
Commit d7231a6

committed
cleanup: clientID is not required when mountWithWorkloadIdentityToken
fix log add check
1 parent 1db0745 commit d7231a6


1 file changed

+24
-17
lines changed

1 file changed

+24
-17
lines changed

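--- a/pkg/blob/blob.go
+++ b/pkg/blob/blob.go
@@ -590,27 +590,34 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 tenantID = d.cloud.TenantID
 }
 
-if clientID != "" {
-if mountWithWIToken {
-klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
-
-workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
-if err != nil {
-return rgName, accountName, accountKey, containerName, authEnv, err
-}
-azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
-if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
-return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
+if mountWithWIToken {
+if clientID == "" {
+clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
+if clientID == "" {
+return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("mountWithWorkloadIdentityToken is true but clientID is not specified")
 }
+}
+klog.V(2).Infof("mountWithWorkloadIdentityToken is specified, use workload identity auth for mount, clientID: %s, tenantID: %s", clientID, tenantID)
 
-authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
-if tenantID != "" {
-authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
-}
-authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
-klog.V(2).Infof("workload identity auth: %v", authEnv)
+workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
+if err != nil {
 return rgName, accountName, accountKey, containerName, authEnv, err
 }
+azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
+if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
+return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
+}
+
+authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
+if tenantID != "" {
+authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
+}
+authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
+klog.V(2).Infof("workload identity auth: %v", authEnv)
+return rgName, accountName, accountKey, containerName, authEnv, err
+}
+
+if clientID != "" {
 klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
 if subsID == "" {
 subsID = d.cloud.SubscriptionID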
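Review bot: The token file name at `azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)` is built from values that this change now accepts from two different sources with no shape check, and because Join cleans its result a clientID or accountName containing `..` or a path separator resolves to a location outside defaultAzureOAuthTokenDir, so the 0600 file holding the service-account token gets written there (clientID looks like it is read from the volume attributes via the `attrib` parameter, but that assignment is outside the hunk — confirm). A containment check after the Join closes this regardless of where the value came from: `if filepath.Dir(azureOAuthTokenFile) != filepath.Clean(defaultAzureOAuthTokenDir) { return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("invalid clientID or accountName for token file name %s", azureOAuthTokenFile) }`. Separately, the closing `return rgName, accountName, accountKey, containerName, authEnv, err` hands back an `err` that is necessarily nil after the preceding `if err != nil` check, so `nil` there reads more honestly, and the error at the top of the branch would help operators more if it said the config `UserAssignedIdentityID` fallback was also empty, e.g. `"mountWithWorkloadIdentityToken is true but clientID is not specified and no UserAssignedIdentityID is configured"`. GetAuthEnv starts before and ends after this hunk.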
