MC-1534 Allow using role-based identity for Azure storage #854

Draft
wants to merge 1 commit into
base: master

Contributor

@rzvoncek rzvoncek commented Feb 17, 2025

Fixes #856.

According to preliminary testing, this kinda works:

export AZURE_STORAGE_ACCOUNT=medusaintegrationtests
medusa -v --config-file medusa.ini list-backups
[2025-02-17 11:40:20,383] DEBUG: Loading configuration from medusa.ini
[2025-02-17 11:40:20,391] INFO: Resolving ip address
[2025-02-17 11:40:20,397] INFO: ip address to resolve 10.3.0.4
[2025-02-17 11:40:20,398] DEBUG: Resolved 10.3.0.4 to azure-backup.internal.cloudapp.net
[2025-02-17 11:40:20,399] DEBUG: Loading storage_provider: azure_blobs
[2025-02-17 11:40:20,399] DEBUG: No credentials file specified, using DefaultAzureCredential
[2025-02-17 11:40:20,400] INFO: No environment configuration found.
[2025-02-17 11:40:20,401] INFO: ManagedIdentityCredential will use IMDS
[2025-02-17 11:40:20,404] DEBUG: [Storage] Listing objects in index/backup_index
[2025-02-17 11:40:20,404] DEBUG: Using selector: GeventSelector
[2025-02-17 11:40:20,417] DEBUG: EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
Traceback (most recent call last):
  File "/home/azureuser/.cache/pypoetry/virtualenvs/cassandra-medusa-gy6GO9U1-py3.12/lib/python3.12/site-packages/azure/identity/_internal/decorators.py", line 33, in wrapper
    token = fn(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^
  File "/home/azureuser/.cache/pypoetry/virtualenvs/cassandra-medusa-gy6GO9U1-py3.12/lib/python3.12/site-packages/azure/identity/_credentials/environment.py", line 150, in get_token
    raise CredentialUnavailableError(message=message)
azure.identity._exceptions.CredentialUnavailableError: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
[2025-02-17 11:40:20,444] DEBUG: event={
    "data": {},
    "response": {
        "access_token": "********",
        "client_id": "1d97d72b-aa4d-47c3-8971-5c2618358c92",
        "expires_in": "85867",
        "expires_on": 1739878287,
        "ext_expires_in": "86399",
        "not_before": "1739791587",
        "resource": "https://storage.azure.com",
        "token_type": "Bearer"
    },
    "scope": [
        "https://storage.azure.com"
    ]
}
[2025-02-17 11:40:20,444] DEBUG: ImdsCredential.get_token succeeded
[2025-02-17 11:40:20,444] DEBUG: ManagedIdentityCredential.get_token succeeded
[2025-02-17 11:40:20,445] DEBUG: [Authenticated account] Client ID: 1d97d72b-aa4d-47c3-8971-5c2618358c92. Tenant ID: 2f49592e-1a6a-48f0-a3fe-d7c6e268b749. User Principal Name: unavailableUpn. Object ID (user): b982be5b-2f85-4750-ae3c-3ca2bae6111a
[2025-02-17 11:40:20,445] INFO: DefaultAzureCredential acquired a token from ManagedIdentityCredential
^CKeyboardInterrupt
2025-02-17T11:40:26Z
^CKeyboardInterrupt
2025-02-17T11:40:27Z
[2025-02-17 11:40:27,579] DEBUG: Disconnecting from Azure Storage

Aborted!
  • we need the AZURE_STORAGE_ACCOUNT to be set
  • there are errors and exceptions about some other variables missing, see this
  • despite the warnings, the proper credentials type is chosen and an attempt to reach the storage systems seems to be made
  • it gets stuck, however, in a silent retry/backoff loop, because the instance does not have proper roles assigned to it.

I'm currently stuck on the role assignments.
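
Added example (not part of the PR and not Medusa code): a small triage script for a debug log like the one above. It separates a credential-chain failure from the case described here, where a token is acquired and the run then goes silent. The `triage` function, the 5-second threshold and the abridged sample log are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: abridged from the log lines quoted in the PR description.
SAMPLE_LOG = """\
[2025-02-17 11:40:20,399] DEBUG: No credentials file specified, using DefaultAzureCredential
[2025-02-17 11:40:20,417] DEBUG: EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Traceback (most recent call last):
[2025-02-17 11:40:20,444] DEBUG: ManagedIdentityCredential.get_token succeeded
[2025-02-17 11:40:20,445] INFO: DefaultAzureCredential acquired a token from ManagedIdentityCredential
^CKeyboardInterrupt
[2025-02-17 11:40:27,579] DEBUG: Disconnecting from Azure Storage
"""

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\] \w+: (.*)$")
FAILED = re.compile(r"(\w+Credential)\.get_token failed")
ACQUIRED = re.compile(r"DefaultAzureCredential acquired a token from (\w+)")


def triage(log_text, stall_seconds=5.0):
    """Summarise the credential chain and flag silence after authentication."""
    failed, winner, token_at, silence = [], None, None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # traceback lines, JSON bodies and ^C markers carry no timestamp
        at = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        if token_at is not None and silence is None:
            silence = (at - token_at).total_seconds()  # gap to the next log line
        if (f := FAILED.search(m.group(2))):
            failed.append(f.group(1))
        if (a := ACQUIRED.search(m.group(2))):
            winner, token_at, silence = a.group(1), at, None
    if winner is None:
        verdict = "no credential in the chain produced a token"
    elif silence is not None and silence >= stall_seconds:
        verdict = "token acquired, then silence: check storage role assignments"
    else:
        verdict = "token acquired, no stall observed"
    return {"failed": failed, "winner": winner, "silence": silence, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The `failed` list only records which credentials in the chain were skipped; an entry there is expected when a later credential wins.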


Successfully merging this pull request may close these issues.

readme.md disagrees with pyproject.toml