open-telemetry · atoulme · May 14, 2025 · Apr 25, 2025 · Apr 25, 2025 · Apr 25, 2025
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: azuremonitorreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for azureauthextension as a token provider for azuremonitorreceiver.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [39048]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
@@ -23,7 +23,8 @@ The following settings are required:
 
 The following settings are optional:
 
-- `credentials` (default = service_principal): Specifies the used authentication method. Supported values are `service_principal`, `workload_identity`, `managed_identity`, `default_credentials`.
+- `auth.authenticator`: Specifies the component ID to use to authenticate requests to Azure API. Use [azureauth extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/azureauthextension).
+- (Deprecated, use `auth` instead) `credentials` (default = service_principal): Specifies the used authentication method. Supported values are `service_principal`, `workload_identity`, `managed_identity`, `default_credentials`.
 - `resource_groups` (default = none): Filter metrics for specific resource groups, not setting a value will scrape metrics for all resources in the subscription.
 - `services` (default = none): Filter metrics for specific services, not setting a value will scrape metrics for all services integrated with Azure Monitor.
 - `metrics` (default = none): Filter metrics by name and aggregations. Not setting a value will scrape all metrics and their aggregations.
@@ -147,6 +148,21 @@ receivers:
     credentials: "default_credentials"
 ```
 
+[Using `azureauthextension`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/azureauthextension#azure-authenticator-extension) for authentication:
+
+```yaml
+receivers:
+  azuremonitor:
+    subscription_ids: ["${subscription_id}"]
+    auth:
+      authenticator: azureauth
+
+extensions:
+  azureauth:
+    managed_identity:
+      client_id: ${client_id}
+```
+
 Overriding dimensions for a particular metric:
 
 ```yaml

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 
+	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/scraper/scraperhelper"
 	"go.uber.org/multierr"
 
@@ -242,11 +243,7 @@ type Config struct {
 	Cloud                             string                        `mapstructure:"cloud"`
 	SubscriptionIDs                   []string                      `mapstructure:"subscription_ids"`
 	DiscoverSubscriptions             bool                          `mapstructure:"discover_subscriptions"`
-	Credentials                       string                        `mapstructure:"credentials"`
 	TenantID                          string                        `mapstructure:"tenant_id"`
-	ClientID                          string                        `mapstructure:"client_id"`
-	ClientSecret                      string                        `mapstructure:"client_secret"`
-	FederatedTokenFile                string                        `mapstructure:"federated_token_file"`
 	ResourceGroups                    []string                      `mapstructure:"resource_groups"`
 	Services                          []string                      `mapstructure:"services"`
 	Metrics                           NestedListAlias               `mapstructure:"metrics"`
@@ -257,6 +254,25 @@ type Config struct {
 	AppendTagsAsAttributes            bool                          `mapstructure:"append_tags_as_attributes"`
 	UseBatchAPI                       bool                          `mapstructure:"use_batch_api"`
 	Dimensions                        DimensionsConfig              `mapstructure:"dimensions"`
+
+	// Authentication accepts the component azureauthextension,
+	// and uses it to get an access token to make requests.
+	// Using this, `credentials` and any related fields become
+	// useless.
+	Authentication *AuthConfig `mapstructure:"auth"`
+
+	// Credentials is deprecated.
+	Credentials        string `mapstructure:"credentials"`
+	ClientID           string `mapstructure:"client_id"`
+	ClientSecret       string `mapstructure:"client_secret"`
+	FederatedTokenFile string `mapstructure:"federated_token_file"`
+}
+
+// AuthConfig defines the auth settings for the azure receiver.
+type AuthConfig struct {
+	// AuthenticatorID specifies the name of the azure extension to authenticate the
+	// requests to azure monitor.
+	AuthenticatorID component.ID `mapstructure:"authenticator,omitempty"`
 }
 
 const (
@@ -272,36 +288,39 @@ func (c Config) Validate() (err error) {
 		err = multierr.Append(err, errMissingSubscriptionIDs)
 	}
 
-	switch c.Credentials {
-	case servicePrincipal:
-		if c.TenantID == "" {
-			err = multierr.Append(err, errMissingTenantID)
-		}
+	if c.Authentication == nil {
+		// only matters if there is no auth specified
+		switch c.Credentials {
+		case servicePrincipal:
+			if c.TenantID == "" {
+				err = multierr.Append(err, errMissingTenantID)
+			}
 
-		if c.ClientID == "" {
-			err = multierr.Append(err, errMissingClientID)
-		}
+			if c.ClientID == "" {
+				err = multierr.Append(err, errMissingClientID)
+			}
 
-		if c.ClientSecret == "" {
-			err = multierr.Append(err, errMissingClientSecret)
-		}
-	case workloadIdentity:
-		if c.TenantID == "" {
-			err = multierr.Append(err, errMissingTenantID)
-		}
+			if c.ClientSecret == "" {
+				err = multierr.Append(err, errMissingClientSecret)
+			}
+		case workloadIdentity:
+			if c.TenantID == "" {
+				err = multierr.Append(err, errMissingTenantID)
+			}
 
-		if c.ClientID == "" {
-			err = multierr.Append(err, errMissingClientID)
-		}
+			if c.ClientID == "" {
+				err = multierr.Append(err, errMissingClientID)
+			}
 
-		if c.FederatedTokenFile == "" {
-			err = multierr.Append(err, errMissingFedTokenFile)
-		}
+			if c.FederatedTokenFile == "" {
+				err = multierr.Append(err, errMissingFedTokenFile)
+			}
 
