fix(azdls): load Azure credentials from environment variables #7225
Closed
rohankmr414 wants to merge 1 commit into apache:main from
The azdls backend was not calling `AzureStorageConfig::default().from_env()` unlike the azblob backend, which meant Azure Workload Identity environment variables (AZURE_FEDERATED_TOKEN_FILE, AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST) were never loaded. This caused reqsign to skip the workload identity credential provider and fall through to IMDS, which fails in non-Azure-VM environments like AKS with Workload Identity. This patch matches the pattern used in the azblob backend: start with `from_env()` and then overlay any explicitly configured values.
Member
Oh, sorry I missed this PR. #7226 should cover it.
Member
#7226 has been merged. I'm going to close this PR now, we will have this in our next release.
Which issue does this PR close?
Closes #7224.
Rationale for this change
The azdls backend was not loading Azure credentials from environment variables, unlike the azblob backend. Specifically, it was not calling `AzureStorageConfig::default().from_env()`, which meant Azure Workload Identity environment variables (AZURE_FEDERATED_TOKEN_FILE, AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST) were never loaded.
This caused reqsign to skip the workload identity credential provider and fall through to IMDS (Instance Metadata Service), which fails in non-Azure-VM environments like AKS (Azure Kubernetes Service) with Workload Identity enabled.
Note: We have been running this fix in an internal fork and can confirm it resolves the authentication issues in AKS with Workload Identity.
What changes are included in this PR?
`AzdlsBuilder::build()` to use `AzureStorageConfig::default().from_env()` on non-wasm32 targets before overlaying explicitly configured values
Are there any user-facing changes?
Yes - This is a bug fix that enables Azure Workload Identity authentication for the azdls backend.
Users running OpenDAL in Azure Kubernetes Service (AKS) with Workload Identity can now authenticate to Azure Data Lake Storage Gen2 using federated credentials without needing to explicitly configure credentials in code. The backend will automatically pick up the following environment variables:
- AZURE_FEDERATED_TOKEN_FILE
- AZURE_CLIENT_ID
- AZURE_TENANT_ID
- AZURE_AUTHORITY_HOST
This change is backward compatible - explicitly configured credentials still take precedence over environment variables.
AI Usage Statement
Augment Agent (Claude Sonnet 4.5) was used to help during implementation and resolve merge conflicts during rebase.
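The layering this PR describes (environment values as the base, explicitly configured values overlaid, then provider selection) is modelled below as an added example; it is not code from OpenDAL, reqsign or this PR. `Creds`, `Provider`, `overlay`, `provider` and the provider order are hypothetical names and assumptions of the sketch, the sample values are constructed, and only three of the four listed variables are modelled.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for a backend credential config (not OpenDAL or reqsign types).
#[derive(Default)]
struct Creds {
    account_key: Option<String>,
    token_file: Option<String>,
    client_id: Option<String>,
    tenant_id: Option<String>,
}
#[derive(Debug, PartialEq)]
enum Provider { SharedKey, WorkloadIdentity, Imds }
impl Creds {
    // Base layer: Workload Identity variables named in the PR description.
    fn from_env(env: &HashMap<&str, &str>) -> Self {
        let get = |k: &str| env.get(k).map(|v| v.to_string());
        Creds {
            account_key: None,
            token_file: get("AZURE_FEDERATED_TOKEN_FILE"),
            client_id: get("AZURE_CLIENT_ID"),
            tenant_id: get("AZURE_TENANT_ID"),
        }
    }
    // Overlay: an explicitly configured field wins; an unset one keeps the base value.
    fn overlay(self, e: Creds) -> Self {
        Creds {
            account_key: e.account_key.or(self.account_key),
            token_file: e.token_file.or(self.token_file),
            client_id: e.client_id.or(self.client_id),
            tenant_id: e.tenant_id.or(self.tenant_id),
        }
    }
    // Assumed provider order for this sketch: explicit key, workload identity, IMDS.
    fn provider(&self) -> Provider {
        let wi = self.token_file.is_some() && self.client_id.is_some() && self.tenant_id.is_some();
        if self.account_key.is_some() { Provider::SharedKey }
        else if wi { Provider::WorkloadIdentity }
        else { Provider::Imds }
    }
}

fn main() {
    // Constructed sample values, shaped like an AKS pod with Workload Identity.
    let env = HashMap::from([("AZURE_FEDERATED_TOKEN_FILE", "/constructed/token"),
        ("AZURE_CLIENT_ID", "constructed-client"), ("AZURE_TENANT_ID", "constructed-tenant")]);
    // First line: empty default base (env ignored). Second: env base, explicit overlaid.
    println!("{:?}", Creds::default().overlay(Creds::default()).provider());
    println!("{:?}", Creds::from_env(&env).overlay(Creds::default()).provider());
}
```

With an empty default as the base, the sketch ends at the IMDS fallback even though the pod's environment carries everything the workload identity provider needs.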