Don't use storage account key for object storage if SP or MI is provided

[yvespp]

Implements vmware-tanzu/velero#4267

The plugin no longer uses the storage access key to access the blobs by default. The key is only used if it's configured via AZURE_STORAGE_ACCOUNT_ACCESS_KEY. Therefore "Allow storage account key access" can be disabled on the storage account if using MI or SP.

Changes:

• Switched object_store to the newer azblobclient
• When the storage account access key is not provided delegation SAS instead of service SAS is used.
  • delegation SAS isn't implemented in the azblob client yet so I implemented a simple version in delegationsas.go. This code can be delete once it's implemented in azblob
  • resourceGroupConfigKey and subscriptionIDConfigKey are no longer needed for the object store
• Added an integration test for the object_storage
  • Only runs when the tag integration is specified e.g. go test ./... -tags=integration -v
  • The storage account for the test has to be created separatly.
• Updated README
• Updated deps
  • go 1.17
  • go dependencies
  • busybox image

[sseago]

Just a question around the golang version for now -- I'll look at this in more detail a bit later.

[sseago]

velero still uses go 1.16 on the main branch. We should probably do the same here unless there is a specific need for 1.17 for this plugin.

[sseago]

As above, velero still uses go 1.16 on the main branch. We should probably do the same here unless there is a specific need for 1.17 for this plugin.

[yvespp]

I downgraded it to 1.16 and also added a go setup step to pr.yaml, it seems it was using the preinstalled version before.

[yvespp]

Hi!

Has someone time to review this?
BTW: is there a way to run integration tests against Azure in this repo?

Thanks,
Yves

[yvespp]

Rebased to master.
Any chance this can be merged?

[nxf5025]

This is exactly what we need as well and makes a lot more sense than dealing with access keys when they aren't necessary.

[codecov-commenter]

Codecov Report

Merging #111 (e7efb9e) into main (73d1530) will increase coverage by 1.29%.
The diff coverage is 7.00%.

@@            Coverage Diff             @@
##             main     #111      +/-   ##
==========================================
+ Coverage   12.77%   14.07%   +1.29%     
==========================================
  Files           4        4              
  Lines         626      668      +42     
==========================================
+ Hits           80       94      +14     
- Misses        542      571      +29     
+ Partials        4        3       -1     

Impacted Files	Coverage Δ
velero-plugin-for-microsoft-azure/object_store.go	2.38% <0.54%> (-0.27%)	⬇️
...o-plugin-for-microsoft-azure/volume_snapshotter.go	23.68% <4.44%> (+0.28%)	⬆️
velero-plugin-for-microsoft-azure/common.go	24.59% <55.55%> (+24.59%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[vzabawski]

Does the PR also addresses this issue? vmware-tanzu/velero#4930

[yvespp]

Does the PR also addresses this issue? vmware-tanzu/velero#4930

Yes, ListKeys will be removed with this PR.

[vzabawski]

Awesome! Thank you for your contribution.

[chrisob]

Reliance on Azure storage account shared keys is preventing my org from using Velero, would be great to see this merged ❤️ @ywk253100 @eleanor-millman

[anshulahuja98]

HI @yvespp
I was trying to test out this PR
1 basic flow I was not able to validate - I created a BSL with incorrect params(SA didn't exist)
But the BSL is showing as available. Possibly some underlying layers are not returning errors?
The logs also did not help much debugging

When I created a backup, the following error came in the Backup Status. The BSL was still showing as available

│ completionTimestamp: "2022-09-08T05:12:03Z" ││ expiration: "2022-10-08T05:12:03Z" ││ failureReason: | ││ error checking if backup already exists in object storage: rpc error: code = Unknown desc = ===== RESPONSE ERROR (ErrorCode=AuthorizationPermissionMismatch) ===== ││ Description=, Details: (none) ││ formatVersion: 1.1.0 ││ phase: Failed ││ startTimestamp: "2022-09-08T05:12:03Z" ││ version: 1

[ywk253100]

@yvespp Sorry for the late review.

I have added some comments but haven't reviewed the delegationsas.go yet and I will continue to add comments.

[mimmi-gjems]

Hi! Would be really great if this could be merged sometime soon :) @sseago @ywk253100 @dsu-igeek

[vzabawski]

I second that. This PR will allow me to start using Velero.

[yvespp]

HI @yvespp I was trying to test out this PR 1 basic flow I was not able to validate - I created a BSL with incorrect params(SA didn't exist) But the BSL is showing as available. Possibly some underlying layers are not returning errors? The logs also did not help much debugging

When I created a backup, the following error came in the Backup Status. The BSL was still showing as available

│ completionTimestamp: "2022-09-08T05:12:03Z" ││ expiration: "2022-10-08T05:12:03Z" ││ failureReason: | ││ error checking if backup already exists in object storage: rpc error: code = Unknown desc = ===== RESPONSE ERROR (ErrorCode=AuthorizationPermissionMismatch) ===== ││ Description=, Details: (none) ││ formatVersion: 1.1.0 ││ phase: Failed ││ startTimestamp: "2022-09-08T05:12:03Z" ││ version: 1

Hi @anshulahuja98, do you know how the backup location is verified? I was looking through the code but couldn't find it.

[ywk253100]

@yvespp I added a few comments about the document, please take a look.
And please also resolve the conflicts, rebase and squash the commits

[yvespp]

@yvespp I added a few comments about the document, please take a look. And please also resolve the conflicts, rebase and squash the commits

@ywk253100 I addressed your comments, rebased and squashed.

[ywk253100]

The changes have passed the end-to-end testing running locally. Thanks @yvespp

@sseago Could you take a look at this PR when you are available?

[jkroepke]

Hi all, could the PR released? It looks like this PR is not port of the 1.6.1 version.

Current workaround: Add Reader and Data Access Role in addition to Storage Blob Data Contributor on the storage account to avoid the error ... does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope ...

[yvespp]

Hi all, could the PR released? It looks like this PR is not port of the 1.6.1 version.

Current workaround: Add Reader and Data Access Role in addition to Storage Blob Data Contributor on the storage account to avoid the error ... does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope ...

I think the plan is to release this with the next minor version 1.7.0 and Velero 1.11: #111 (comment)

If you want to try it out you can use my image which includes this pull request: https://hub.docker.com/r/yvespp/velero-plugin-for-microsoft-azure
It's still on 1.6.0 though.

[ywk253100]

@yvespp Thanks
@jkroepke The fix will be available in 1.7. And as the changes introduced by this PR are quite fundamental, we'll not back-port the changes to 1.6

[vikrantoct7]

If this PR is already merged, may i know the plugin version in which this PR is available?

[mkemmerz]

Hello everyone - is there any release date planned for this feature yet? This feature is essential for Azure and I would like to use it :)

[ywk253100]

@vikrantoct7 @mkemmerz This change isn't available in Velero 1.11, please see vmware-tanzu/velero#5984 for details.

But if you guys take backup without Restic/Kopia, the Velero Azure plugin can be configured as work without listing storage account access keys.