Managed Identity not supported

[vk0125]

Describe the bug
I used managed Identity to access storage account when cortex stores the data. Earlier I used, storage account access key, it worked very well. However, from security point of view, we decided to use managed Identity and for that I am getting errors as below:

Logs:
error loading config from /etc/cortex/cortex.yaml: Error parsing config file: yaml: unmarshal errors:
 line 15: field msi_resource not found in type azure.Config
 line 16: field user_assigned_id not found in type azure.Config

To Reproduce
Steps to reproduce the behavior:

1. Use Helm to start Cortex (version : 1.13.0)
2. Check Pod status
3. If pods are not running , Check logs

Expected behavior
With managed Identity , it should be able to access storage account.

Environment:

• Infrastructure: Kubernetes
• Deployment tool: helm
• User Managed Identity with "StorageAccountBlobContributor" access for the target Storage Account

Additional Context
Config in values-override.yaml

config:
  blocks_storage:
    backend: azure
    azure:
      account_name: StorageAccountName
      account_key: StorageAccountAccessKey
      msi_resource: StorageAcccountEndpointUrl
      user_assigned_id: ManagedIdentityClientId
      container_name: StorageAccountContainerName
      endpoint_suffix: "blob.core.windows.net"

Helm command used:

helm install -f values-override.yaml  \
  --set config.blocks_storage.azure.account_name="<StorageAccoutName>" \
  --set config.blocks_storage.azure.msi_resource="<StorageAccoutEndpointUrl>" \
  --set config.blocks_storage.azure.user_assigned_id="<ManagedIdentityClientId>" \
  --set config.blocks_storage.azure.container_name="<StorageAccoutContainerName>" \
  cortex . --namespace cortex --debug

Due to lack of documentation on Cortex, I found it difficult to know what exactly the msi_resouce value should be.
For msi_resource, I passed the endpoint url in this format: "https://StorageAccoutName.blob.core.windows.net"
Reference1: thanos-io/thanos#3957 (comment)
Reference2: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#azure-storage-resource-id

[alanprot]

Seems we have an open pr about this but maybe was abandoned ?
#4779

[vk0125]

Thanks @alanprot. I hope this issue will get cortex developers' attention.

[alanprot]

PRs are welcome as well :) if that pr has no activity feel free to pick it up :)

[jkroepke]

It's a bit sad, since the values are already documented. https://cortexmetrics.io/docs/configuration/configuration-file/#storage_config

---

Looks like it's already integration into cortex, but not released yet? #4818

[alanprot]

We will be releasing the next cortex version soon..

By any chance can you confirm if the version on master fix your problem? (you can find the latest images from master here: https://quay.io/repository/cortexproject/cortex?tab=tags (quay.io/cortexproject/cortex:master-250f7f3 as for the time of this comment)

[jkroepke]

Yes! I use it now together with https://learn.microsoft.com/en-us/azure/aks/workload-identity-migration-sidecar to have a secured credential-less environment. It works at least in my homelab.

https://github.com/jkroepke/homelab/blob/1e9463058f7c68ab9f7da136e1dad6eea871f68b/aks/argocd/cortex.yaml#L18 for some value examples.

[alanprot]

Nice!! So this should be included in the next release …

[stale]

This issue has been automatically marked as stale because it has not had any activity in the past 60 days. It will be closed in 15 days if no further activity occurs. Thank you for your contributions.

[friedrichg]

Fixed by #4818