extern/rclone
1
0
Fork 0
mirror of https://github.com/rclone/rclone.git synced 2024-11-22 08:23:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

azureblob: add --azureblob-disable-instance-discovery

Browse Source 
If set this skips requesting Microsoft Entra instance metadata

See #8078
This commit is contained in:
Nick Craig-Wood 2024-09-17 17:09:12 +01:00
parent 192524c004
commit 976103d50b
2 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
backend/azureblob/azureblob.go
View File

@ -209,6 +209,22 @@ rclone config file under the ` + "`client_id`, `tenant` and `client_secret`" + `
keys instead of setting ` + "`service_principal_file`" + `. keys instead of setting ` + "`service_principal_file`" + `.
`, `,
Advanced: true, Advanced: true,
}, {
Name: "disable_instance_discovery",
Help: `Skip requesting Microsoft Entra instance metadata
This should be set true only by applications authenticating in
disconnected clouds, or private clouds such as Azure Stack.
It determines whether rclone requests Microsoft Entra instance
metadata from ` + "`https://login.microsoft.com/`" + ` before
authenticating.
Setting this to true will skip this request, making you responsible
for ensuring the configured authority is valid and trustworthy.
`,
Default: false,
Advanced: true,
}, { }, {
Name: "use_msi", Name: "use_msi",
Help: `Use a managed service identity to authenticate (only works in Azure). Help: `Use a managed service identity to authenticate (only works in Azure).
@ -438,6 +454,7 @@ type Options struct {
Username string `config:"username"` Username string `config:"username"`
Password string `config:"password"` Password string `config:"password"`
ServicePrincipalFile string `config:"service_principal_file"` ServicePrincipalFile string `config:"service_principal_file"`
DisableInstanceDiscovery bool `config:"disable_instance_discovery"`
UseMSI bool `config:"use_msi"` UseMSI bool `config:"use_msi"`
MSIObjectID string `config:"msi_object_id"` MSIObjectID string `config:"msi_object_id"`
MSIClientID string `config:"msi_client_id"` MSIClientID string `config:"msi_client_id"`
@ -726,6 +743,7 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
// Read credentials from the environment // Read credentials from the environment
options := azidentity.DefaultAzureCredentialOptions{ options := azidentity.DefaultAzureCredentialOptions{
ClientOptions: policyClientOptions, ClientOptions: policyClientOptions,
DisableInstanceDiscovery: opt.DisableInstanceDiscovery,
} }
cred, err = azidentity.NewDefaultAzureCredential(&options) cred, err = azidentity.NewDefaultAzureCredential(&options)
if err != nil { if err != nil {

7
docs/content/azureblob.md
View File

@ -180,6 +180,13 @@ If the resource has multiple user-assigned identities you will need to
unset `env_auth` and set `use_msi` instead. See the [`use_msi` unset `env_auth` and set `use_msi` instead. See the [`use_msi`
section](#use_msi). section](#use_msi).
If you are operating in disconnected clouds, or private clouds such as
Azure Stack you may want to set `disable_instance_discovery = true`.
This determines whether rclone requests Microsoft Entra instance
metadata from `https://login.microsoft.com/` before authenticating.
Setting this to `true` will skip this request, making you responsible
for ensuring the configured authority is valid and trustworthy.
##### Env Auth: 3. Azure CLI credentials (as used by the az tool) ##### Env Auth: 3. Azure CLI credentials (as used by the az tool)
Credentials created with the `az` tool can be picked up using `env_auth`. Credentials created with the `az` tool can be picked up using `env_auth`.