fix: added token credential to azure-storage if rbac is used #10593

Open: wants to merge 1 commit into main

@tago-SE tago-SE commented Jan 15, 2025

What?

Made the connectionString configuration in storage-azure optional and added an option to use TokenCredential for connecting to StorageClient.

Why?

This enables organizations to move away from connectionString and use RBAC for resource access, as recommended by Azure.

How?

Added credential as an optional configuration and checked for it in the getStorageClient function.

import type { ContainerClient } from '@azure/storage-blob'

import { BlobServiceClient } from '@azure/storage-blob'

import type { AzureStorageOptions } from '../index.js'

let storageClient: ContainerClient | null = null

export function getStorageClient(
  options: Pick<
    AzureStorageOptions,
    'baseURL' | 'connectionString' | 'containerName' | 'credential'
  >,
): ContainerClient {
  if (storageClient) {
    return storageClient
  }
  // Changed: use connectionString if it is present; otherwise fall back to
  // credential. Throw if neither is provided.
  const { baseURL, connectionString, containerName, credential } = options
  let blobServiceClient: BlobServiceClient | undefined = undefined
  if (typeof connectionString === 'string') {
    blobServiceClient = BlobServiceClient.fromConnectionString(connectionString)
  } else if (credential && typeof credential === 'object') {
    // `typeof null` is also 'object', so null is excluded explicitly
    blobServiceClient = new BlobServiceClient(baseURL, credential, {})
  }
  if (!blobServiceClient) {
    throw new Error('connectionString or credential must be provided')
  }
  storageClient = blobServiceClient.getContainerClient(containerName)
  return storageClient
}

Configuration change example

import {
  ChainedTokenCredential,
  DefaultAzureCredential,
  VisualStudioCodeCredential,
} from '@azure/identity'

export default buildConfig({
  collections: [Media, MediaWithPrefix],
  plugins: [
    azureStorage({
      collections: {
        media: true,
        'media-with-prefix': {
          prefix,
        },
      },
      allowContainerCreate: process.env.AZURE_STORAGE_ALLOW_CONTAINER_CREATE === 'true',
      baseURL: process.env.AZURE_STORAGE_ACCOUNT_BASEURL,
      // connectionString: process.env.AZURE_STORAGE_CONNECTION_STRING,
      credential: new ChainedTokenCredential(
        ...[
          new VisualStudioCodeCredential(),
          new VisualStudioCodeCredential(),
          new DefaultAzureCredential(),
        ], // Or any TokenCredential
      ),
      containerName: process.env.AZURE_STORAGE_CONTAINER_NAME,
    }),
  ],
})

@tago-SE tago-SE requested a review from denolfe as a code owner January 15, 2025 16:31
@r1tsuu r1tsuu changed the title fix: Added TokenCredential to azure-storage if RBAC is used fix: added TokenCredential to azure-storage if RBAC is used Jan 15, 2025
@tago-SE tago-SE changed the title fix: added TokenCredential to azure-storage if RBAC is used fix: added token credential to azure-storage if rbac is used Jan 15, 2025
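
Added example (not part of the pull request or the project's code): in the `getStorageClient` shown above, `connectionString` takes precedence whenever both it and `credential` are set, so a leftover connection string keeps key-based access in use after a move to RBAC. One way to validate the options before building the client is shown below; `resolveAuthMode`, `AuthOptions`, `AuthMode` and `TokenCredentialLike` are hypothetical names, and rejecting ambiguous or non-HTTPS configurations is an assumption about the desired policy.

```typescript
// Added example, not code from the PR. All names here are hypothetical.
type TokenCredentialLike = { getToken: (...args: unknown[]) => unknown }

interface AuthOptions {
  baseURL?: string
  connectionString?: string
  credential?: TokenCredentialLike | null
}

interface AuthMode {
  mode: 'connectionString' | 'tokenCredential'
  endpoint?: string // set only for tokenCredential
  usesSharedKey: boolean // connection string carries AccountKey
  usesSas: boolean // connection string carries SharedAccessSignature
}

function resolveAuthMode(options: AuthOptions): AuthMode {
  const connStr =
    typeof options.connectionString === 'string' ? options.connectionString.trim() : ''
  const credential = options.credential
  const hasCredential = credential != null && typeof credential.getToken === 'function'

  // Fail closed on ambiguity instead of letting the connection string win silently.
  if (connStr !== '' && hasCredential) {
    throw new Error('set either connectionString or credential, not both')
  }
  if (connStr !== '') {
    // Connection strings are `Key=Value` pairs separated by `;`.
    const keys = connStr
      .split(';')
      .map((pair) => (pair.split('=')[0] ?? '').trim().toLowerCase())
    return {
      mode: 'connectionString',
      usesSharedKey: keys.indexOf('accountkey') !== -1,
      usesSas: keys.indexOf('sharedaccesssignature') !== -1,
    }
  }
  if (hasCredential) {
    const endpoint = (options.baseURL ?? '').trim()
    // A bearer token must only be sent to a TLS endpoint.
    if (!/^https:\/\/[^\s/]+/i.test(endpoint)) {
      throw new Error('baseURL must be an https:// URL when credential is used')
    }
    return { mode: 'tokenCredential', endpoint, usesSharedKey: false, usesSas: false }
  }
  throw new Error('connectionString or credential must be provided')
}
```

The `usesSharedKey` and `usesSas` flags let a startup check or CI lint report deployments that still authenticate with account keys or SAS tokens.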