docs: azure_blob: document OAuth authentication support #2535
zshuang0316 wants to merge 1 commit into fluent:master from
📝 Walkthrough
Documentation for the Azure Blob output plugin adds OAuth-based auth modes (
Sequence Diagram(s)
sequenceDiagram
participant FluentBit as Fluent Bit (client)
participant AzureAD as Azure AD (token endpoint)
participant Blob as Azure Blob Storage
FluentBit->>AzureAD: Request token (service_principal / managed_identity / workload_identity)
AzureAD-->>FluentBit: Return OAuth access_token
FluentBit->>Blob: PUT/POST blob with Authorization: Bearer <token>
Blob-->>FluentBit: 201/200 OK
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
e624619 to 05784fb
eschabell
left a comment
@zshuang0316 see comments inline on the files changed that need attention before review will pass.
pipeline/outputs/azure_blob.md
Outdated
| | :------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------- | | ||
| | `account_name` | Azure Storage account name. | _none_ | | ||
| | `auth_type` | Specify the type to authenticate against the service. Supported values: `key`, `sas`. | `key` | | ||
| | `auth_type` | Specify the authentication method. Supported values: `key`, `sas`, `managed_identity`, `service_principal`, `workload_identity`. | `key` | |
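Review bot: The new `auth_type` row lists `managed_identity`, `service_principal` and `workload_identity` but does not say which other properties each value needs, whereas the `shared_key` row states that it is mandatory when `auth_type` is `key`. Consider adding the same kind of pointer here, for example a short reference to the "OAuth authentication" section, so a reader choosing a value from this table sees what else must be set.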
@zshuang0316 please return the more clear sentence "Specify the type to authenticate against the service. " here. Shorter is not desirable.
pipeline/outputs/azure_blob.md
Outdated
| | `buffer_dir` | Specifies the location of directory where the buffered data will be stored. | `/tmp/fluent-bit/azure-blob/` | | ||
| | `buffer_file_delete_early` | Whether to delete the buffered file early after successful blob creation. | `false` | | ||
| | `buffering_enabled` | Enable buffering into disk before ingesting into Azure Blob. | `false` | | ||
| | `client_id` | Azure AD application (client) ID. Required for `service_principal` and `workload_identity` auth. For `managed_identity`, set to `system` for system-assigned or provide the client ID for user-assigned. | _none_ | |
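Review bot: In the `client_id` row, the `managed_identity` sentence does not say whether the property is required in that mode or what happens when it is left unset; the default is `_none_` while the text asks for `system` for a system-assigned identity. State explicitly whether `client_id` is mandatory for `managed_identity`, and make clear that `system` is a literal keyword rather than an ID, so it is not mistaken for a placeholder.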
@zshuang0316 use backticks around Azure AD please.
pipeline/outputs/azure_blob.md
Outdated
| | `buffer_file_delete_early` | Whether to delete the buffered file early after successful blob creation. | `false` | | ||
| | `buffering_enabled` | Enable buffering into disk before ingesting into Azure Blob. | `false` | | ||
| | `client_id` | Azure AD application (client) ID. Required for `service_principal` and `workload_identity` auth. For `managed_identity`, set to `system` for system-assigned or provide the client ID for user-assigned. | _none_ | | ||
| | `client_secret` | Azure AD client secret. Required for `service_principal` auth. | _none_ | |
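Review bot: The `client_secret` row describes a credential but gives no handling guidance. Because this value sits in the plugin configuration, the description or the OAuth section should recommend keeping it out of checked-in configuration files, for example by supplying it through an environment variable reference. It could also point out that, per this table, only `service_principal` requires it, so `managed_identity` and `workload_identity` avoid storing a secret.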
pipeline/outputs/azure_blob.md
Outdated
| | `scheduler_max_retries` | Maximum number of retries for the scheduler send blob. | `3` | | ||
| | `shared_key` | Specify the Azure Storage Shared Key to authenticate against the service. This configuration property is mandatory when `auth_type` is `key`. | _none_ | | ||
| | `store_dir_limit_size` | Set the max size of the buffer directory. | `8G` | | ||
| | `tenant_id` | Azure AD tenant ID. Required for `service_principal` and `workload_identity` auth. | _none_ | |
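Review bot: The `tenant_id` row names `service_principal` and `workload_identity` only; unlike the `client_id` row, it is silent on `managed_identity`. Add a clause saying whether the property is used or ignored in that mode, so the three OAuth-related rows read consistently.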
pipeline/outputs/azure_blob.md
Outdated
|
|
||
| If a chunk arrives with the tag `kube.var.log.containers.app-default`, this configuration creates blobs under `kube/app-default/2025/12/16/05/042/abcd1234/...`. | ||
|
|
||
| ## OAuth authentication |
@zshuang0316 use backticks around OAuth to get past vale issues here.
pipeline/outputs/azure_blob.md
Outdated
|
|
||
| ## OAuth authentication | ||
|
|
||
| In addition to shared key and SAS token authentication, the Azure Blob plugin supports Azure AD-based authentication using the following methods. |
@zshuang0316 use backticks around SAS, Azure Blob, and Azure AD to get past vale issues here.
|
|
||
| ### Workload identity | ||
|
|
||
| Use [Azure Workload Identity](https://azure.github.io/azure-workload-identity/docs/) to exchange a Kubernetes-projected service account token for an Azure AD access token. This is the recommended approach for workloads running in AKS. |
@zshuang0316 use backticks around Azure AD and AKS to get past vale issues here.
Add new auth_type values (managed_identity, service_principal, workload_identity) and their required configuration parameters (tenant_id, client_id, client_secret, workload_identity_token_file). Add OAuth authentication section with examples for each method.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: zshuang0316 <zshuang0316@163.com>
05784fb to a3b339b
Thanks, updated.