Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[filebeat][azure-blob-storage] - Add support for authorization via Microsoft Entra ID / RBAC #40434

Closed
ShourieG opened this issue Aug 5, 2024 · 1 comment · Fixed by #40879

Comments

@ShourieG
Copy link
Contributor

ShourieG commented Aug 5, 2024

Describe the enhancement: Add support for authorization via Microsoft Entra ID / RBAC

Describe a specific use case for the enhancement or feature: Currently the azure-blob-storage input handles client auth via shared key credentials and connection strings, but this is inherently insecure according to recent recommendations by Microsoft as outlined by this article. To mitigate security issues we need to add auth support via Microsoft Entra ID. This will require us to overhaul the client auth process and change certain internal auth structs to get it working. The sample code below shows an example of how to get Microsoft Entra ID auth working with the blob storage sdk utilizing the azidentity sdk.

 // Define the Azure AD credentials
    tenantID := "your-tenant-id"
    clientID := "your-client-id"
    clientSecret := "your-client-secret"

    // Create a ClientSecretCredential
    cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)
    if err != nil {
        log.Fatalf("failed to create client secret credential: %v", err)
    }

    // Define the Azure Blob Storage account URL
    accountName := "your_account_name"
    blobURL := fmt.Sprintf("https://%s.blob.core.windows.net/", accountName)

    // Create a new BlobServiceClient with the Azure credential
    serviceClient, err := azblob.NewClient(blobURL, cred, nil)
    if err != nil {
        log.Fatalf("failed to create blob service client: %v", err)
    }

Using this process of authentication we will require the tenantID, clientID & clientSecret as inputs from the users end. More info regarding this is detailed here and here.

This process however creates a service client of a different type ("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob").Client and is incompatible with our current service client which is of type ("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service").Client, so the necessary changes need to be made under the hood to get this working.

@ShourieG ShourieG added the Filebeat Filebeat label Aug 5, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 5, 2024
@ShourieG ShourieG added input:azure-blob-storage and removed needs_team Indicates that the issue/PR needs a Team:* label labels Aug 5, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 5, 2024
@ShourieG ShourieG added enhancement and removed needs_team Indicates that the issue/PR needs a Team:* label labels Aug 5, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 5, 2024
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations Team label Aug 8, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants