Is your feature request related to a problem? Please describe.
out_azure_blob currently only supports shared key and SAS token authentication. Shared key is not a recommended or secure approach as it grants full account access. SAS token has an expiration time, requiring manual rotation and operational overhead. We hope to leverage OAuth/Managed Identity for authentication instead.
Describe the solution you'd like
Add a common Azure authentication module (flb_azure_auth) to Fluent Bit core that supports:
- System-assigned and user-assigned Managed Identity (MSI) via IMDS endpoint
- Workload Identity authentication with federated tokens
- Service Principal authentication with client credentials (OAuth2 client_credentials flow)
Integrate this into out_azure_blob alongside the existing methods (fully backward compatible), with new config parameters:
- tenant_id, client_id, client_secret — for Service Principal
- workload_identity_token_file — for Workload Identity
- client_id = system — for system-assigned Managed Identity
Also migrate out_azure_kusto to use the same common module, removing its local duplicate azure_msiauth.c.
A working implementation is available at: https://github.com/zshuang0316/fluent-bit/tree/azure-msi-auth
Describe alternatives you've considered
Additional context
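A sketch of how the proposed parameters could select a credential flow and shape the token request, added here as an example; it is not part of the issue and not code from the linked branch or from Fluent Bit. The precedence between parameters, the treatment of a bare client_id as user-assigned Managed Identity, the function names, and the Azure Storage audience are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Fluent Bit code. Parameter names are from the
 * issue; precedence and the storage audience are assumptions. */
enum auth_mode { AUTH_NONE, AUTH_MSI_SYSTEM, AUTH_MSI_USER,
                 AUTH_WORKLOAD_IDENTITY, AUTH_SERVICE_PRINCIPAL };

#define IMDS_URL "http://169.254.169.254/metadata/identity/oauth2/token" \
                 "?api-version=2018-02-01&resource=https://storage.azure.com/"
#define SCOPE "https%3A%2F%2Fstorage.azure.com%2F.default"

static int is_set(const char *s) { return s != NULL && s[0] != '\0'; }

enum auth_mode select_mode(const char *tenant_id, const char *client_id,
                           const char *client_secret, const char *token_file)
{
    if (!is_set(client_id)) return AUTH_NONE;  /* keep shared key / SAS */
    if (strcmp(client_id, "system") == 0) return AUTH_MSI_SYSTEM;
    if (is_set(token_file)) return is_set(tenant_id) ? AUTH_WORKLOAD_IDENTITY : AUTH_NONE;
    if (is_set(client_secret)) return is_set(tenant_id) ? AUTH_SERVICE_PRINCIPAL : AUTH_NONE;
    return AUTH_MSI_USER;  /* assumption: bare client_id = user-assigned MSI */
}

/* MSI modes: writes the IMDS GET URL (sent with header "Metadata: true").
 * Other modes: writes the form body POSTed to
 * https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token.
 * credential must already be form-urlencoded. Returns length or -1. */
int build_token_request(enum auth_mode m, const char *client_id,
                        const char *credential, char *out, size_t size)
{
    int n;
    switch (m) {
    case AUTH_MSI_SYSTEM: n = snprintf(out, size, "%s", IMDS_URL); break;
    case AUTH_MSI_USER: n = snprintf(out, size, "%s&client_id=%s", IMDS_URL, client_id); break;
    case AUTH_SERVICE_PRINCIPAL:
        n = snprintf(out, size, "grant_type=client_credentials&client_id=%s"
                     "&client_secret=%s&scope=" SCOPE, client_id, credential);
        break;
    case AUTH_WORKLOAD_IDENTITY:  /* credential = federated token file contents */
        n = snprintf(out, size, "grant_type=client_credentials&client_id=%s"
                     "&client_assertion_type=urn%%3Aietf%%3Aparams%%3Aoauth%%3A"
                     "client-assertion-type%%3Ajwt-bearer&client_assertion=%s"
                     "&scope=" SCOPE, client_id, credential);
        break;
    default: return -1;  /* AUTH_NONE: no OAuth request to build */
    }
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}
```

Rejecting a client_secret or token file that arrives without tenant_id, rather than silently falling through to Managed Identity, keeps a misconfiguration from authenticating as a different principal than the operator intended.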