Skip to content

Commit e624619

Browse files
zshuang0316claude
zshuang0316
and
claude
committed
docs: azure_blob: document OAuth authentication support
Add new auth_type values (managed_identity, service_principal, workload_identity) and their required configuration parameters (tenant_id, client_id, client_secret, workload_identity_token_file). Add OAuth authentication section with examples for each method. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 3da2d5f commit e624619

File tree

1 file changed

+130
-1
lines changed

1 file changed

+130
-1
lines changed

pipeline/outputs/azure_blob.md

Lines changed: 130 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,14 +23,16 @@ Fluent Bit exposes the following configuration properties.
2323
| Key | Description | Default |
2424
| :------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------- |
2525
| `account_name` | Azure Storage account name. | _none_ |
26-
| `auth_type` | Specify the type to authenticate against the service. Supported values: `key`, `sas`. | `key` |
26+
| `auth_type` | Specify the authentication method. Supported values: `key`, `sas`, `managed_identity`, `service_principal`, `workload_identity`. | `key` |
2727
| `auto_create_container` | If `container_name` doesn't exist in the remote service, enabling this option handles the exception and auto-creates the container. | `true` |
2828
| `azure_blob_buffer_key` | Set the Azure Blob buffer key which needs to be specified when using multiple instances of Azure Blob output plugin and buffering is enabled. | `key` |
2929
| `blob_type` | Specify the desired blob type. Supported values: `appendblob`, `blockblob`. | `appendblob` |
3030
| `blob_uri_length` | Set the length of the generated blob URI used when creating and uploading objects to Azure Blob Storage. | `64` |
3131
| `buffer_dir` | Specifies the location of directory where the buffered data will be stored. | `/tmp/fluent-bit/azure-blob/` |
3232
| `buffer_file_delete_early` | Whether to delete the buffered file early after successful blob creation. | `false` |
3333
| `buffering_enabled` | Enable buffering into disk before ingesting into Azure Blob. | `false` |
34+
| `client_id` | Azure AD application (client) ID. Required for `service_principal` and `workload_identity` auth. For `managed_identity`, set to `system` for system-assigned or provide the client ID for user-assigned. | _none_ |
35+
| `client_secret` | Azure AD client secret. Required for `service_principal` auth. | _none_ |
3436
| `compress` | Sets payload compression in network transfer. Supported values: `gzip`, `zstd`. | _none_ |
3537
| `compress_blob` | Enables compression in the final `blockblob` file. When enabled without `compress`, it uses GZIP; if `compress` is also set, it inherits that codec. This option isn't compatible when `blob_type` = `appendblob`. Fluent Bit returns a configuration error and fails to start. | `false` |
3638
| `configuration_endpoint_bearer_token` | Bearer token for the configuration endpoint. | _none_ |
@@ -52,12 +54,14 @@ Fluent Bit exposes the following configuration properties.
5254
| `scheduler_max_retries` | Maximum number of retries for the scheduler send blob. | `3` |
5355
| `shared_key` | Specify the Azure Storage Shared Key to authenticate against the service. This configuration property is mandatory when `auth_type` is `key`. | _none_ |
5456
| `store_dir_limit_size` | Set the max size of the buffer directory. | `8G` |
57+
| `tenant_id` | Azure AD tenant ID. Required for `service_principal` and `workload_identity` auth. | _none_ |
5558
| `tls` | Enable or disable TLS encryption. Azure service requires this to be set to `on`. | `off` |
5659
| `unify_tag` | Whether to create a single buffer file when buffering mode is enabled. | `false` |
5760
| `upload_file_size` | Specifies the size of files to be uploaded in MB. | `200M` |
5861
| `upload_part_freshness_limit` | Maximum lifespan of an uncommitted file part. | `6D` |
5962
| `upload_parts_timeout` | Timeout for uploading parts of a blob file. | `10M` |
6063
| `upload_timeout` | Optional. Specify a timeout for uploads. Fluent Bit will start ingesting buffer files which have been created more than `x` minutes and haven't reached `upload_file_size` limit yet. | `30m` |
64+
| `workload_identity_token_file` | Path to the federated token file for `workload_identity` auth. | `/var/run/secrets/azure/tokens/azure-identity-token` |
6165
| `workers` | The number of [workers](../../administration/multithreading.md#outputs) to perform flush operations for this output. | `0` |
6266

