feat(azure_blob sink): Update crates and migrate to the new SDK

[joshcoughlan]

This PR migrates the Azure Blob sink to the latest official Azure SDK crates and aligns our internal auth/HTTP plumbing with the new pipeline model.

Highlights:

• Replace legacy crates with official SDK:
  • azure_storage_blob → 0.7.x
  • azure_core → 0.30.x
  • Remove azure_storage_blobs/azure_storage/azure_core_for_storage
• Preserve existing auth modes:
  • SAS via URL stays supported
  • Access key via a custom Shared Key Policy integrated into the azure_core pipeline
• Add a minimal connection string parser to support SAS and Shared Key without pulling in legacy crates
• Keep the rest of Vector on reqwest 0.11.26 while the Azure SDK uses reqwest 0.12.24:
  • Introduce an aliased reqwest_0_12_24 dependency and inject it as the Azure transport
  • Avoid rippling reqwest upgrades through non-Azure code paths

Follow-ups planned:

• Per-sink proxy configuration for the Azure HTTP client (azure_blob proxy support #21314)
• Possibly Support Azure Active Directory tokens (Support Azure Active Directory tokens for the Azure Blob Store Sink #24167)

Vector configuration

Examples used during testing.

SAS-based connection string:

[sinks.azure_blob]
type = "azure_blob"
inputs = ["in"]
container_name = "vector-logs"
# Example SAS (redacted); must include the leading '?'
connection_string = "BlobEndpoint=https://<account>.blob.core.windows.net;SharedAccessSignature=?sv=...&ss=b&srt=...&sp=...&se=...&st=...&spr=https&sig=...;"
compression = "gzip"
encoding.codec = "json"

Shared Key (access key) connection string:

[sinks.azure_blob]
type = "azure_blob"
inputs = ["in"]
container_name = "vector-logs"
connection_string = "DefaultEndpointsProtocol=https;AccountName=<account>;AccountKey=<base64key>;EndpointSuffix=core.windows.net"
compression = "gzip"
encoding.codec = "json"
# Uses the custom SharedKeyAuthorizationPolicy added in this PR

How did you test this PR?

• Local builds for all supported targets, including cross builds in a containerized environment
• Tested in a live environment to confirm functionality

Change Type

• Bug fix
• [ X] New feature
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• [X ] No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

Notes

• This PR fixes an unreported bug introduced by Azure SDK version bump introduced regression in token refresh #23036 in which the documented SAS connection_string ("BlobEndpoint=https://mylogstorage.blob.core.windows.net/;SharedAccessSignature=generatedsastoken") doesn't work and fails with an error indicating it requires AccountName:
  ERROR vector::topology::builder: Configuration error. error=Sink "testing-azure_blob": Account name missing in connection string

[thomasqueirozb]

Thanks for this contribution! I haven't had the time to look closely at everything yet, but I'm leaving some comments now because there is a lot to discuss.

As per your PR description it seems like we're now supporting new auth methods with this upgrade too, so it would be nice to include a changelog in this PR. Let me know if I misunderstood this.

I do have some concerns about using these new azure crates though. The azure_storage_blob crate has this warning:

Note: The azure_storage_blob crate is currently under active development and not all features may be implemented or work as intended. This crate is in beta and not suitable for Production environments. For any general feedback or usage issues, please open a GitHub issue

I see that we are using just some parts of that crate. Namely only BlobContainerClient/BlobContainerClientOptions, clients::BlobClient and models::BlockBlobClientUploadOptions.

Have you checked if they are just a port from what was being used in the old azure_storage_blobs crate or is it a full rewrite? If it is a port I'd have more confidence in using it. Either way I think our hands are tied here because MS doesn't seem to put enough effort into releasing good and stable Azure crates so anything as good as or better than the old azure_storage_blobs will do.

[joshcoughlan]

Have you checked if they are just a port from what was being used in the old azure_storage_blobs crate or is it a full rewrite? If it is a port I'd have more confidence in using it. Either way I think our hands are tied here because MS doesn't seem to put enough effort into releasing good and stable Azure crates so anything as good as or better than the old azure_storage_blobs will do.

I haven't, but I suspect it is a full rewrite since I think it is just adding support for auth from a url to the SDK. I wrote a fix for the SDK and submitted it to Microsoft, but was informed that they had fixed what I was trying to fix in a release of azure_storage_blob the day before.

