Xuanwo · Xuanwo · Jun 7, 2024 · Jun 7, 2024 · Jun 7, 2024 · Jun 7, 2024
diff --git a/src/azure/storage/config.rs b/src/azure/storage/config.rs
@@ -1,5 +1,5 @@
+use std::collections::HashMap;
 use std::env;
-use std::{collections::HashMap, fs};
 
 /// Config carries all the configuration for Azure Storage services.
 #[derive(Clone, Default)]
@@ -48,12 +48,12 @@ pub struct Config {
  ///
  /// This is part of use AAD(Azure Active Directory) authenticate on Azure VM
  pub endpoint: Option<String>,
- /// `federated_token` value will be loaded from:
+ /// `federated_token_file` value will be loaded from:
  ///
  /// - this field if it's `is_some`
- /// - env value: [`AZURE_FEDERATED_TOKEN`]
- /// - profile config: `federated_toen_file`
- pub federated_token: Option<String>,
+ /// - env value: [`AZURE_FEDERATED_TOKEN_FILE`]
+ /// - profile config: `federated_token_file`
+ pub federated_token_file: Option<String>,
  /// `tenant_id` value will be loaded from:
  ///
  /// - this field if it's `is_some`
@@ -68,7 +68,6 @@ pub struct Config {
  pub authority_host: Option<String>,
 }
 
-pub const AZURE_FEDERATED_TOKEN: &str = "AZURE_FEDERATED_TOKEN";
 pub const AZURE_FEDERATED_TOKEN_FILE: &str = "AZURE_FEDERATED_TOKEN_FILE";
 pub const AZURE_TENANT_ID: &str = "AZURE_TENANT_ID";
 pub const AZURE_CLIENT_ID: &str = "AZURE_CLIENT_ID";
@@ -85,11 +84,7 @@ impl Config {
 
  // federated_token can be loaded from both `AZURE_FEDERATED_TOKEN` and `AZURE_FEDERATED_TOKEN_FILE`.
  if let Some(v) = envs.get(AZURE_FEDERATED_TOKEN_FILE) {
- self.federated_token = Some(fs::read_to_string(v).unwrap_or_default());
- }
-
- if let Some(v) = envs.get(AZURE_FEDERATED_TOKEN) {
- self.federated_token = Some(v.to_string());
+ self.federated_token_file = Some(v.to_string());
  }
 
  if let Some(v) = envs.get(AZURE_TENANT_ID) {

diff --git a/src/azure/storage/workload_identity_credential.rs b/src/azure/storage/workload_identity_credential.rs
@@ -1,4 +1,4 @@
-use std::str;
+use std::{fs, str};
 
 use http::HeaderValue;
 use http::Method;
@@ -15,17 +15,19 @@ const STORAGE_TOKEN_SCOPE: &str = "https://storage.azure.com/.default";
 ///
 /// See <https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal,http#using-the-rest-protocol>
 pub async fn get_workload_identity_token(config: &Config) -> anyhow::Result<Option<LoginResponse>> {
- let (token, tenant_id, client_id, authority_host) = match (
- &config.federated_token,
+ let (token_file, tenant_id, client_id, authority_host) = match (
+ &config.federated_token_file,
  &config.tenant_id,
  &config.client_id,
  &config.authority_host,
  ) {
- (Some(token), Some(tenant_id), Some(client_id), Some(authority_host)) => {
- (token, tenant_id, client_id, authority_host)
+ (Some(token_file), Some(tenant_id), Some(client_id), Some(authority_host)) => {
+ (token_file, tenant_id, client_id, authority_host)
  }
  _ => return Ok(None),
  };
+
+ let token = fs::read_to_string(token_file)?;
  let url = Url::parse(authority_host)?.join(&format!("/{tenant_id}/oauth2/v2.0/token"))?;
  let scopes: &[&str] = &[STORAGE_TOKEN_SCOPE];
  let encoded_body: String = form_urlencoded::Serializer::new(String::new())
@@ -35,7 +37,7 @@ pub async fn get_workload_identity_token(config: &Config) -> anyhow::Result<Opti
  "client_assertion_type",
  "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  )
- .append_pair("client_assertion", token)
+ .append_pair("client_assertion", &token)
  .append_pair("grant_type", "client_credentials")
  .finish();
 
@@ -57,7 +59,7 @@ pub async fn get_workload_identity_token(config: &Config) -> anyhow::Result<Opti
 
  if !rsp_status.is_success() {
  return Err(anyhow::anyhow!(
- "Failed to get token from working identity credential, rsp_status = {}, rsp_body = {}",
+ "Failed to get token from workload identity credential, rsp_status = {}, rsp_body = {}",
  rsp_status,
  rsp_body
  ));