
Commit b7d5f19

committed
cleanup: clientID is not required when mountWithWorkloadIdentityToken
1 parent 1db0745 commit b7d5f19


1 file changed

+22
-18
lines changed


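--- a/pkg/blob/blob.go
+++ b/pkg/blob/blob.go
@@ -590,27 +590,31 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 tenantID = d.cloud.TenantID
 }
 
-if clientID != "" {
-if mountWithWIToken {
-klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
-
-workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
-if err != nil {
-return rgName, accountName, accountKey, containerName, authEnv, err
-}
-azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
-if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
-return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
-}
+if mountWithWIToken {
+if clientID == "" {
+clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
+}
+klog.V(2).Infof("mountWithWorkloadIdentity is specified, use workload identity auth mount, clientID: %s, tenantID: %s", clientID, tenantID)
 
-authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
-if tenantID != "" {
-authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
-}
-authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
-klog.V(2).Infof("workload identity auth: %v", authEnv)
+workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
+if err != nil {
 return rgName, accountName, accountKey, containerName, authEnv, err
 }
+azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
+if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
+return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
+}
+
+authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
+if tenantID != "" {
+authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
+}
+authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
+klog.V(2).Infof("workload identity auth: %v", authEnv)
+return rgName, accountName, accountKey, containerName, authEnv, err
+}
+
+if clientID != "" {
 klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
 if subsID == "" {
 subsID = d.cloud.SubscriptionID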
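Review bot: The fallback at new lines 594–596 can still leave clientID empty, because nothing checks that `d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID` is actually configured, yet the branch goes on to write the token file and export `AZURE_STORAGE_SPN_CLIENT_ID=` with an empty value. With an empty clientID the path `filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)` collapses to one file per storage account, so two workloads with different identities mounting the same account would share that path and the later `os.WriteFile` would replace the earlier token; the mount would then fail (or worse, use the wrong token) far from the misconfiguration. The old code only entered this branch when `clientID != ""`, so the empty case now silently takes the workload-identity path instead of falling through as before. I would fail fast right after the fallback: `if clientID == "" { return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("clientID is required when mountWithWorkloadIdentityToken is enabled: set it in the volume attributes or configure UserAssignedIdentityID") }` — unless a caller outside this hunk already validates it, which I cannot see from here. GetAuthEnv begins before this hunk and continues past it.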
