WorkloadIdentity support in AzureDataExplorer exporter #33667
Comments
mipnw
added
enhancement
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
@atoulme I see there are 2 PRs that went stale for the same issue. What can I do to move the needle for solving this? |
…emetry#35835) #### Description Add the ability to use the default Azure SDK authentication for the kusto client. This enables users to use workload identity. Links: - https://learn.microsoft.com/azure/developer/go/azure-sdk-authentication?tabs=bash#2-authenticate-with-azure - https://github.com/Azure/azure-kusto-go/blob/11658efc9faad4d0300afdc4af9a19c470b0313a/azkustodata/kcsb.go#L294C1-L298C2 - https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=go #### Link to tracking issue Fixes open-telemetry#33667 #### Testing - `make` - deploy controller in kind cluster using workload identity, send dummy traces and validate that they reach the ADX cluster #### Documentation Split the authentication docs for each mechanism available.
Component(s)
exporter/azuredataexplorer
Is your feature request related to a problem? Please describe.
exporter/azuredataexplorerexporter does not currently have support for Azure WorkloadIdentity.
Applications running on Kubernetes cannot yet securely export to Azure Data Explorer with this exporter. They would have to use a client secret to use this exporter, as opposed to using a managed identity. WorkloadIdentity is basically just another form of managed identity that is specific to Kubernetes. For more information see
Currently if you configure the exporter with
managed_identity_id:systemyou don't get the correct behavior when hosted in Kubernetes, the exporter attempts to pull a token from Azure Instance Metadata Service (i.e. from 169.254.169.254) and there is no such service in Kubernetes, that would only be appropriate on an Azure hosted VM.Describe the solution you'd like
One solution would be to add a new
managed_identity_id=workloadidentityconfiguration and use Azure Kusto Go's ConnectionStringBuilder.WithKubernetesWorkloadIdentity when that option is present instead of the other connectionstring buildsers currently used to handle managed identities.Describe alternatives you've considered
n/a
Additional context
I've forked this repository and created a branch with the proposed solution at https://github.com/mipnw/opentelemetry-collector-contrib/tree/feature/azuredataexplorer_workloadidentity
The text was updated successfully, but these errors were encountered: