mozilla / sccache

Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache can keep its cache in remote storage (several cloud storage backends are supported) or in local storage.
Apache License 2.0

Azure Active Directory authentication support #1118

Open FooBarWidget opened 2 years ago

FooBarWidget commented 2 years ago

The Azure storage support currently only supports authenticating with shared keys. Sccache should also support Azure Active Directory authentication, in order to support storage accounts that disable shared key authentication.

indygreg commented 2 years ago

I was looking into using Azure blob storage with sccache and wanted to call out that the current method of using shared access keys (as opposed to Azure Active Directory) for authentication is a security issue.

My understanding is shared access keys effectively give you full access to the Azure Storage Account. In AWS parlance it would be granting all permissions on an S3 bucket (and more services since an Azure Storage Account also allows you to do e.g. SMB file shares). Microsoft's docs (e.g. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal) strongly advise against using shared access keys because they are so widely scoped.

In order to achieve the principle of least privilege and minimize risk to the storage account if the credentials are compromised, Active Directory authentication must be used.
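Two checks a defender would want around the point made above, as an added example (this is not sccache's or opendal's code): first, whether a configured Azure Storage connection string, the `Key=Value;...` format that `SCCACHE_AZURE_CONNECTION_STRING` takes, embeds an `AccountKey` and therefore an account-wide shared key; second, which storage accounts in an `az storage account list` export still permit shared-key authentication at all. The JSON field name `allowSharedKeyAccess` and its default-to-allowed behaviour when unset are assumptions about the Azure CLI output, and the connection string and account list are constructed sample data.

```python
"""Audit helpers for the shared-key vs Azure AD concern (added example)."""
import json

# Constructed sample: the shape of a connection string that embeds an
# account-wide shared key. The key value is a placeholder, not a real key.
SAMPLE_CONNECTION_STRING = (
    "DefaultEndpointsProtocol=https;AccountName=examplecache;"
    "AccountKey=AAAAexamplekeyAAAA==;EndpointSuffix=core.windows.net"
)

# Constructed sample of `az storage account list` output, reduced to the
# fields this check needs. allowSharedKeyAccess is assumed to be the CLI's
# field name; a null value is treated as "allowed" (the Azure default).
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "cachelegacy", "allowSharedKeyAccess": null},
  {"name": "cachelocked", "allowSharedKeyAccess": false},
  {"name": "cacheopen",   "allowSharedKeyAccess": true}
]"""


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.

    Values can themselves contain '=' (base64 keys end in '=='), so each
    segment is split on its first '=' only.
    """
    parts = {}
    for segment in cs.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        parts[key.strip()] = value
    return parts


def uses_shared_key(cs: str) -> bool:
    """True when the connection string carries a non-empty AccountKey."""
    return bool(parse_connection_string(cs).get("AccountKey"))


def redact_connection_string(cs: str) -> str:
    """Return the connection string with the AccountKey value masked, so it
    can be logged or shown in a finding without leaking the key."""
    redacted = []
    for segment in cs.split(";"):
        key, sep, _ = segment.partition("=")
        if sep and key.strip() == "AccountKey":
            redacted.append(f"{key}=<redacted>")
        else:
            redacted.append(segment)
    return ";".join(redacted)


def find_shared_key_accounts(accounts: list) -> list:
    """Names of accounts where shared-key auth is still permitted.

    Only an explicit false disables it; true or a missing/null field means
    shared keys still work, so those accounts are reported.
    """
    return [a["name"] for a in accounts if a.get("allowSharedKeyAccess") is not False]


if __name__ == "__main__":
    if uses_shared_key(SAMPLE_CONNECTION_STRING):
        print("connection string uses a shared key:",
              redact_connection_string(SAMPLE_CONNECTION_STRING))
    for name in find_shared_key_accounts(json.loads(SAMPLE_ACCOUNTS_JSON)):
        print("shared-key access still allowed on storage account:", name)
```

Accounts reported by `find_shared_key_accounts` are the ones where a leaked sccache connection string would still grant full account access; once clients authenticate with Azure AD, disabling shared-key access on the account removes that exposure entirely.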

sylvestre commented 4 months ago

@Xuanwo is that something we get from opendal now?

Xuanwo commented 4 months ago

> @Xuanwo is that something we get from opendal now?

I never tested this. Let me check it out.