
Barman Cloud and Azure Blob Storage authentication

Michael Wallace edited this page Dec 9, 2021 · 5 revisions

This is a short guide to authenticating Barman Cloud with Azure Blob Storage.

Authenticating via environment variables

Barman Cloud supports the following environment variables, which can be used to authenticate against Azure Blob Storage:

  • AZURE_STORAGE_CONNECTION_STRING: An Azure Storage connection string which contains either an access key or shared access signature token which grants access to the target container.
  • AZURE_STORAGE_SAS_TOKEN: An Azure Storage Shared Access Signature token. This can be at the storage container scope or higher.
  • AZURE_STORAGE_ACCESS_KEY: An Access Key for the Azure Storage account which owns the target container.

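The three variables above all carry a secret, so the practical question is how to get one of them into the environment of the barman-cloud process without leaving it in shell history, in a world-readable file or in the process command line. The following is an added example (not code from the Barman project) of a small POSIX sh wrapper that refuses to run unless exactly one of the three variables is set, checks that a credential file is owner-only before reading it, and exports the connection string in a subshell so it does not persist in the calling shell. The credential file path and the container URL in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Barman project: pick exactly one of the three
# Barman Cloud credential variables and keep the secret in an owner-only file
# rather than in shell history or on the command line.

# Print the name of the single credential variable that is set. Fails when
# none is set or when more than one is set, so a stale variable cannot win.
azure_cred_source() {
  found=""
  count=0
  for v in AZURE_STORAGE_CONNECTION_STRING AZURE_STORAGE_SAS_TOKEN AZURE_STORAGE_ACCESS_KEY; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      found="$v"
      count=$((count + 1))
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "no Azure Storage credential variable is set" >&2
    return 1
  fi
  if [ "$count" -gt 1 ]; then
    echo "more than one Azure Storage credential variable is set" >&2
    return 2
  fi
  echo "$found"
}

# Succeed only if the credential file is readable by its owner alone
# (mode 0400 or 0600). GNU stat first, BSD stat as a fallback.
cred_file_is_private() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null) || return 1
  case "$mode" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# Run a command with AZURE_STORAGE_CONNECTION_STRING loaded from a private
# file. The export happens in a subshell, so the secret is gone afterwards.
run_with_connection_string() {
  cred_file=$1
  shift
  cred_file_is_private "$cred_file" || {
    echo "$cred_file must be mode 0600 or 0400" >&2
    return 1
  }
  (
    AZURE_STORAGE_CONNECTION_STRING=$(cat "$cred_file")
    export AZURE_STORAGE_CONNECTION_STRING
    azure_cred_source >/dev/null || exit 1
    "$@"
  )
}

# Usage (not executed here); ~/.config/barman/azure-conn is a constructed path:
# run_with_connection_string ~/.config/barman/azure-conn \
#   barman-cloud-backup-list -q \
#   https://barmandev1.blob.core.windows.net/mike-barman-test/my-backups \
#   test-server --cloud-provider=azure-blob-storage
```

The "exactly one variable" rule is a deliberate choice: it makes a forgotten SAS token left over from a previous session fail loudly instead of being silently used in place of the connection string you intended.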
Authenticating via Azure Active Directory

Rather than require users to manage credentials directly, Barman Cloud is able to use Azure Active Directory to authenticate. This can be achieved in either of the following ways:

  1. Using an Active Directory user and logging in via the Azure CLI.
  2. Using managed identities.

Authenticating via the Azure CLI

As well as Barman Cloud and its Azure-specific dependencies (azure-blob-storage and azure-identity) you will also need the Azure CLI.

Log in using the Azure CLI by running the following command and following the instructions:

az login

Now run Barman Cloud and it will automatically find the token, for example:

$ barman-cloud-backup-list https://barmandev1.blob.core.windows.net/mike-barman-test/my-backups test-server --cloud-provider=azure-blob-storage
2021-11-18 18:47:22,495 [2992] WARNING: EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
2021-11-18 18:47:22,806 [2992] WARNING: ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
2021-11-18 18:47:22,806 [2992] WARNING: ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
2021-11-18 18:47:22,808 [2992] WARNING: SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
2021-11-18 18:47:22,826 [2992] WARNING: VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
Backup ID           End Time                 Begin Wal                     Archival Status 
20211118T132105     2021-11-18 13:21:14      000000020000000000000037

This works, although we can see there is a lot of log noise as the AzureDefaultCredential looks for valid credentials it can try. An additional problem not visible in the above example is that it takes at least 30 seconds for the authentication to complete.

We can improve on things in the future by patching Barman so it specifically uses AzureCliCredential instead of relying on AzureDefaultCredential; this resolves both the output noise and the latency. For now the noise can be suppressed with the -q flag, although there is no immediate workaround for the latency.

Authenticating using managed identities

Managed identities allow resources within Azure to authenticate against other Azure resources without the need for manual credential management. If Barman Cloud runs on a resource associated with a managed identity (for example a Virtual Machine or Container) and that managed identity has the necessary permissions to access the blob storage container, then Barman Cloud will be able to access the container.

This can be demonstrated using an Azure virtual machine as follows:

  1. Create an Azure virtual machine.
  2. Install Barman on the virtual machine using your preferred method.
  3. Install the Python libraries azure-blob-storage and azure-identity (these are not mandatory dependencies of Barman Cloud).
  4. Create a new managed identity in the Managed Identities section of the Azure portal.
  5. Find your Azure VM in the Azure portal and click on Settings/Identity.
  6. Click on User assigned, then + Add and find the managed identity you created in step 4.
  7. Now find the storage account which owns your target container in the Azure portal. At this point you have a choice in the permissions scope you grant to your managed identity: this could be at the storage account level or the container level. In either case you will need to click Access Control (IAM) in the portal and use Add role assignment to add the following roles to your managed identity:
     a. Contributor
     b. Reader
     c. Storage Data Contributor
  8. Go back to a shell in your VM and run Barman Cloud. It should now automatically authenticate using the managed identity.
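Steps 4 to 7 can also be done from the Azure CLI, which is easier to review and repeat than portal clicks. The script below is an added example and not part of the Barman project. It assumes an already authenticated `az login` session with rights to create identities and role assignments; the resource group, VM, storage account, container and identity names are constructed placeholders. The role names are taken from step 7 exactly as written on this page and should be checked against the role list shown in the portal before running. The `storage_scope` helper builds the ARM resource ID for either scope from step 7, so the same script can grant at the account level or narrow the grant to the one container Barman Cloud actually needs.

```shell
#!/bin/sh
# Added example, not from the Barman project: the portal steps above as Azure
# CLI commands. Requires an authenticated `az` session; all names are
# constructed placeholders.

# Build the ARM resource ID used as the --scope of a role assignment.
# With three arguments the scope is the whole storage account; with a
# fourth it narrows to a single blob container (the smaller grant).
storage_scope() {
  sub=$1; rg=$2; account=$3; container=${4:-}
  scope="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account"
  if [ -n "$container" ]; then
    scope="$scope/blobServices/default/containers/$container"
  fi
  echo "$scope"
}

# Create the identity, attach it to the VM and grant the roles from step 7.
# Not executed in this file: it needs the Azure CLI and a live subscription.
assign_barman_identity() {
  sub=$1; rg=$2; vm=$3; account=$4; container=${5:-}
  identity=barman-cloud-identity   # constructed identity name

  # Step 4: create a user-assigned managed identity.
  az identity create --resource-group "$rg" --name "$identity" >/dev/null
  identity_id=$(az identity show --resource-group "$rg" --name "$identity" --query id -o tsv)
  principal_id=$(az identity show --resource-group "$rg" --name "$identity" --query principalId -o tsv)

  # Steps 5 and 6: attach the identity to the VM.
  az vm identity assign --resource-group "$rg" --name "$vm" --identities "$identity_id" >/dev/null

  # Step 7: role assignments at the chosen scope. Role names as on this page;
  # verify them against the portal's role list before running.
  scope=$(storage_scope "$sub" "$rg" "$account" "$container")
  for role in "Contributor" "Reader" "Storage Data Contributor"; do
    az role assignment create \
      --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" \
      --scope "$scope" >/dev/null
  done
}

# Usage (not executed here), granting only on the my-backups container:
# assign_barman_identity 00000000-0000-0000-0000-000000000000 barman-rg barman-vm barmandev1 my-backups
```

Passing `--assignee-object-id` together with `--assignee-principal-type ServicePrincipal` avoids the directory lookup that a plain `--assignee` triggers, which matters right after creating the identity because the lookup can fail until replication completes.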

The output should look something like this:

$ barman-cloud-backup-list https://barmandev1.blob.core.windows.net/mike-barman-test/my-backups test-server --cloud-provider=azure-blob-storage
2021-11-18 16:37:25,855 [14273] WARNING: EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
Backup ID           End Time                 Begin Wal                     Archival Status
20211118T132105     2021-11-18 13:21:14      000000020000000000000037

There is less noise in the output than with the Active Directory user, although it is still not satisfactory. On the bright side, the latency issues experienced when using an Active Directory user did not manifest. Again, Barman can be patched in the future so that we specifically attempt to use ManagedIdentityCredential, and in the meantime the -q flag can be used.

Wrapping up

Active Directory authentication, either as a user or using a managed identity, works transparently in Barman Cloud as of the current release (2.17) though it is clearly not perfect.

A new option --credential has been merged in issue 396 which can be set to either azure-cli or managed-identity in order to use either the Azure CLI authentication or managed identity authentication respectively. This will be included in the 2.18 release of Barman.