[receiver/azuremonitor] Add support for azureauthextension (open-telemetry#39658)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

Add support for extension `azureauth` for authentication.

<!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes open-telemetry#39048.

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Unit tests added.

<!--Describe the documentation added.-->
#### Documentation

README updated.

<!--Please delete paragraphs that you did not use before submitting.-->

---------

Co-authored-by: Célian GARCIA <[email protected]>
Co-authored-by: Edmo Vamerlatti Costa <[email protected]>

Author: 3 people

.chloggen/azuremonitor-authextension.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: azuremonitorreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for azureauthextension as a token provider for azuremonitorreceiver.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [39048]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

receiver/azuremonitorreceiver/README.md

@@ -24,7 +24,8 @@ The following settings are required:
 
 The following settings are optional:
 
-- `credentials` (default = service_principal): Specifies the used authentication method. Supported values are `service_principal`, `workload_identity`, `managed_identity`, `default_credentials`.
+- `auth.authenticator`: Specifies the component ID to use to authenticate requests to Azure API. Use [azureauth extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/azureauthextension).
+- `credentials` (Deprecated [v0.126.0]: use `auth` instead)(default = service_principal): Specifies the used authentication method. Supported values are `service_principal`, `workload_identity`, `managed_identity`, `default_credentials`.
 - `resource_groups` (default = none): Filter metrics for specific resource groups, not setting a value will scrape metrics for all resources in the subscription.
 - `services` (default = none): Filter metrics for specific services, not setting a value will scrape metrics for all services integrated with Azure Monitor.
 - `metrics` (default = none): Filter metrics by name and aggregations. Not setting a value will scrape all metrics and their aggregations.
@@ -148,6 +149,21 @@ receivers:
     credentials: "default_credentials"
 ```
 
+[Using `azureauthextension`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/azureauthextension#azure-authenticator-extension) for authentication:
+
+```yaml
+receivers:
+  azuremonitor:
+    subscription_ids: ["${subscription_id}"]
+    auth:
+      authenticator: azureauth
+
+extensions:
+  azureauth:
+    managed_identity:
+      client_id: ${client_id}
+```
+
 Overriding dimensions for a particular metric:
 
 ```yaml

receiver/azuremonitorreceiver/config.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 
+	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/scraper/scraperhelper"
 	"go.uber.org/multierr"
 
@@ -242,11 +243,7 @@ type Config struct {
 	Cloud                             string                        `mapstructure:"cloud"`
 	SubscriptionIDs                   []string                      `mapstructure:"subscription_ids"`
 	DiscoverSubscriptions             bool                          `mapstructure:"discover_subscriptions"`
-	Credentials                       string                        `mapstructure:"credentials"`
 	TenantID                          string                        `mapstructure:"tenant_id"`
-	ClientID                          string                        `mapstructure:"client_id"`
-	ClientSecret                      string                        `mapstructure:"client_secret"`
-	FederatedTokenFile                string                        `mapstructure:"federated_token_file"`
 	ResourceGroups                    []string                      `mapstructure:"resource_groups"`
 	Services                          []string                      `mapstructure:"services"`
 	Metrics                           NestedListAlias               `mapstructure:"metrics"`
@@ -257,6 +254,25 @@ type Config struct {
 	AppendTagsAsAttributes            bool                          `mapstructure:"append_tags_as_attributes"`
 	UseBatchAPI                       bool                          `mapstructure:"use_batch_api"`
 	Dimensions                        DimensionsConfig              `mapstructure:"dimensions"`
+
+	// Authentication accepts the component azureauthextension,
+	// and uses it to get an access token to make requests.
+	// Using this, `credentials` and any related fields become
+	// useless.
+	Authentication *AuthConfig `mapstructure:"auth"`
+
+	// Credentials is deprecated.
+	Credentials        string `mapstructure:"credentials"`
+	ClientID           string `mapstructure:"client_id"`
+	ClientSecret       string `mapstructure:"client_secret"`
+	FederatedTokenFile string `mapstructure:"federated_token_file"`
+}
+
+// AuthConfig defines the auth settings for the azure receiver.
+type AuthConfig struct {
+	// AuthenticatorID specifies the name of the azure extension to authenticate the
+	// requests to azure monitor.
+	AuthenticatorID component.ID `mapstructure:"authenticator,omitempty"`
 }
 
 const (
@@ -272,36 +288,39 @@ func (c Config) Validate() (err error) {
 		err = multierr.Append(err, errMissingSubscriptionIDs)
 	}
 
-	switch c.Credentials {
-	case servicePrincipal:
-		if c.TenantID == "" {
-			err = multierr.Append(err, errMissingTenantID)
-		}
+	if c.Authentication == nil {
+		// only matters if there is no auth specified
+		switch c.Credentials {
+		case servicePrincipal:
+			if c.TenantID == "" {
+				err = multierr.Append(err, errMissingTenantID)
+			}
 
