[filebeat][azure-blob-storage] - Add support for authorization via Microsoft Entra ID / RBAC #40434
Labels
enhancement
Filebeat
Filebeat
input:azure-blob-storage
Team:Security-Service Integrations
Security Service Integrations Team
Describe the enhancement: Add support for authorization via Microsoft Entra ID / RBAC
Describe a specific use case for the enhancement or feature: Currently the azure-blob-storage input handles client auth via shared key credentials and connection strings, but this is inherently insecure according to recent recommendations by Microsoft as outlined by this article. To mitigate security issues we need to add auth support via Microsoft Entra ID. This will require us to overhaul the client auth process and change certain internal auth structs to get it working. The sample code below shows an example of how to get Microsoft Entra ID auth working with the blob storage sdk utilizing the azidentity sdk.
Using this process of authentication we will require the tenantID, clientID & clientSecret as inputs from the users end. More info regarding this is detailed here and here.
This process however creates a service client of a different type
("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob").Client
and is incompatible with our current service client which is of type("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service").Client
, so the necessary changes need to be made under the hood to get this working.The text was updated successfully, but these errors were encountered: