discovery: add support for Managed Identity authentication in Azure SD (#4590)

Signed-off-by: Marcel Juhnke <marrat@marrat.de>

config/config_test.go

@@ -449,6 +449,7 @@ var expectedConf = &Config{
 						TenantID:             "BBBB222B-B2B2-2B22-B222-2BB2222BB2B2",
 						ClientID:             "333333CC-3C33-3333-CCC3-33C3CCCCC33C",
 						ClientSecret:         "mysecret",
+						AuthenticationMethod: "OAuth",
 						RefreshInterval:      model.Duration(5 * time.Minute),
 						Port:                 9100,
 					},
@@ -769,6 +770,10 @@ var expectedErrors = []struct {
 		filename: "azure_tenant_id_missing.bad.yml",
 		errMsg:   "Azure SD configuration requires a tenant_id",
 	},
+	{
+		filename: "azure_authentication_method.bad.yml",
+		errMsg:   "Unknown authentication_type \"invalid\". Supported types are \"OAuth\" or \"ManagedIdentity\"",
+	},
 	{
 		filename: "empty_scrape_config.bad.yml",
 		errMsg:   "empty or null scrape config section",

config/testdata/azure_authentication_method.bad.yml

@@ -0,0 +1,4 @@
+scrape_configs:
+- azure_sd_configs:
+  - authentication_method: invalid
+    subscription_id: 11AAAA11-A11A-111A-A111-1111A1111A11

config/testdata/conf.good.yml

@@ -196,6 +196,7 @@ scrape_configs:
 - job_name: service-azure
   azure_sd_configs:
     - environment: AzurePublicCloud
+      authentication_method: OAuth
       subscription_id: 11AAAA11-A11A-111A-A111-1111A1111A11
       tenant_id: BBBB222B-B2B2-2B22-B222-2BB2222BB2B2
       client_id: 333333CC-3C33-3333-CCC3-33C3CCCCC33C

discovery/azure/azure.go

@@ -26,13 +26,11 @@ import (
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
-
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
 	"github.com/prometheus/client_golang/prometheus"
 	config_util "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
-
 	"github.com/prometheus/prometheus/discovery/targetgroup"
 	"github.com/prometheus/prometheus/util/strutil"
 )
@@ -47,6 +45,9 @@ const (
 	azureLabelMachinePrivateIP     = azureLabel + "machine_private_ip"
 	azureLabelMachineTag           = azureLabel + "machine_tag_"
 	azureLabelMachineScaleSet      = azureLabel + "machine_scale_set"
+
+	authMethodOAuth           = "OAuth"
+	authMethodManagedIdentity = "ManagedIdentity"
 )
 
 var (
@@ -66,6 +67,7 @@ var (
 		Port:                 80,
 		RefreshInterval:      model.Duration(5 * time.Minute),
 		Environment:          azure.PublicCloud.Name,
+		AuthenticationMethod: authMethodOAuth,
 	}
 )
 
@@ -78,6 +80,7 @@ type SDConfig struct {
 	ClientID             string             `yaml:"client_id,omitempty"`
 	ClientSecret         config_util.Secret `yaml:"client_secret,omitempty"`
 	RefreshInterval      model.Duration     `yaml:"refresh_interval,omitempty"`
+	AuthenticationMethod string             `yaml:"authentication_method,omitempty"`
 }
 
 func validateAuthParam(param, name string) error {
@@ -95,9 +98,12 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	if err != nil {
 		return err
 	}
+
 	if err = validateAuthParam(c.SubscriptionID, "subscription_id"); err != nil {
 		return err
 	}
+
+	if c.AuthenticationMethod == authMethodOAuth {
 		if err = validateAuthParam(c.TenantID, "tenant_id"); err != nil {
 			return err
 		}
@@ -107,6 +113,12 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		if err = validateAuthParam(string(c.ClientSecret), "client_secret"); err != nil {
 			return err
 		}
+	}
+
+	if c.AuthenticationMethod != authMethodOAuth && c.AuthenticationMethod != authMethodManagedIdentity {
+		return fmt.Errorf("Unknown authentication_type %q. Supported types are %q or %q", c.AuthenticationMethod, authMethodOAuth, authMethodManagedIdentity)
+	}
+
 	return nil
 }
 
@@ -186,14 +198,31 @@ func createAzureClient(cfg SDConfig) (azureClient, error) {
 	resourceManagerEndpoint := env.ResourceManagerEndpoint
 
 	var c azureClient
+
+	var spt *adal.ServicePrincipalToken
+
+	switch cfg.AuthenticationMethod {
+	case authMethodManagedIdentity:
+		msiEndpoint, err := adal.GetMSIVMEndpoint()
+		if err != nil {
+			return azureClient{}, err
+		}
+
+		spt, err = adal.NewServicePrincipalTokenFromMSI(msiEndpoint, resourceManagerEndpoint)
+		if err != nil {
+			return azureClient{}, err
+		}
+	case authMethodOAuth:
 		oauthConfig, err := adal.NewOAuthConfig(activeDirectoryEndpoint, cfg.TenantID)
 		if err != nil {
 			return azureClient{}, err
 		}
-	spt, err := adal.NewServicePrincipalToken(*oauthConfig, cfg.ClientID, string(cfg.ClientSecret), resourceManagerEndpoint)
+
+		spt, err = adal.NewServicePrincipalToken(*oauthConfig, cfg.ClientID, string(cfg.ClientSecret), resourceManagerEndpoint)
 		if err != nil {
 			return azureClient{}, err
 		}
+	}
 
 	bearerAuthorizer := autorest.NewBearerAuthorizer(spt)
 

docs/configuration/configuration.md

@@ -274,14 +274,18 @@ See below for the configuration options for Azure discovery:
 # The information to access the Azure API.
 # The Azure environment.
 [ environment: <string> | default = AzurePublicCloud ]
-# The subscription ID.
+
+# The authentication method, either OAuth or ManagedIdentity.
+# See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+[ authentication_method: <string> | default = OAuth]
+# The subscription ID. Always required.
 subscription_id: <string>
-# The tenant ID.
-tenant_id: <string>
-# The client ID.
-client_id: <string>
-# The client secret.
-client_secret: <secret>
+# Optional tenant ID. Only required with authentication_method OAuth.
+[ tenant_id: <string> ]
+# Optional client ID. Only required with authentication_method OAuth.
+[ client_id: <string> ]
+# Optional client secret. Only required with authentication_method OAuth.
+[ client_secret: <secret> ]
 
 # Refresh interval to re-read the instance list.
 [ refresh_interval: <duration> | default = 300s ]