Closed alexey-ban closed 1 year ago
Not related to your problem but:
url: Url {
scheme: "https",
cannot_be_a_base: false,
username: "",
password: None,
host: Some(
I do not like logging sensitive information like passwords even in debug
mode. I am curious - could we do something about that?
Hmm, I think that might be coming from the upstream azure crate:
2023-05-12T10:14:04.704779Z DEBUG azure_core::policies::transport: the following request will be passed to the transport policy: Request {
Hey @alexey-ban. I'm facing the same problem here. If I use connection_string, it works. Did you manage to resolve this, or did Vector really not work with azure-workload-identity?
Hi @fernandowiek. Unfortunately no. Looks like Vector didn't work with azure-workload-identity.
@alexey-ban I tried to use the workload-identity sidecar (https://learn.microsoft.com/en-us/azure/aks/workload-identity-migrate-from-pod-identity#deploy-the-workload-with-migration-sidecar) along with Vector, but it's still not working. I received the message: "Healthcheck failed." error=failed to get bearer token component_kind="sink" component_type="azure_blob"
2023-07-12T22:13:54.617697Z INFO vector::app: Log level is enabled. level="vector=info,codec=info,vrl=info,file_source=info,tower_limit=trace,rdkafka=info,buffers=info,lapin=info,kube=info"
2023-07-12T22:13:54.618435Z INFO vector::app: Loading configs. paths=["/etc/vector"]
2023-07-12T22:13:54.624925Z INFO source{component_kind="source" component_id=kube_log component_type=kubernetes_logs component_name=kube_log}: vector::sources::kubernetes_logs: Obtained Kubernetes Node name to collect logs for (self). self_node_name="aks-default-"
2023-07-12T22:13:54.632052Z INFO source{component_kind="source" component_id=kube_log component_type=kubernetes_logs component_name=kube_log}: vector::sources::kubernetes_logs: Excluding matching files. exclude_paths=["**/*.gz", "**/*.tmp"]
2023-07-12T22:13:54.656506Z INFO vector::topology::running: Running healthchecks.
2023-07-12T22:13:54.656776Z INFO vector: Vector has started. debug="false" version="0.29.1" arch="x86_64" revision="74ae15e 2023-04-20 14:50:42.739094536"
2023-07-12T22:13:54.656857Z INFO vector::app: API is disabled, enable by setting `api.enabled` to `true` and use commands like `vector top`.
2023-07-12T22:13:54.659534Z INFO source{component_kind="source" component_id=kube_log component_type=kubernetes_logs component_name=kube_log}:file_server: file_source::checkpointer: Loaded checkpoint data.
2023-07-12T22:13:54.659550Z ERROR vector::topology::builder: msg="Healthcheck failed." error=failed to get bearer token component_kind="sink" component_type="azure_blob" component_id=azure_blob component_name=azure_blob
@jszwedko It would be great if this functionality were in Vector's backlog.
Good news @alexey-ban! Using the workload-identity sidecar and disabling the healthcheck on the sink configuration, data is being written to the azure storage container. However, I'm getting a lot of WARN messages that, at least for now, are not causing issues:
2023-07-13T21:35:48.784252Z WARN source{component_kind="source" component_id=kube_log component_type=kubernetes_logs component_name=kube_log}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/0.log
2023-07-13T21:44:32.327262Z WARN vector::kubernetes::reflector: Watcher Stream received an error. Retrying. error=WatchFailed(ReadEvents(Custom { kind: Other, error: hyper::Error(Body, hyper::Error(Body, Kind(TimedOut))) }))
2023-07-13T21:59:07.661201Z WARN vector::kubernetes::reflector: Watcher Stream received an error. Retrying. error=WatchFailed(ReadEvents(Custom { kind: Other, error: hyper::Error(Body, hyper::Error(Body, Kind(TimedOut))) }))
2023-07-13T22:08:24.987531Z WARN vector::kubernetes::reflector: Watcher Stream received an error. Retrying. error=WatchFailed(ReadEvents(Custom { kind: Other, error: hyper::Error(Body, hyper::Error(Body, Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" })) }))
2023-07-13T22:13:20.990182Z WARN vector::kubernetes::reflector: Watcher Stream received an error. Retrying. error=WatchFailed(ReadEvents(Custom { kind: Other, error: hyper::Error(Body, hyper::Error(Body, Kind(TimedOut))) }))
Can Azure workload identity support be implemented natively? The sidecar approach is recommended not to be used in a production setup:
Note
The migration sidecar is not supported for production use. This feature is meant to give you time to migrate your application SDK's to a supported version, and not meant or intended to be a long-term solution.
https://learn.microsoft.com/en-us/azure/aks/workload-identity-migrate-from-pod-identity
So far the sidecar approach has worked for us, but we would very much prefer to use a native capability within Vector to be able to use workload identity.
Support for azure workload identity was only recently added to the upstream crate (PR). This will be included in the next version of Vector and should work then.
Please re-open this ticket if it still does not work in the next Vector release (v0.33.0).
A note for the community
Problem
Azure blob sink don't work with azure-workload-identity
Configuration
Version
0.29.1
Debug Output
Example Data
No response
Additional Context
The Vector agent runs as a sidecar and tries to use the Azure workload identity auth model.
Some env in the pod for auth:
~ # env | grep AZURE_
AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=###DEL_CRED###
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=###DEL_CRED###
P.S. This identity has the "Contributor" role and was tested via the Python library.
References
No response
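Two things in this thread are worth seeing in code: which of the `AZURE_*` variables from the issue's `env` output the workload-identity token exchange actually consumes (the "failed to get bearer token" healthcheck error hides which one is missing), and how a `Debug` implementation can keep the credential out of debug logs, which is the concern raised in the first comment. The block below is an added example written for this page; it is not code from Vector or from the `azure_core`/`azure_identity` crates. It uses only the Rust standard library, builds the OAuth2 client-credentials request that AKS workload identity relies on (the projected service-account JWT is sent as `client_assertion`), and leaves the actual HTTP POST to the caller. The sample tenant/client IDs and the fake JWT in `main` are constructed placeholders, not real credentials; the struct and function names are my own.

```rust
// Added example (std-only Rust, not Vector's or the azure crates' code).
// Builds the token request AKS workload identity uses and shows a Debug impl
// that redacts the federated credential.
use std::env;
use std::fmt;
use std::fs;

/// Values AKS workload identity injects into the pod. The variable names are
/// the ones shown in the issue's `env | grep AZURE_` output.
#[derive(Clone, Debug)]
pub struct WorkloadIdentityEnv {
    pub authority_host: String,
    pub tenant_id: String,
    pub client_id: String,
    pub federated_token_file: String,
}

impl WorkloadIdentityEnv {
    /// Read the four variables and report exactly which one is missing
    /// instead of a bare "failed to get bearer token".
    pub fn from_env() -> Result<Self, String> {
        let get = |k: &str| env::var(k).map_err(|_| format!("missing env var {k}"));
        Ok(Self {
            authority_host: get("AZURE_AUTHORITY_HOST")?,
            tenant_id: get("AZURE_TENANT_ID")?,
            client_id: get("AZURE_CLIENT_ID")?,
            federated_token_file: get("AZURE_FEDERATED_TOKEN_FILE")?,
        })
    }

    /// Read the projected service-account JWT and turn it into a token request.
    /// Network I/O is deliberately left to the caller.
    pub fn token_request(&self, scope: &str) -> std::io::Result<TokenRequest> {
        let assertion = fs::read_to_string(&self.federated_token_file)?;
        Ok(TokenRequest::new(self, scope, assertion.trim().to_string()))
    }
}

/// A fully formed token request. `client_assertion` is a bearer credential,
/// so the Debug impl below never prints it.
pub struct TokenRequest {
    pub url: String,
    pub client_id: String,
    pub scope: String,
    client_assertion: String,
}

impl TokenRequest {
    pub fn new(cfg: &WorkloadIdentityEnv, scope: &str, client_assertion: String) -> Self {
        let host = cfg.authority_host.trim_end_matches('/');
        Self {
            url: format!("{host}/{}/oauth2/v2.0/token", cfg.tenant_id),
            client_id: cfg.client_id.clone(),
            scope: scope.to_string(),
            client_assertion,
        }
    }

    /// application/x-www-form-urlencoded body for the POST to `url`.
    pub fn form_body(&self) -> String {
        let fields = [
            ("grant_type", "client_credentials"),
            ("client_id", self.client_id.as_str()),
            ("scope", self.scope.as_str()),
            ("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
            ("client_assertion", self.client_assertion.as_str()),
        ];
        fields
            .iter()
            .map(|(k, v)| format!("{}={}", form_encode(k), form_encode(v)))
            .collect::<Vec<_>>()
            .join("&")
    }
}

/// Placeholder printed in place of a secret; only its length is disclosed.
struct Redacted(usize);

impl fmt::Debug for Redacted {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "<redacted, {} bytes>", self.0)
    }
}

impl fmt::Debug for TokenRequest {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("TokenRequest")
            .field("url", &self.url)
            .field("client_id", &self.client_id)
            .field("scope", &self.scope)
            .field("client_assertion", &Redacted(self.client_assertion.len()))
            .finish()
    }
}

/// Percent-encode one form value: unreserved bytes pass through, space becomes '+'.
pub fn form_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

fn main() {
    // Constructed sample values, not real credentials; a real pod reads them via from_env().
    let cfg = WorkloadIdentityEnv {
        authority_host: "https://login.microsoftonline.com/".into(),
        tenant_id: "00000000-0000-0000-0000-000000000000".into(),
        client_id: "11111111-1111-1111-1111-111111111111".into(),
        federated_token_file: "/var/run/secrets/azure/tokens/azure-identity-token".into(),
    };
    let req = TokenRequest::new(&cfg, "https://storage.azure.com/.default", "header.payload.sig".into());
    println!("{req:#?}"); // client_assertion shows as <redacted, 18 bytes>
    println!("POST {}\n{}", req.url, req.form_body());
}
```

The scope for the blob sink is `https://storage.azure.com/.default`; the access token in the JSON response is what the sink must send as its bearer token. Keeping the secret field private and giving the request type a hand-written `Debug` is the same pattern as the `secrecy`-style wrappers: a `DEBUG` line that prints the whole request, like the `azure_core` transport-policy line quoted earlier in the thread, then leaks nothing.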