docs: azure_blob: document OAuth authentication support by zshuang0316 · Pull Request #2535 · fluent/fluent-bit-docs

zshuang0316 · 2026-04-03T12:45:30Z

Add new auth_type values (managed_identity, service_principal, workload_identity) and their required configuration parameters (tenant_id, client_id, client_secret, workload_identity_token_file). Add OAuth authentication section with examples for each method.

Summary by CodeRabbit

Documentation
- Expanded Azure Blob authentication to include managed identity, service principal, and workload identity alongside existing key and SAS methods.
- Documented Azure AD credential parameters (client ID, client secret, tenant ID, workload identity token file path) and when each is required.
- Added an OAuth authentication section with example configuration snippets and guidance for all supported auth flows.

coderabbitai · 2026-04-03T12:45:44Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ff406af-aa22-4790-a832-c7a10ddfbde4

📥 Commits

Reviewing files that changed from the base of the PR and between a3b339b and 36b91f3.

📒 Files selected for processing (1)

pipeline/outputs/azure_blob.md

✅ Files skipped from review due to trivial changes (1)

pipeline/outputs/azure_blob.md

📝 Walkthrough

Walkthrough

Documentation for the Azure Blob output plugin adds OAuth-based auth modes (managed_identity, service_principal, workload_identity), new Azure AD config options (client_id, client_secret, tenant_id, workload_identity_token_file), and example Fluent Bit configs for those flows; key/sas docs unchanged.

Changes

Azure Blob Authentication Documentation

Layer / File(s)	Summary
OAuth auth types and config fields `pipeline/outputs/azure_blob.md`	Expanded `auth_type` to include `managed_identity`, `service_principal`, `workload_identity`; added Azure AD config keys (`client_id`, `client_secret`, `tenant_id`, `workload_identity_token_file`); added OAuth Authentication section with example `fluent-bit.yaml` and `fluent-bit.conf`. Existing `key`/`sas` docs retained.

Sequence Diagram(s)

sequenceDiagram
    participant FluentBit as Fluent Bit (client)
    participant AzureAD as Azure AD (token endpoint)
    participant Blob as Azure Blob Storage
    FluentBit->>AzureAD: Request token (service_principal / managed_identity / workload_identity)
    AzureAD-->>FluentBit: Return OAuth access_token
    FluentBit->>Blob: PUT/POST blob with Authorization: Bearer <token>
    Blob-->>FluentBit: 201/200 OK

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

docs: outputs: azure_blob: fix defaults, add missing params, fix key casing, fix typo #2414 — Modifies the same azure_blob docs and config keys; overlaps on Azure Blob configuration changes.

Suggested labels

5.0

Suggested reviewers

patrick-stephens
eschabell

Poem

🐰 I hopped through docs with cheer,

Tokens, clients now appear.
Managed, Principal, Workload too,
Fluent Bit speaks AD anew.
🥕📄

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: documenting OAuth authentication support for Azure Blob output plugin.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

eschabell

@zshuang0316 see comments inline on the files changed that need attention before review will pass.

eschabell · 2026-04-07T10:24:42Z


 If a chunk arrives with the tag `kube.var.log.containers.app-default`, this configuration creates blobs under `kube/app-default/2025/12/16/05/042/abcd1234/...`.

+## OAuth authentication


@zshuang0316 use backticks around OAuth to get past vale issues here.

eschabell · 2026-04-07T10:25:26Z


+## OAuth authentication
+
+In addition to shared key and SAS token authentication, the Azure Blob plugin supports Azure AD-based authentication using the following methods.


@zshuang0316 use backticks around SAS, Azure Blob, and Zaure AD to get past vale issues here.

eschabell · 2026-04-07T10:26:18Z

+
+### Workload identity
+
+Use [Azure Workload Identity](https://azure.github.io/azure-workload-identity/docs/) to exchange a Kubernetes-projected service account token for an Azure AD access token. This is the recommended approach for workloads running in AKS.


@zshuang0316 use backticks around Azure AD and AKS to get past vale issues here.

@zshuang0316 looks like you missed this vale issue?

Add new auth_type values (managed_identity, service_principal, workload_identity) and their required configuration parameters (tenant_id, client_id, client_secret, workload_identity_token_file). Add OAuth authentication section with examples for each method. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: zshuang0316 <zshuang0316@163.com>

zshuang0316 · 2026-04-08T09:30:43Z

@zshuang0316 see comments inline on the files changed that need attention before review will pass.

Thanks, updated.

eschabell

@zshuang0316 just one vale issue was missed in your last round of fixes, tackle this one and we're good to go. Thanks for the docs PR work!

eschabell · 2026-05-26T06:01:54Z

+
+### Workload identity
+
+Use [Azure Workload Identity](https://azure.github.io/azure-workload-identity/docs/) to exchange a Kubernetes-projected service account token for an Azure AD access token. This is the recommended approach for workloads running in AKS.


@zshuang0316 looks like you missed this vale issue?

Signed-off-by: zshuang0316 <zshuang0316@163.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

eschabell

@zshuang0316 fixed issues for you, now waiting on code PR merging.

zshuang0316 requested review from a team and eschabell as code owners April 3, 2026 12:45

zshuang0316 force-pushed the azure-blob-oauth-auth branch from e624619 to 05784fb Compare April 3, 2026 12:47

zshuang0316 mentioned this pull request Apr 3, 2026

output_azure: OAuth authentication support for Azure output plugins fluent/fluent-bit#11571

Open

5 tasks

eschabell self-assigned this Apr 7, 2026

eschabell added waiting-on-code-merge waiting-on-review Waiting on a review from mainteners labels Apr 7, 2026

eschabell requested changes Apr 7, 2026

View reviewed changes

zshuang0316 force-pushed the azure-blob-oauth-auth branch from 05784fb to a3b339b Compare April 7, 2026 15:58

eschabell self-requested a review May 26, 2026 06:00

eschabell requested changes May 26, 2026

View reviewed changes

eschabell added waiting-for-user Waiting for user/contributors feedback or requested changes lint-vale-issues and removed lint-vale-issues labels May 26, 2026

docs: azure_blob: wrap Azure AD and AKS in backticks for vale

36b91f3

Signed-off-by: zshuang0316 <zshuang0316@163.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

eschabell removed waiting-for-user Waiting for user/contributors feedback or requested changes waiting-on-review Waiting on a review from mainteners labels May 28, 2026

eschabell approved these changes May 28, 2026

View reviewed changes


		If a chunk arrives with the tag `kube.var.log.containers.app-default`, this configuration creates blobs under `kube/app-default/2025/12/16/05/042/abcd1234/...`.

		## OAuth authentication


		## OAuth authentication

		In addition to shared key and SAS token authentication, the Azure Blob plugin supports Azure AD-based authentication using the following methods.


		### Workload identity

		Use [Azure Workload Identity](https://azure.github.io/azure-workload-identity/docs/) to exchange a Kubernetes-projected service account token for an Azure AD access token. This is the recommended approach for workloads running in AKS.

Conversation

zshuang0316 commented Apr 3, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Possibly related PRs

Suggested labels

Suggested reviewers

Poem

Uh oh!

eschabell left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

eschabell Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

eschabell Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

eschabell Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

eschabell May 26, 2026

Choose a reason for hiding this comment

Uh oh!

zshuang0316 commented Apr 8, 2026

Uh oh!

eschabell left a comment

Choose a reason for hiding this comment

Uh oh!

eschabell May 26, 2026

Choose a reason for hiding this comment

Uh oh!

eschabell left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

zshuang0316 commented Apr 3, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Apr 3, 2026 •

edited

Loading