Azure token provider with support for Managed Identities (#33807)

* Azure token provider * Configuration for Azure token provider * Authentication via Azure SDK for Go * Fix typo * ConcurrentTokenCache for Azure credentials * Resolve AAD authority for selected Azure cloud * Fixes * Generic AccessToken and fixes * Tests and wordings * Tests for getAccessToken * Tests for getClientSecretCredential * Tests for token cache
2025-02-25 18:55:37 -06:00 · 2021-05-14 04:59:07 -07:00
parent 8254efc027
commit 81f6c806e1
16 changed files with 756 additions and 66 deletions
--- a/public/app/plugins/datasource/grafana-azure-monitor-datasource/plugin.json
+++ b/public/app/plugins/datasource/grafana-azure-monitor-datasource/plugin.json
@@ -33,13 +33,15 @@
      "path": "azuremonitor",
      "method": "GET",
      "url": "https://management.azure.com",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.com/{{.JsonData.tenantId}}/oauth2/token",
+        "scopes": ["https://management.azure.com/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureCloud",
+          "tenant_id": "{{.JsonData.tenantId}}",
          "client_id": "{{.JsonData.clientId}}",
-          "client_secret": "{{.SecureJsonData.clientSecret}}",
-          "resource": "https://management.azure.com/"
+          "client_secret": "{{.SecureJsonData.clientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -48,13 +50,15 @@
      "path": "govazuremonitor",
      "method": "GET",
      "url": "https://management.usgovcloudapi.net",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.us/{{.JsonData.tenantId}}/oauth2/token",
+        "scopes": ["https://management.usgovcloudapi.net/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureUSGovernment",
+          "tenant_id": "{{.JsonData.tenantId}}",
          "client_id": "{{.JsonData.clientId}}",
-          "client_secret": "{{.SecureJsonData.clientSecret}}",
-          "resource": "https://management.usgovcloudapi.net/"
+          "client_secret": "{{.SecureJsonData.clientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -63,13 +67,15 @@
      "path": "germanyazuremonitor",
      "method": "GET",
      "url": "https://management.microsoftazure.de",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.de/{{.JsonData.tenantId}}/oauth2/token",
+        "scopes": ["https://management.microsoftazure.de/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureGermanCloud",
+          "tenant_id": "{{.JsonData.tenantId}}",
          "client_id": "{{.JsonData.clientId}}",
-          "client_secret": "{{.SecureJsonData.clientSecret}}",
-          "resource": "https://management.microsoftazure.de/"
+          "client_secret": "{{.SecureJsonData.clientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -78,13 +84,15 @@
      "path": "chinaazuremonitor",
      "method": "GET",
      "url": "https://management.chinacloudapi.cn",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.chinacloudapi.cn/{{.JsonData.tenantId}}/oauth2/token",
+        "scopes": ["https://management.chinacloudapi.cn/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureChinaCloud",
+          "tenant_id": "{{.JsonData.tenantId}}",
          "client_id": "{{.JsonData.clientId}}",
-          "client_secret": "{{.SecureJsonData.clientSecret}}",
-          "resource": "https://management.chinacloudapi.cn/"
+          "client_secret": "{{.SecureJsonData.clientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -111,13 +119,15 @@
      "path": "workspacesloganalytics",
      "method": "GET",
      "url": "https://management.azure.com",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.com/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://management.azure.com/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureCloud",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://management.azure.com/"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -126,13 +136,15 @@
      "path": "chinaworkspacesloganalytics",
      "method": "GET",
      "url": "https://management.chinacloudapi.cn",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.chinacloudapi.cn/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://management.chinacloudapi.cn/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureChinaCloud",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://management.chinacloudapi.cn/"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -141,13 +153,15 @@
      "path": "govworkspacesloganalytics",
      "method": "GET",
      "url": "https://management.usgovcloudapi.net",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.us/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://management.usgovcloudapi.net/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureUSGovernment",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://management.usgovcloudapi.net/"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [{ "name": "x-ms-app", "content": "Grafana" }]
@@ -156,13 +170,15 @@
      "path": "loganalyticsazure",
      "method": "GET",
      "url": "https://api.loganalytics.io/v1/workspaces",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.com/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://api.loganalytics.io/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureCloud",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://api.loganalytics.io"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [
@@ -174,13 +190,15 @@
      "path": "chinaloganalyticsazure",
      "method": "GET",
      "url": "https://api.loganalytics.azure.cn/v1/workspaces",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.chinacloudapi.cn/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://api.loganalytics.azure.cn/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureChinaCloud",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://api.loganalytics.azure.cn"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [
@@ -192,13 +210,15 @@
      "path": "govloganalyticsazure",
      "method": "GET",
      "url": "https://api.loganalytics.us/v1/workspaces",
+      "authType": "azure",
      "tokenAuth": {
-        "url": "https://login.microsoftonline.us/{{.JsonData.logAnalyticsTenantId}}/oauth2/token",
+        "scopes": ["https://api.loganalytics.us/.default"],
        "params": {
-          "grant_type": "client_credentials",
+          "azure_auth_type": "{{.JsonData.azureAuthType}}",
+          "azure_cloud": "AzureUSGovernment",
+          "tenant_id": "{{.JsonData.logAnalyticsTenantId}}",
          "client_id": "{{.JsonData.logAnalyticsClientId}}",
-          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}",
-          "resource": "https://api.loganalytics.us"
+          "client_secret": "{{.SecureJsonData.logAnalyticsClientSecret}}"
        }
      },
      "headers": [