out_azure_logs_ingestion: add support for Managed Identities

[stefanoboriero]

This change updates the documentation to document support for Managed Identities authentication. It tries to align with the documentation style and content for the similar feature for the out_azure_kusto plugin. The feature is implemented on PR fluent/fluent-bit#10867

Summary by CodeRabbit

• Documentation
  • Added an "Authentication methods" section covering Service Principal and Managed Identity workflows.
  • Inserted a dedicated Service Principal subsection and clarified configuration defaults (compress now defaults to true).
  • Added complete example configurations for user-assigned and system-assigned managed identities in supported formats.

[esmerel]

Stylistic updates for consistency. @fluent/fluent-bit-maintainers should review for technical accuracy.

[esmerel]

Stylistic updates for consistency. @fluent/fluent-bit-maintainers should review for technical accuracy.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3b802aae-57f8-4d00-9137-6d3fd44121db

📥 Commits

Reviewing files that changed from the base of the PR and between e319101 and d85fdf8.

📒 Files selected for processing (1)

• pipeline/outputs/azure_logs_ingestion.md

🚧 Files skipped from review as they are similar to previous changes (1)

• pipeline/outputs/azure_logs_ingestion.md

---

📝 Walkthrough

Walkthrough

The PR updates pipeline/outputs/azure_logs_ingestion.md to document authentication methods (Service Principal and Managed Identity), changes the compress parameter default to true, and adds user-assigned and system-assigned Managed Identity examples in YAML and .conf formats.

Changes

Azure Logs Ingestion Authentication Documentation

Layer / File(s)	Summary
Authentication methods overview and parameter updates pipeline/outputs/azure_logs_ingestion.md	New "Authentication Methods" section introduced describing Service Principal (default) and Managed Identity options; configuration parameters table updated with compress default changed to true.
Service Principal authentication (default) pipeline/outputs/azure_logs_ingestion.md	Inserted a "Service principal authentication" subheading to introduce the default authentication configuration examples.
Managed Identity authentication examples pipeline/outputs/azure_logs_ingestion.md	Added user-assigned and system-assigned Managed Identity documentation with Fluent Bit YAML and .conf examples setting auth_type: managed_identity and correct client_id values; examples show compress: true.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Add Managed Identity (MSI) support for Azure Logs Ingestion output plugin fluent-bit#10777 — Documents auth_type: managed_identity and managed identity examples which match requested MSI/auth_type support.

Possibly related PRs

• fluent/fluent-bit-docs#2413 — Edits to azure_logs_ingestion documentation overlapping on compress default and auth configuration examples.

Suggested labels

5.0

Suggested reviewers

• cosmo0920
• patrick-stephens

Poem

🐰 I hopped through docs with a nibble and grin,
Service principals and identities within,
YAML and .conf now sing in tune,
Compress set true beneath the moon,
Logs hop home safe by morning's brim.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'out_azure_logs_ingestion: add support for Managed Identities' accurately summarizes the main change - adding Managed Identities authentication support to the Azure Logs Ingestion documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pipeline/outputs/azure_logs_ingestion.md (1)

47-61: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add missing auth_type parameter to the configuration table.

The configuration examples use auth_type: managed_identity (lines 193, 232, 275, 314), but this parameter is not documented in the configuration parameters table.

➕ Proposed addition

Add this row to the configuration parameters table after line 51:

| `auth_type` | Set the authentication type: `service_principal` or `managed_identity`. | `service_principal` |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipeline/outputs/azure_logs_ingestion.md` around lines 47 - 61, Add the
missing configuration parameter `auth_type` to the parameters table (the table
that lists `auth_url`, `client_id`, etc.) so it documents the authentication
mode used in examples; include the allowed values (`service_principal` or
`managed_identity`) and set the default to `service_principal`, and place this
row near the other authentication fields (e.g., after `tenant_id` or
`time_generated`) so readers can find it alongside `client_id`, `client_secret`,
and `tenant_id`.

♻️ Duplicate comments (1)

pipeline/outputs/azure_logs_ingestion.md (1)

52-52: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update client_id description to include managed identity usage.

The parameter description should mention that client_id is used differently depending on the authentication type. For managed identity, it should be system for system-assigned identity or the managed identity's client ID (GUID) for user-assigned identity.

📝 Proposed fix

-| `client_id` | The client ID of the AAD application. | _none_ |
+| `client_id` | The client ID of the AAD application. When using managed identity authentication, set this to `system` for system-assigned identity or provide the managed identity's client ID (GUID). Required for `service_principal` and `managed_identity` auth. | _none_ |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipeline/outputs/azure_logs_ingestion.md` at line 52, Update the `client_id`
parameter description to explain its behavior for managed identities: state that
when using managed identity authentication `client_id` should be "system" for
system-assigned identity or the user-assigned managed identity's client ID
(GUID); keep the existing meaning for service principal/OAuth scenarios (the AAD
application/client ID) and clarify which auth type each value corresponds to so
readers know when to use "system" vs a GUID vs the regular client ID.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pipeline/outputs/azure_logs_ingestion.md`:
- Line 42: The current bullet links to Kusto (Azure Data Explorer) managed
identity docs; replace that URL/text with the Log Analytics / Data Collection
Rule (DCR) managed identity documentation and update the link text to instruct
assigning the managed identity permissions to the Data Collection Rule (DCR) for
Azure Monitor Logs ingestion (i.e., swap the Kusto URL and "Kusto database"
wording with the Log Analytics/DCR managed identity docs and "Data Collection
Rule" wording).
- Line 34: The markdown link "[Authorize the app in your database]" points to
Kusto auth docs but should reference Azure Log Analytics/Data Collection Rule
permissions for the Logs Ingestion API; update the link in
azure_logs_ingestion.md to a document about granting permissions to a Data
Collection Rule and the Logs Ingestion API (replace the Kusto link with the Log
Analytics/DCR docs so users are guided to grant DCR ingestion permissions rather
than Kusto DB permissions).
- Around line 313-314: Update the fluent-bit .conf example to use Title_Case for
plugin keys: replace occurrences of "client_id" and "auth_type" with "Client_Id"
and "Auth_Type" respectively (and scan the same .conf block for other lowercase
plugin-specific keys and convert them to Title_Case) so the .conf examples
follow the classic fluent-bit .conf convention while leaving YAML examples
untouched.

---

Outside diff comments:
In `@pipeline/outputs/azure_logs_ingestion.md`:
- Around line 47-61: Add the missing configuration parameter `auth_type` to the
parameters table (the table that lists `auth_url`, `client_id`, etc.) so it
documents the authentication mode used in examples; include the allowed values
(`service_principal` or `managed_identity`) and set the default to
`service_principal`, and place this row near the other authentication fields
(e.g., after `tenant_id` or `time_generated`) so readers can find it alongside
`client_id`, `client_secret`, and `tenant_id`.

---

Duplicate comments:
In `@pipeline/outputs/azure_logs_ingestion.md`:
- Line 52: Update the `client_id` parameter description to explain its behavior
for managed identities: state that when using managed identity authentication
`client_id` should be "system" for system-assigned identity or the user-assigned
managed identity's client ID (GUID); keep the existing meaning for service
principal/OAuth scenarios (the AAD application/client ID) and clarify which auth
type each value corresponds to so readers know when to use "system" vs a GUID vs
the regular client ID.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d07ca1cb-d693-437b-a753-ac488dd93117

📥 Commits

Reviewing files that changed from the base of the PR and between 6b742a6 and c7bf5b0.

📒 Files selected for processing (1)

• pipeline/outputs/azure_logs_ingestion.md

[eschabell]

@stefanoboriero thanks so much for the docs PR, just a few trivial vale issues I tagged that need your attention. Update these and tag me to re-review.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

pipeline/outputs/azure_logs_ingestion.md (3)

49-61: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add missing auth_type parameter to configuration table.

The new authentication examples use auth_type: managed_identity, but this parameter is not documented in the configuration parameters table. Users need to know the available values and default.

📝 Proposed addition

Add this row after the auth_url row:

| `auth_type` | The authentication method: `service_principal` or `managed_identity`. | `service_principal` |

Based on learnings: The azure_kusto plugin documents auth_type with values including service_principal, managed_identity, and workload_identity, with service_principal as default.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipeline/outputs/azure_logs_ingestion.md` around lines 49 - 61, The config
table is missing the auth_type parameter used by the examples; add a new row for
`auth_type` (placed after `auth_url`) describing allowed values and default,
e.g. "The authentication method: `service_principal`, `managed_identity`, or
`workload_identity`" with default `service_principal`, mirroring how `auth_type`
is documented in the azure_kusto plugin; update the Parameters table entries
(`auth_url`, `auth_type`) so the examples using `auth_type: managed_identity`
are covered.

---

52-52: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update client_id description to document managed identity usage.

The current description only mentions "The client ID of the AAD application," but doesn't explain that for managed identity authentication, this field has special semantics: system for system-assigned identity or the managed identity's client ID (GUID) for user-assigned identity.

