Add support for Azure Managed Identities in cache
What does this MR do?
This adds support for Azure Managed Identities in the cache. This merge request allows `AccountKey`
to be omitted from the config file. When the account key is omitted and the runner wants to upload an Azure blob, it retrieves the credentials from the metadata instance endpoint. As a result, we need to pass the request context along.
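The credential lookup described above, as an added example that is not the runner's own code: when `AccountKey` is empty, the token for the storage resource is requested from the instance metadata identity endpoint with the mandatory `Metadata: true` header, and the caller's context is threaded into the HTTP request so a cancelled or timed-out job aborts the metadata call. The endpoint path, API version and `https://storage.azure.com/` resource are the documented IMDS values; the `NewMockIMDS` server, the function names, the `AzureCacheConfig` struct and the `constructed-token` value are assumptions made here so the example runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Documented IMDS identity endpoint values. The host is a parameter so the
// example can be pointed at a local mock instead of 169.254.169.254.
const (
	imdsTokenPath   = "/metadata/identity/oauth2/token"
	imdsAPIVersion  = "2018-02-01"
	storageResource = "https://storage.azure.com/"
)

// AzureCacheConfig mirrors the [runners.cache.azure] keys from config.toml
// (assumed struct, not the runner's own type).
type AzureCacheConfig struct {
	AccountName   string
	AccountKey    string // empty => fall back to the managed identity
	ContainerName string
}

// tokenResponse is the subset of the IMDS JSON body that matters here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   string `json:"expires_in"` // IMDS encodes this as a string
}

// UsesManagedIdentity reports whether AccountKey was omitted, which is the
// condition under which credentials come from the metadata endpoint.
func UsesManagedIdentity(c AzureCacheConfig) bool {
	return c.AccountKey == ""
}

// FetchManagedIdentityToken requests a bearer token for resource from the
// IMDS identity endpoint at imdsHost, honouring ctx for cancellation.
func FetchManagedIdentityToken(ctx context.Context, client *http.Client, imdsHost, resource string) (string, error) {
	q := url.Values{}
	q.Set("api-version", imdsAPIVersion)
	q.Set("resource", resource)
	u := imdsHost + imdsTokenPath + "?" + q.Encode()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return "", err
	}
	// IMDS rejects requests that lack this header.
	req.Header.Set("Metadata", "true")

	resp, err := client.Do(req)
	if err != nil {
		return "", err // includes context deadline exceeded / cancelled
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("imds: unexpected status %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" {
		return "", errors.New("imds: empty access_token")
	}
	return tr.AccessToken, nil
}

// NewMockIMDS is a constructed stand-in for the metadata service: it enforces
// the Metadata header and path, and can delay to simulate a slow endpoint.
func NewMockIMDS(token string, delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" || r.URL.Path != imdsTokenPath {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		select {
		case <-time.After(delay):
		case <-r.Context().Done(): // client gave up; stop serving
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(tokenResponse{AccessToken: token, ExpiresIn: "3599"})
	}))
}

func main() {
	srv := NewMockIMDS("constructed-token", 0)
	defer srv.Close()
	cfg := AzureCacheConfig{AccountName: "YOUR-AZURE-ACCOUNT-NAME", ContainerName: "test1"}
	if !UsesManagedIdentity(cfg) {
		fmt.Println("AccountKey present; would sign with the shared key")
		return
	}
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	tok, err := FetchManagedIdentityToken(ctx, srv.Client(), srv.URL, storageResource)
	fmt.Println(tok, err)
}
```

On a real VM the host is `http://169.254.169.254` and the token is then sent as `Authorization: Bearer` on the blob request; the timeout case matters because a runner outside Azure (or a VM without an identity assigned) would otherwise block on an endpoint that never answers.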
Why was this MR needed?
This feature allows admins to omit the account key and use temporary credentials to access the cache. This is similar to AWS's IAM profile.
What's the best way to test this MR?
- Set up an Azure Storage Blob container (portal.azure.com).
- Create a VM. Under the Management tab click on Enable system assigned managed identity.
- In the Azure portal, click on Resource groups.
- Select your resource group and then Access control (IAM).
- Click Add -> Add role assignment.
- Search Blob in the field, select Storage Data Blob Owner, and click on Next.
- Click on the Members tab -> Assign access to -> Managed identity.
- On the right tab, use the dropdown to select Managed identity -> Virtual machine.
- Search for the VM that you created, click on it, click Select, and Review and assign.
- Once that has been selected, edit your `config.toml` to include the `ContainerName` and `AccountName`. Remove `AccountKey` if it is present:

```toml
[runners.cache]
  MaxUploadedArchiveSize = 0
  Type = "azure"
  [runners.cache.s3]
  [runners.cache.gcs]
  [runners.cache.azure]
    ContainerName = "test1"
    AccountName = "YOUR-AZURE-ACCOUNT-NAME"
```

- Now run a CI job that uses the cache:

```yaml
default:
  script:
    - echo "hello world" > test.txt
  cache:
    paths:
      - test.txt
```
What are the relevant issue numbers?
Relates to #27303 (closed)
Edited by Stan Hu