Commit 17d6042

Cheruvu.Sahithee.Vaibhav@ibm.com authored and committed
docs: add Azure Blob service principal authentication
Signed-off-by: Cheruvu.Sahithee.Vaibhav@ibm.com <Cheruvu.Sahithee.Vaibhav@ibm.com>
1 parent 5231934 commit 17d6042

1 file changed

Lines changed: 28 additions & 1 deletion

pipeline/outputs/azure_blob.md

@@ -23,14 +23,17 @@ Fluent Bit exposes the following configuration properties.
2323
| Key | Description | Default |
2424
| :------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------- |
2525
| `account_name` | Azure Storage account name. | _none_ |
26-
| `auth_type` | Specify the type to authenticate against the service. Supported values: `key`, `sas`. | `key` |
26+
| `auth_type` | Specify the type to authenticate against the service. Supported values: `key`, `sas`, `service_principal`. | `key` |
2727
| `auto_create_container` | If `container_name` doesn't exist in the remote service, enabling this option handles the exception and auto-creates the container. | `true` |
2828
| `azure_blob_buffer_key` | Set the Azure Blob buffer key which needs to be specified when using multiple instances of Azure Blob output plugin and buffering is enabled. | `key` |
2929
| `blob_type` | Specify the desired blob type. Supported values: `appendblob`, `blockblob`. | `appendblob` |
3030
| `blob_uri_length` | Set the length of the generated blob URI used when creating and uploading objects to Azure Blob Storage. | `64` |
3131
| `buffer_dir` | Specifies the location of directory where the buffered data will be stored. | `/tmp/fluent-bit/azure-blob/` |
3232
| `buffer_file_delete_early` | Whether to delete the buffered file early after successful blob creation. | `false` |
3333
| `buffering_enabled` | Enable buffering into disk before ingesting into Azure Blob. | `false` |
34+
| `client_id` | Microsoft Entra ID application/client ID. Mandatory when `auth_type` is `service_principal`. | _none_ |
35+
| `client_secret` | Microsoft Entra ID client secret. Mandatory when `auth_type` is `service_principal`. | _none_ |
36+
| `tenant_id` | Microsoft Entra ID tenant ID. Mandatory when `auth_type` is `service_principal`. | _none_ |
3437
| `compress` | Sets payload compression in network transfer. Supported values: `gzip`, `zstd`. | _none_ |
3538
| `compress_blob` | Enables compression in the final `blockblob` file. When enabled without `compress`, it uses GZIP; if `compress` is also set, it inherits that codec. This option isn't compatible when `blob_type` = `appendblob`. Fluent Bit returns a configuration error and fails to start. | `false` |
3639
| `configuration_endpoint_bearer_token` | Bearer token for the configuration endpoint. | _none_ |
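
Review bot: The `tenant_id` row is inserted between `client_secret` and `compress`, which breaks the alphabetical ordering the rest of the table follows (`account_name` through `buffering_enabled`, then `compress`, `compress_blob`, `configuration_endpoint_bearer_token`). `client_id` and `client_secret` sort correctly at this position, but `tenant_id` belongs with the other `t` keys further down. If the three credential keys are meant to stay together for readability, name them in the `auth_type` description instead so the grouping is discoverable from that row.
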
@@ -60,6 +63,30 @@ Fluent Bit exposes the following configuration properties.
6063
| `upload_timeout` | Optional. Specify a timeout for uploads. Fluent Bit will start ingesting buffer files which have been created more than `x` minutes and haven't reached `upload_file_size` limit yet. | `30m` |
6164
| `workers` | The number of [workers](../../administration/multithreading.md#outputs) to perform flush operations for this output. | `0` |
6265

66+
## Service principal authentication
67+
68+
Azure Blob output supports Microsoft Entra ID service principal authentication. To use this authentication method, set `auth_type` to `service_principal` and provide the required credentials: `tenant_id`, `client_id`, and `client_secret`.
69+
70+
The service principal must have permission to write to the target storage account or container. For example, assign the `Storage Blob Data Contributor` role to the service principal.
71+
72+
Service principal authentication requires TLS to be enabled (`tls` set to `on`).
73+
74+
### Example configuration
75+
76+
```ini
77+
[OUTPUT]
78+
Name azure_blob
79+
Match *
80+
account_name mystorageaccount
81+
container_name logs
82+
blob_type blockblob
83+
auth_type service_principal
84+
tenant_id <tenant-id>
85+
client_id <client-id>
86+
client_secret <client-secret>
87+
tls on
88+
```
89+
6390
### Path templating
6491

6592
When `path` is set, Fluent Bit resolves the value as a template (similar to the Amazon S3 output) before each upload. The resolved prefix is persisted alongside buffered files, so retries and restarts keep writing to the same Azure path. Leading and trailing slashes are removed automatically to avoid duplicate separators.
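
Review bot: The new `## Service principal authentication` heading sits one level above the `### Path templating` heading that follows it, so Path templating now renders as a subsection of service principal authentication, alongside `### Example configuration`. Use `###` for the new section and `####` for its example so the existing section keeps its place in the outline. In the example, `client_secret <client-secret>` is written inline; add a sentence advising readers to supply the secret from an environment variable or a secret store rather than storing it in the configuration file. The TLS sentence should also state what happens when `tls` is left off with `auth_type service_principal` (configuration error at startup or failure at request time), as the `compress_blob` row does for its incompatible setting.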