📝 Proposed fix

-| `client_id` | The client ID of the AAD application. | _none_ |
+| `client_id` | The client ID of the AAD application. When using managed identity authentication, set this to `system` for system-assigned identity or provide the managed identity's client ID (GUID) for user-assigned identity. | _none_ |

Based on learnings: The azure_kusto plugin documents client_id with similar semantics for managed identity: "use system as client_id for system-assigned identity, or specify the managed identity's client ID."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipeline/outputs/azure_logs_ingestion.md` at line 52, Update the `client_id`
description to document managed identity semantics: state that `client_id` can
be "system" to use the system-assigned managed identity or the specific managed
identity's client ID (GUID) for a user-assigned identity, mirroring the
azure_kusto plugin wording; edit the line defining `client_id` in
pipeline/outputs/azure_logs_ingestion.md so the description clearly mentions
these two modes and the expected values ("system" or the managed identity GUID).

---

231-237: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use Title_Case for plugin keys in .conf format.

The .conf format should use Title_Case for plugin-specific keys. Lines 231-237 use lowercase client_id, auth_type, dce_url, dcr_id, table_name, time_generated, and time_key, but these should be Title_Case.

🔧 Proposed fix

-  client_id       XXXXXXXX-xxxx-yyyy-zzzz-xxxxyyyyzzzzxyzz
-  auth_type       managed_identity
-  dce_url         https://log-analytics-dce-XXXX.region-code.ingest.monitor.azure.com
-  dcr_id          dcr-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  table_name      ladcr_CL
-  time_generated  true
-  time_key        Time
+  Client_Id       XXXXXXXX-xxxx-yyyy-zzzz-xxxxyyyyzzzzxyzz
+  Auth_Type       managed_identity
+  Dce_Url         https://log-analytics-dce-XXXX.region-code.ingest.monitor.azure.com
+  Dcr_Id          dcr-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+  Table_Name      ladcr_CL
+  Time_Generated  true
+  Time_Key        Time

Based on learnings: classic fluent-bit.conf examples use Title_Case for plugin-specific keys (e.g., Client_Id, Auth_Type), while YAML fluent-bit.yaml examples use snake_case lowercase keys (e.g., client_id, auth_type).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipeline/outputs/azure_logs_ingestion.md` around lines 231 - 237, The plugin
keys in the .conf snippet are using snake_case but must be Title_Case for
fluent-bit .conf files; update each key shown (client_id, auth_type, dce_url,
dcr_id, table_name, time_generated, time_key) to Title_Case (e.g., Client_Id,
Auth_Type, Dce_Url, Dcr_Id, Table_Name, Time_Generated, Time_Key) so the
plugin-specific keys follow the .conf convention.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pipeline/outputs/azure_logs_ingestion.md`:
- Line 30: Fix the typo in the documentation sentence that reads "Service
principal authentication is the default method. To use it, you mst create an
Azure AD application:" by changing "mst" to "must" so the sentence becomes "To
use it, you must create an Azure AD application:"; update the text in
pipeline/outputs/azure_logs_ingestion.md where this exact phrase occurs.

---

Outside diff comments:
In `@pipeline/outputs/azure_logs_ingestion.md`:
- Around line 49-61: The config table is missing the auth_type parameter used by
the examples; add a new row for `auth_type` (placed after `auth_url`) describing
allowed values and default, e.g. "The authentication method:
`service_principal`, `managed_identity`, or `workload_identity`" with default
`service_principal`, mirroring how `auth_type` is documented in the azure_kusto
plugin; update the Parameters table entries (`auth_url`, `auth_type`) so the
examples using `auth_type: managed_identity` are covered.
- Line 52: Update the `client_id` description to document managed identity
semantics: state that `client_id` can be "system" to use the system-assigned
managed identity or the specific managed identity's client ID (GUID) for a
user-assigned identity, mirroring the azure_kusto plugin wording; edit the line
defining `client_id` in pipeline/outputs/azure_logs_ingestion.md so the
description clearly mentions these two modes and the expected values ("system"
or the managed identity GUID).
- Around line 231-237: The plugin keys in the .conf snippet are using snake_case
but must be Title_Case for fluent-bit .conf files; update each key shown
(client_id, auth_type, dce_url, dcr_id, table_name, time_generated, time_key) to
Title_Case (e.g., Client_Id, Auth_Type, Dce_Url, Dcr_Id, Table_Name,
Time_Generated, Time_Key) so the plugin-specific keys follow the .conf
convention.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7c456c98-4836-4328-b059-b8478f5adc2b

📥 Commits

Reviewing files that changed from the base of the PR and between c7bf5b0 and e319101.

📒 Files selected for processing (1)

• pipeline/outputs/azure_logs_ingestion.md

[eschabell]

@stefanoboriero pushed fixes for all the vale and AI review issues.

[eschabell]

@stefanoboriero just waiting now on code PR merging.