-	case managedIdentity:
-	case defaultCredentials:
-	default:
-		return fmt.Errorf("credentials %v is not supported. supported authentications include [%v,%v,%v,%v]", c.Credentials, servicePrincipal, workloadIdentity, managedIdentity, defaultCredentials)
+		case managedIdentity:
+		case defaultCredentials:
+		default:
+			return fmt.Errorf("credentials %q is not supported. supported authentications include [%v,%v,%v,%v]", c.Credentials, servicePrincipal, workloadIdentity, managedIdentity, defaultCredentials)
+		}
 	}
 
 	if c.Cloud != azureCloud && c.Cloud != azureGovernmentCloud && c.Cloud != azureChinaCloud {

@@ -0,0 +1,132 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package azuremonitorreceiver
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/confmap/confmaptest"
+	"go.opentelemetry.io/collector/confmap/xconfmap"
+
+	"github.com/open-telemetry/opentelemetry-collector-contrib/receiver/azuremonitorreceiver/internal/metadata"
+)
+
+func TestLoadConfig(t *testing.T) {
+	t.Parallel()
+
+	cm, err := confmaptest.LoadConf(filepath.Join("testdata", "config.yaml"))
+	require.NoError(t, err)
+
+	tests := []struct {
+		id          component.ID
+		expected    component.Config
+		expectedErr string
+	}{
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_subscription_ids"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.SubscriptionIDs = []string{"test"}
+				cfg.Credentials = defaultCredentials
+				return cfg
+			}(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_discover_subscription"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Credentials = defaultCredentials
+				return cfg
+			}(),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missing_subscription"),
+			expectedErr: errMissingSubscriptionIDs.Error(),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_cloud"),
+			expectedErr: errInvalidCloud.Error(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_service_principal"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingClientSecret.Error(),
+			),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_service_principal"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingClientSecret.Error(),
+			),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "missing_workload_identity"),
+			expectedErr: fmt.Sprintf(
+				"%s; %s; %s",
+				errMissingTenantID.Error(),
+				errMissingClientID.Error(),
+				errMissingFedTokenFile.Error(),
+			),
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "invalid_credentials"),
+			expectedErr: `credentials "invalid" is not supported`,
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_authenticator"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Authentication = &AuthConfig{
+					AuthenticatorID: component.MustNewIDWithName("azureauth", "monitor"),
+				}
+				cfg.Credentials = "does-not-matter"
+				return cfg
+			}(),
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "valid_authenticator_2"),
+			expected: func() component.Config {
+				cfg := createDefaultConfig().(*Config)
+				cfg.DiscoverSubscriptions = true
+				cfg.Authentication = &AuthConfig{
+					AuthenticatorID: component.MustNewID("azureauth"),
+				}
+				cfg.Credentials = "does-not-matter"
+				return cfg
+			}(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.id.Name(), func(t *testing.T) {
+			factory := NewFactory()
+			cfg := factory.CreateDefaultConfig()
+
+			sub, err := cm.Sub(tt.id.String())
+			require.NoError(t, err)
+			require.NoError(t, sub.Unmarshal(cfg))
+
+			err = xconfmap.Validate(cfg)
+			if tt.expectedErr != "" {
+				assert.ErrorContains(t, err, tt.expectedErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expected, cfg)
+			}
+		})
+	}
+}
@@ -16,6 +16,7 @@ require (
 	go.opentelemetry.io/collector/component v1.31.1-0.20250501194116-727ae96d6214
 	go.opentelemetry.io/collector/component/componenttest v0.125.1-0.20250501194116-727ae96d6214
 	go.opentelemetry.io/collector/confmap v1.31.1-0.20250501194116-727ae96d6214
+	go.opentelemetry.io/collector/confmap/xconfmap v0.125.1-0.20250501194116-727ae96d6214
 	go.opentelemetry.io/collector/consumer v1.31.1-0.20250501194116-727ae96d6214
 	go.opentelemetry.io/collector/consumer/consumertest v0.125.1-0.20250501194116-727ae96d6214
 	go.opentelemetry.io/collector/pdata v1.31.1-0.20250501194116-727ae96d6214

@@ -134,8 +134,8 @@ type azureScraper struct {
 	clientOptionsResolver ClientOptionsResolver
 }
 
-func (s *azureScraper) start(_ context.Context, _ component.Host) (err error) {
-	if err = s.loadCredentials(); err != nil {
+func (s *azureScraper) start(_ context.Context, host component.Host) (err error) {
+	if err = s.loadCredentials(host); err != nil {
 		return err
 	}
 
@@ -158,7 +158,28 @@ func (s *azureScraper) unloadSubscription(id string) {
 	delete(s.subscriptions, id)
 }
 
-func (s *azureScraper) loadCredentials() (err error) {
+func loadTokenProvider(host component.Host, idAuth component.ID) (azcore.TokenCredential, error) {
+	authExtension, ok := host.GetExtensions()[idAuth]
+	if !ok {
+		return nil, fmt.Errorf("unknown azureauth extension %q", idAuth.String())
+	}
+	credential, ok := authExtension.(azcore.TokenCredential)
+	if !ok {
+		return nil, fmt.Errorf("extension %q does not implement azcore.TokenCredential", idAuth.String())
+	}
+	return credential, nil
+}
+
+func (s *azureScraper) loadCredentials(host component.Host) (err error) {
+	if s.cfg.Authentication != nil {
+		s.settings.Logger.Info("'auth.authenticator' will be used to get the token credential")
+		if s.cred, err = loadTokenProvider(host, s.cfg.Authentication.AuthenticatorID); err != nil {
+			return err
+		}
+		return nil
+	}
+
+	s.settings.Logger.Warn("'credentials' is deprecated, use 'auth.authenticator' instead")
 	switch s.cfg.Credentials {
 	case defaultCredentials:
 		if s.cred, err = s.azDefaultCredentialsFunc(nil); err != nil {