Basically, clients now have a from_url method that allows you to pass a full URL with a SAS. This design closely matches our other SDKs and so it what we wanted to go with for Rust as well. Please give it a try and let us know if you have any feedback.
Azure/azure-sdk-for-rust#3329 (comment)

If I'm remembering properly, the only thing keeping SAS from working before is that the client constructor required the AD auth method. I think now it is making that credential optional, which then opened the door for auth from url.
Azure/azure-sdk-for-rust#3176

Anyway, I went about refactoring my original Vector PR to use the newly released azure_storage_blob SDK and broke it up into two PRs. I'm mainly doing all of this because we need per-sink proxy support and the legacy crates just didn't really support that so much. I have another PR that builds on this one to add proxy support: #24256

As per your PR description it seems like we're now supporting new auth methods with this upgrade too, so it would be nice to include a changelog in this PR. Let me know if I misunderstood this.

Same auth methods, SAS and Access key, are supported, but I think the implementation is different. I think this PR should help address #24167 though, so it can lead to additional auth methods.

[thomasqueirozb]

Same auth methods

Changelog not needed then

There are a few failing checks (and merge conflicts), I'll circle back to this once there are new commits on this branch.

[fplantinga-guida]

Any updates on this? @thomasqueirozb @joshcoughlan

[joshcoughlan]

Any updates on this? @thomasqueirozb @joshcoughlan

I'm working through this today getting the clippy whatnot passing and resolving merge conflicts. I didn't really realize there were other PRs waiting on this.

Also, full disclosure here, I'd be happy if more eyeballs were on this PR as a good amount of it is faith-based coding with AI guidance. I'm none too familiar with rust and having more knowledgeable humans involved wouldn't be a bad thing.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[joshcoughlan]

I have read the CLA Document and I hereby sign the CLA

[joshcoughlan]

recheck

[thomasqueirozb]

Suggested change

	azure_core = { version = "0.30", default-features = false, features = ["reqwest", "hmac_openssl"] }
	azure_core = { version = "0.30", default-features = false, features = ["reqwest", "hmac_openssl"], optional = true }

This should remain optional as we don't want this to be compiled in when Vector is built with minimal features

[thomasqueirozb]

Also, looking at https://docs.rs/crate/azure_core/latest/features I'm worried that without reqwest_native_tls and maybe also without reqwest_deflate we can run into some issues...

[pront]

FWIW reqwest now sets its default TLS feature to use rustls, instead of native-tls.

https://seanmonstar.com/blog/reqwest-v013-rustls-default/

[joshcoughlan]

Done

[thomasqueirozb]

Why are we using another version of reqwest here? I'd assume that this would work just fine if we used reqwest::ClientBuilder instead - or is there a version issue?

[joshcoughlan]

There is a version issue. The MS SDK uses reqwest 0.12 and trying to use 0.11 results in the following error: expected Arc<dyn HttpClient + ’static, Global>, found Arc<Client, Global> (rust-analyzer E0308). From what I understand this is due to HttpClient being implemented in the SDK and the SDK uses reqwest 0.12. I'm going pause here to reiterate that I am a rust novice and there may be better ways to do this. The most straight-forward way I could come up with to use reqwest 0.12 without changing it globally was to use a renamed dependency. Also, I did look at using reqwest 0.12 everywhere, but there would have had to have been updates made to other components.

[thomasqueirozb]

reqwest is only being used in as a dev dependency in tests. I will bump it to use 0.12 everywhere

[thomasqueirozb]

It looks like I'm not able to push to your branch. I made a PR here: Automattic#4

[thomasqueirozb]

Hi @joshcoughlan I'm not able to get azure integration tests to pass by running ./scripts/run-integration-test.sh int azure. I suspect something is wrong with either the URL or the Authorization header

[thomasqueirozb]

This is almost good to go. Please merge Automattic#4 and commit these suggestions afterwards. Thanks for your work on this!

[joshcoughlan]

Done, but several integration tests for other components are now failing with reqwest 0.12 everywhere.

[thomasqueirozb]

Done, but several integration tests for other components are now failing with reqwest 0.12 everywhere.

This is due to reqwest using http v1 and I didn't run clippy for all features locally - my bad! It was at the top of the release notes I just missed it... I'll follow up with another PR to your branch to fix this which is going to restore some of your code.

[thomasqueirozb]

Thanks!

[joshcoughlan]

Hi. There are some failing tests with make test-vrl in the make environment environment. I fixed a couple simple date updates with the last commit, but I'm not so sure about the others. It seems like the vrl version may need updating somewhere, but I'm not sure.

Also, if you'd rather undo the last commit and just handle that separately that's fine by me.