-		if c.ClientID == "" {
-			err = multierr.Append(err, errMissingClientID)
-		}
+			if c.ClientID == "" {
+				err = multierr.Append(err, errMissingClientID)
+			}
 
-		if c.ClientSecret == "" {
-			err = multierr.Append(err, errMissingClientSecret)
-		}
-	case workloadIdentity:
-		if c.TenantID == "" {
-			err = multierr.Append(err, errMissingTenantID)
-		}
+			if c.ClientSecret == "" {
+				err = multierr.Append(err, errMissingClientSecret)
+			}
+		case workloadIdentity:
+			if c.TenantID == "" {
+				err = multierr.Append(err, errMissingTenantID)
+			}
 
-		if c.ClientID == "" {
-			err = multierr.Append(err, errMissingClientID)
-		}
+			if c.ClientID == "" {
+				err = multierr.Append(err, errMissingClientID)
+			}
 
-		if c.FederatedTokenFile == "" {
-			err = multierr.Append(err, errMissingFedTokenFile)
-		}
+			if c.FederatedTokenFile == "" {
+				err = multierr.Append(err, errMissingFedTokenFile)
+			}
 
-	case managedIdentity:
-	case defaultCredentials:
-	default:
-		return fmt.Errorf("credentials %v is not supported. supported authentications include [%v,%v,%v,%v]", c.Credentials, servicePrincipal, workloadIdentity, managedIdentity, defaultCredentials)
+		case managedIdentity:
+		case defaultCredentials:
+		default:
+			return fmt.Errorf("credentials %q is not supported. supported authentications include [%v,%v,%v,%v]", c.Credentials, servicePrincipal, workloadIdentity, managedIdentity, defaultCredentials)
+		}
 	}
 
 	if c.Cloud != azureCloud && c.Cloud != azureGovernmentCloud && c.Cloud != azureChinaCloud {

receiver/azuremonitorreceiver/config_test.go

@@ -0,0 +1,132 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package azuremonitorreceiver
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/confmap/confmaptest"
+	"go.opentelemetry.io/collector/confmap/xconfmap"
+
+	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/azuremonitorreceiver/internal/metadata"
+)
+
+func TestLoadConfig(t *testing.T) {
+	t.Parallel()
+
+	cm, err := confmaptest.LoadConf(filepath.Join("testdata", "config.yaml"))
+	require.NoError(t, err)
+
+	tests := []struct {
+		id          component.ID
+		expected    component.Config
+		expectedErr string
+	}{
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_subscription_ids"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.SubscriptionIDs = []string{"test"}
+				cfg.Credentials = defaultCredentials
+				return cfg
+			}(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_discover_subscription"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Credentials = defaultCredentials
+				return cfg
+			}(),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missing_subscription"),
+			expectedErr: errMissingSubscriptionIDs.Error(),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_cloud"),
+			expectedErr: errInvalidCloud.Error(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_service_principal"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingClientSecret.Error(),
+			),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_service_principal"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingClientSecret.Error(),
+			),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_workload_identity"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingFedTokenFile.Error(),
+			),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_credentials"),
+			expectedErr: `credentials "invalid" is not supported`,
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_authenticator"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Authentication = &AuthConfig{
+					AuthenticatorID: component.MustNewIDWithName("azureauth", "monitor"),
+				}
+				cfg.Credentials = "does-not-matter"
+				return cfg
+			}(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_authenticator_2"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Authentication = &AuthConfig{
+					AuthenticatorID: component.MustNewID("azureauth"),
+				}
+				cfg.Credentials = "does-not-matter"
+				return cfg
+			}(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.id.Name(), func(t *testing.T) {
+			factory := NewFactory()
+			cfg := factory.CreateDefaultConfig()
+
+			sub, err := cm.Sub(tt.id.String())
+			require.NoError(t, err)
+			require.NoError(t, sub.Unmarshal(cfg))
+
+			err = xconfmap.Validate(cfg)
+			if tt.expectedErr != "" {
+				assert.ErrorContains(t, err, tt.expectedErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expected, cfg)
+			}
+		})
+	}
+}

receiver/azuremonitorreceiver/go.mod

@@ -4,7 +4,7 @@ go 1.23.0
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0
 	github.com/Azure/azure-sdk-for-go/sdk/monitor/query/azmetrics v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.11.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.0.0
@@ -28,6 +28,8 @@ require (
 	go.uber.org/zap v1.27.0
 )
 
+require go.opentelemetry.io/collector/confmap/xconfmap v0.126.0
+
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
@@ -69,12 +71,12 @@ require (
 	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
-	google.golang.org/grpc v1.72.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
+	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect