From 976103d50b5c9dee077e3d362060a58843e3a529 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Tue, 17 Sep 2024 17:09:12 +0100
Subject: [PATCH] azureblob: add --azureblob-disable-instance-discovery
If set this skips requesting Microsoft Entra instance metadata
See #8078
---
 backend/azureblob/azureblob.go | 20 +++++++++++++++++++-
 docs/content/azureblob.md | 7 +++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/backend/azureblob/azureblob.go b/backend/azureblob/azureblob.go
index 358886404..92adde376 100644
--- a/backend/azureblob/azureblob.go
+++ b/backend/azureblob/azureblob.go
@@ -209,6 +209,22 @@ rclone config file under the ` + "`client_id`, `tenant` and `client_secret`" + `
 keys instead of setting ` + "`service_principal_file`" + `.
 `,
 Advanced: true,
+ }, {
+ Name: "disable_instance_discovery",
+ Help: `Skip requesting Microsoft Entra instance metadata
+
+This should be set true only by applications authenticating in
+disconnected clouds, or private clouds such as Azure Stack.
+
+It determines whether rclone requests Microsoft Entra instance
+metadata from ` + "`https://login.microsoft.com/`" + ` before
+authenticating.
+
+Setting this to true will skip this request, making you responsible
+for ensuring the configured authority is valid and trustworthy.
+`,
+ Default: false,
+ Advanced: true,
 }, {
 Name: "use_msi",
 Help: `Use a managed service identity to authenticate (only works in Azure).
@@ -438,6 +454,7 @@ type Options struct {
 Username string `config:"username"`
 Password string `config:"password"`
 ServicePrincipalFile string `config:"service_principal_file"`
+ DisableInstanceDiscovery bool `config:"disable_instance_discovery"`
 UseMSI bool `config:"use_msi"`
 MSIObjectID string `config:"msi_object_id"`
 MSIClientID string `config:"msi_client_id"`
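Review bot: The Help text of the new `disable_instance_discovery` option presents it as governing whether rclone requests instance metadata "before authenticating" in general, but the only place this patch reads the field is the `azidentity.DefaultAzureCredentialOptions` built in the `env_auth` branch of NewFs (the later hunk), so a user combining it with `service_principal_file` or username/password would read more into it than the code does. I would state the scope in the Help itself, appending a sentence such as "This only takes effect when env_auth is set." using the file's `` + "`env_auth`" + `` concatenation for the backticks, or extend the wiring and say so. Because this option relaxes the check that the authority host is a genuine Entra endpoint, the reader also benefits from the Help naming where "the configured authority" comes from in rclone's terms rather than leaving it implicit; I cannot see that from the hunk, so it is a request to confirm and document rather than a defect. The option table this entry belongs to starts and ends outside the hunk.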
@@ -725,7 +742,8 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
 }
 // Read credentials from the environment
 options := azidentity.DefaultAzureCredentialOptions{
- ClientOptions: policyClientOptions,
+ ClientOptions: policyClientOptions,
+ DisableInstanceDiscovery: opt.DisableInstanceDiscovery,
 }
 cred, err = azidentity.NewDefaultAzureCredential(&options)
 if err != nil {
diff --git a/docs/content/azureblob.md b/docs/content/azureblob.md
index be4f0e201..2c6d401b2 100644
--- a/docs/content/azureblob.md
+++ b/docs/content/azureblob.md
@@ -180,6 +180,13 @@ If the resource has multiple user-assigned identities you will need to
 unset `env_auth` and set `use_msi` instead. See the [`use_msi`
 section](#use_msi).
+If you are operating in disconnected clouds, or private clouds such as
+Azure Stack you may want to set `disable_instance_discovery = true`.
+This determines whether rclone requests Microsoft Entra instance
+metadata from `https://login.microsoft.com/` before authenticating.
+Setting this to `true` will skip this request, making you responsible
+for ensuring the configured authority is valid and trustworthy.
+
 ##### Env Auth: 3. Azure CLI credentials (as used by the az tool)
 Credentials created with the `az` tool can be picked up using `env_auth`.
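Review bot: `opt.DisableInstanceDiscovery` is threaded only into `DefaultAzureCredentialOptions` here; NewFs's other credential branches are outside the hunk, but if they build their own azidentity option structs with just `ClientOptions: policyClientOptions` (as this one did before the patch), they will still contact `https://login.microsoft.com/` for instance metadata whatever the user configured, so in a disconnected cloud the setting would silently have no effect for those auth modes. The azidentity option types for the service-principal and username/password credentials carry the same `DisableInstanceDiscovery` field (the managed identity options do not), so the fix is the same one-line addition in each of those branches, `DisableInstanceDiscovery: opt.DisableInstanceDiscovery,`. A why-comment on the new line would also make the relaxed trust explicit for the next reader: `// Skip the Entra instance-metadata request; the configured authority host is then trusted as-is`. NewFs begins and ends outside the hunk.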