Skip to content

Backport of Backend/azure: subscription_id infer from Azure CLI & a way to skip *unnecessary* management plane API call into v1.11#36677

Merged
dbanck merged 1 commit intov1.11from
backport/azure-backend-freely-bream
Mar 12, 2025
Merged

Backport of Backend/azure: subscription_id infer from Azure CLI & a way to skip *unnecessary* management plane API call into v1.11#36677
dbanck merged 1 commit intov1.11from
backport/azure-backend-freely-bream

Conversation

@dbanck
Copy link
Copy Markdown
Member

@dbanck dbanck commented Mar 12, 2025

This is a manual backport of #36623, since the automatic one failed (in #36676)

Target Release

1.11.2

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@dbanck dbanck requested review from a team as code owners March 12, 2025 09:32
@dbanck dbanck mentioned this pull request Mar 12, 2025
Merged
2 tasks
@magodo @dbanck
Backend/azure: subscription_id infer from Azure CLI & a way to skip…
fc1a36c 
… *unnecessary* management plane API call (#36623)

* backend/azure: Infer `subscription_id` from Azure CLI if not specified

* Avoid management plane call if not necessary

There are four auth scenarios of the blob/container:
1. User specifies the SAS token
2. User specifies the shared access key
3. User specified to use AAD auth (and credential provided)
4. None of the above, management plane API call needed to list the shared access key and use it to auth

For 1, 2 and 3, the management plane API can be skipped in most of the cases, except the target storage account is using private DNS zone. The blob/container data plane client requires the user to specify the base URI, which is not deterministic if the storage account opt in the private DNS zone. In this case, an additional management plane `GET` is required against the storage account, to retrieve the blob endpoint. While if private DNS zone is not used, the base URI can be composed in a fixed pattern, with the storage account name and container&blob name. Hence no management plane API call is needed.

The user is expected to use the `subscription_id` and `resource_group_name` to indicate the above intent: Only if both are specified, the additional `GET` call will be invoked to get the accurate blob endpoint.

(NOTE: the `subscription_id` can be inferred from the Azure CLI if unspecified)

* No need for AAD auth if shared key or sas is specified

* update

* Add test

* update comments

* changelog
@dbanck dbanck force-pushed the backport/azure-backend-freely-bream branch from a2368d3 to fc1a36c Compare March 12, 2025 11:05
@dbanck dbanck mentioned this pull request Mar 12, 2025
Closed
2 tasks
@dbanck dbanck merged commit d13e4c3 into v1.11 Mar 12, 2025
7 checks passed
@dbanck dbanck deleted the backport/azure-backend-freely-bream branch March 12, 2025 11:21
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 12, 2025

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 12, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@radeksimko radeksimko radeksimko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dbanck @radeksimko @magodo