0621e6 into grafana:main Sep 22, 2023
1 check passed
@kostrse deleted the workload-identity-support branch September 22, 2023 19:39