6367
### Path templating
@@ -89,6 +93,131 @@ pipeline:
8993
9094
If a chunk arrives with the tag `kube.var.log.containers.app-default`, this configuration creates blobs under `kube/app-default/2025/12/16/05/042/abcd1234/...`.
9195

96+
## OAuth authentication
97+
98+
In addition to shared key and SAS token authentication, the Azure Blob plugin supports Azure AD-based authentication using the following methods.
99+
100+
### Managed identity
101+
102+
Use a system-assigned or user-assigned [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) attached to the compute resource running Fluent Bit. No credentials need to be stored in the configuration.
103+
104+
| `auth_type` | `client_id` |
105+
| :----------------- | :--------------------------------------- |
106+
| `managed_identity` | `system` for system-assigned |
107+
| `managed_identity` | Application client ID for user-assigned |
108+
109+
{% tabs %}
110+
{% tab title="fluent-bit.yaml" %}
111+
112+
```yaml
113+
pipeline:
114+
outputs:
115+
- name: azure_blob
116+
match: "*"
117+
account_name: YOUR_ACCOUNT_NAME
118+
auth_type: managed_identity
119+
client_id: system
120+
container_name: logs
121+
tls: on
122+
```
123+
124+
{% endtab %}
125+
{% tab title="fluent-bit.conf" %}
126+
127+
```text
128+
[OUTPUT]
129+
Name azure_blob
130+
Match *
131+
Account_Name YOUR_ACCOUNT_NAME
132+
Auth_Type managed_identity
133+
Client_Id system
134+
Container_Name logs
135+
Tls on
136+
```
137+
138+
{% endtab %}
139+
{% endtabs %}
140+
141+
### Service principal
142+
143+
Authenticate using an Azure AD application registration with a client secret.
144+
145+
{% tabs %}
146+
{% tab title="fluent-bit.yaml" %}
147+
148+
```yaml
149+
pipeline:
150+
outputs:
151+
- name: azure_blob
152+
match: "*"
153+
account_name: YOUR_ACCOUNT_NAME
154+
auth_type: service_principal
155+
tenant_id: YOUR_TENANT_ID
156+
client_id: YOUR_CLIENT_ID
157+
client_secret: YOUR_CLIENT_SECRET
158+
container_name: logs
159+
tls: on
160+
```
161+
162+
{% endtab %}
163+
{% tab title="fluent-bit.conf" %}
164+
165+
```text
166+
[OUTPUT]
167+
Name azure_blob
168+
Match *
169+
Account_Name YOUR_ACCOUNT_NAME
170+
Auth_Type service_principal
171+
Tenant_Id YOUR_TENANT_ID
172+
Client_Id YOUR_CLIENT_ID
173+
Client_Secret YOUR_CLIENT_SECRET
174+
Container_Name logs
175+
Tls on
176+
```
177+
178+
{% endtab %}
179+
{% endtabs %}
180+
181+
### Workload identity
182+
183+
Use [Azure Workload Identity](https://azure.github.io/azure-workload-identity/docs/) to exchange a Kubernetes-projected service account token for an Azure AD access token. This is the recommended approach for workloads running in AKS.
184+
185+
{% tabs %}
186+
{% tab title="fluent-bit.yaml" %}
187+
188+
```yaml
189+
pipeline:
190+
outputs:
191+
- name: azure_blob
192+
match: "*"
193+
account_name: YOUR_ACCOUNT_NAME
194+
auth_type: workload_identity
195+
tenant_id: YOUR_TENANT_ID
196+
client_id: YOUR_CLIENT_ID
197+
container_name: logs
198+
tls: on
199+
```
200+
201+
{% endtab %}
202+
{% tab title="fluent-bit.conf" %}
203+
204+
```text
205+
[OUTPUT]
206+
Name azure_blob
207+
Match *
208+
Account_Name YOUR_ACCOUNT_NAME
209+
Auth_Type workload_identity
210+
Tenant_Id YOUR_TENANT_ID
211+
Client_Id YOUR_CLIENT_ID
212+
Container_Name logs
213+
Tls on
214+
```
215+
216+
{% endtab %}
217+
{% endtabs %}
218+
219+
The `workload_identity_token_file` parameter defaults to `/var/run/secrets/azure/tokens/azure-identity-token`, which is the standard path used by the Azure Workload Identity webhook. Override it only if your environment uses a different path.
220+
92221
## Get started
93222

94223
Fluent Bit can deliver records to the official service or an emulator.

0 commit comments

Comments
 (0)