[exporter/azuremonitor] Enhance AAD Documentation. #29234

Merged
merged 11 commits into from
Nov 16, 2023
19 changes: 9 additions & 10 deletions exporter/azuremonitorexporter/AUTHENTICATION.md
Expand Up @@ -2,42 +2,41 @@

## Local Authentication

The default authentication mechanism used by the Azure Monitor Exporter is "Local Authentication" - based solely on the Application Insights Instrumentation Key. An example of the exporters section of the configuration is
The default authentication mechanism used by the Azure Monitor Exporter is "Local Authentication", which relies exclusively on the `InstrumentationKey` obtained from the connection string of the Application Insights. Below is an illustrative example of the exporters section in a configuration file:

```yaml
exporters:
azuremonitor:
instrumentation_key: 00000000-0000-0000-0000-000000000000
connection_string: "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://ingestion.azuremonitor.com/"
```

Where the zero guid is replaced with the instrumentation key of your Application Insights instance.
Use the connection string from your Application Insights instance.

The same can be achieved by using an environment variable to hold the key

```yaml
exporters:
azuremonitor:
instrumentation_key: ${env:APP_INSIGHTS_KEY}
connection_string: ${env:APPLICATIONINSIGHTS_CONNECTION_STRING}
```

## AAD/Entra Authentication

Local Authentication can be disabled in [Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication) and an AAD based identity can be used in conjunction with the instrumentation key. The instrumentation key is still required by the Exporter, but it is no long sufficient to just have this in order to import data.
Local Authentication can be disabled in [Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication) and an AAD based identity can be used in conjunction with the instrumentation key.

The Azure Monitor Exporter does not support this approach directly, but it can be used with the [AAD Authentication Proxy](https://github.com/Azure/aad-auth-proxy) from the Azure Monitor product group.

The AAD Auth Proxy is a separate container/side-car that proxies calls to the Application Insights ingestion endpoint and attaches a bearer token to each call, asserting an AAD identity. This identity is managed by a certificate in the container that is registered with a Service Principal in AAD.

To use this, both Azure Monitor Exporter and the AAD Auth Proxy require specific configuration. In the Exporter's configuration, it is necessary to override the default endpoint used to send data to. In the following example, it is assumed the AAD Auth Proxy is listening on localhost:8081.
To integrate this setup, both the Azure Monitor Exporter and the AAD Auth Proxy must be configured appropriately. For the Exporter, replace the ingestion endpoint in the connection string with the proxy endpoint. For instance, if the AAD Auth Proxy listens on localhost:8081, configure as follows:

```yaml
exporters:
azuremonitor:
instrumentation_key: ${env:APP_INSIGHTS_KEY}
endpoint: http://localhost:8081/v2.1/track
connection_string: "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=http://localhost:8081"
```

The key difference is this uses the `v2.1` endpoint, not the standard `v2` one.
The original `IngestionEndpoint` from the connection string needs to be set as the `TARGET_HOST` environment variable in the aad-auth-proxy configuration.

In the docker compose file for AAD Auth Proxy, the following values need to be set:
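
Review bot: In the AAD proxy example, the new `connection_string` line inlines the instrumentation key as a literal, where the lines it replaces read it from `${env:APP_INSIGHTS_KEY}`. Readers copy these snippets, so keep the value out of the config file here as well, for example `connection_string: ${env:APPLICATIONINSIGHTS_CONNECTION_STRING}` with the proxy address in that variable's `IngestionEndpoint`. Two smaller points in the same hunk: the unchanged sentence "The same can be achieved by using an environment variable to hold the key" now introduces an example that holds the whole connection string, and the rewritten AAD paragraph drops the statement that the instrumentation key alone is no longer sufficient once Local Authentication is disabled, which is the property a reader enabling AAD most wants to see stated.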

Expand All @@ -60,7 +59,7 @@ azuremonitor-ingestion-proxy:
```

- `AUDIENCE`: value is the generic Azure Monitor Scope.
- `TARGET_HOST`: the Application Insights IngestionEndpoint value from the Connection String, available in the Azure Portal.
- `TARGET_HOST`: the Application Insights `IngestionEndpoint` value from the Connection String, available in the Azure Portal.
- `AAD_CLIENT_ID`: client id of the service principal representing the AAD identity to use.
- `AAD_TENANT_ID`: id of the AAD Tenant the service principal exists in.
- `AAD_CLIENT_CERTIFICATE_PATH`: path to the .pem certificate file containing the CERTIFICATE and PRIVATE KEY parts of the certificate registered with the service principal.
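
Review bot: The `TARGET_HOST` bullet says "the Connection String", but after this change a reader following the proxy setup has two of them: the one from the Azure Portal and the exporter's, whose `IngestionEndpoint` now points at `http://localhost:8081`. Say "the original connection string from the Azure Portal, not the one given to the exporter" so the proxy is never pointed back at itself. The bullet also repeats the sentence added just above the docker compose paragraph; one of the two could refer to the other.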
Expand Up @@ -75,6 +75,6 @@ func getIngestionURL(ingestionEndpoint string) string {
ingestionURL, _ = url.Parse(DefaultIngestionEndpoint)
}

ingestionURL.Path = path.Join(ingestionURL.Path, "/v2/track")
ingestionURL.Path = path.Join(ingestionURL.Path, "/v2.1/track")
rajkumar-rangaraj marked this conversation as resolved.
return ingestionURL.String()
}
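
Review bot: The `"/v2.1/track"` literal on the `path.Join` line applies to every connection string, including the fallback to `DefaultIngestionEndpoint`, so this changes the ingestion path for users who never configure the proxy. Add a short comment on why `v2.1` is required and move the path into a named constant that the tests can reference, and record the change in the changelog as a behaviour change. Separately, nothing in the visible lines looks at the scheme of the parsed endpoint; since the documentation now tells users to put `http://localhost:8081` into `IngestionEndpoint`, consider logging a warning when the scheme is `http` and the host is not loopback, because telemetry and the instrumentation key would then travel in cleartext.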
10 changes: 5 additions & 5 deletions exporter/azuremonitorexporter/connection_string_parser_test.go
Expand Up @@ -27,7 +27,7 @@ func TestParseConnectionString(t *testing.T) {
},
want: &ConnectionVars{
InstrumentationKey: "00000000-0000-0000-0000-000000000000",
IngestionURL: "https://ingestion.azuremonitor.com/v2/track",
IngestionURL: "https://ingestion.azuremonitor.com/v2.1/track",
},
wantError: false,
},
Expand All @@ -38,7 +38,7 @@ func TestParseConnectionString(t *testing.T) {
},
want: &ConnectionVars{
InstrumentationKey: "00000000-0000-0000-0000-000000000000",
IngestionURL: DefaultIngestionEndpoint + "v2/track",
IngestionURL: DefaultIngestionEndpoint + "v2.1/track",
},
wantError: false,
},
Expand All @@ -49,7 +49,7 @@ func TestParseConnectionString(t *testing.T) {
},
want: &ConnectionVars{
InstrumentationKey: "00000000-0000-0000-0000-000000000000",
IngestionURL: "https://ingestion.azuremonitor.com/v2/track",
IngestionURL: "https://ingestion.azuremonitor.com/v2.1/track",
},
wantError: false,
},
Expand Down Expand Up @@ -93,7 +93,7 @@ func TestParseConnectionString(t *testing.T) {
},
want: &ConnectionVars{
InstrumentationKey: "00000000-0000-0000-0000-000000000000",
IngestionURL: "https://ingestion.azuremonitor.com/v2/track",
IngestionURL: "https://ingestion.azuremonitor.com/v2.1/track",
},
wantError: false,
},
Expand All @@ -104,7 +104,7 @@ func TestParseConnectionString(t *testing.T) {
},
want: &ConnectionVars{
InstrumentationKey: "00000000-0000-0000-0000-000000000000",
IngestionURL: "https://ingestion.azuremonitor.com/v2/track",
IngestionURL: "https://ingestion.azuremonitor.com/v2.1/track",
},
wantError: false,
},