out_azure_logs_ingestion: add support for Managed Identities #2062
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5 tasks
This change updates the documentation to document support for Managed Identities authentication. It tries to align with the documentation style and content for the similar feature for the out_azure_kusto plugin. Signed-off-by: Stefano Boriero <[email protected]>
stefanoboriero
force-pushed
the
azure-log-ingestion-msi
branch
from
15d5f84 to
8f065d6
Compare
esmerel
reviewed
Sep 10, 2025
Comment on lines
+24
to
+46
| ## Authentication Methods | ||
|
|
||
| Fluent-Bit can use various authentication methods to send records to Azure Log Analytics: | ||
|
|
||
| ### Service Principal Authentication (Default) | ||
|
|
||
| For service principal authentication, you'll need to create an Azure AD application: | ||
|
|
||
| - [Register an Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) | ||
| - [Add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) | ||
| - [Authorize the app in your database](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/principals-and-identity-providers#azure-ad-tenants) | ||
|
|
||
| Configure Fluent Bit with your application's `tenant_id`, `client_id`, and `client_secret`. | ||
|
|
||
| ### Managed Identity Authentication | ||
|
|
||
| When running on Azure services that support Managed Identities (such as Azure VMs, AKS, or App Service): | ||
|
|
||
| 1. [Assign the managed identity appropriate permissions to your Kusto database](https://learn.microsoft.com/en-us/azure/data-explorer/configure-managed-identities-cluster) | ||
| 2. Configure Fluent Bit with `auth_type` set to `managed_identity` | ||
| 3. For system-assigned identity, set `client_id` to `system` | ||
| 4. For user-assigned identity, set `client_id` to the managed identity's client ID (GUID) | ||
|
|
There was a problem hiding this comment.
Suggested change
| ## Authentication Methods | |
| Fluent-Bit can use various authentication methods to send records to Azure Log Analytics: | |
| ### Service Principal Authentication (Default) | |
| For service principal authentication, you'll need to create an Azure AD application: | |
| - [Register an Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) | |
| - [Add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) | |
| - [Authorize the app in your database](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/principals-and-identity-providers#azure-ad-tenants) | |
| Configure Fluent Bit with your application's `tenant_id`, `client_id`, and `client_secret`. | |
| ### Managed Identity Authentication | |
| When running on Azure services that support Managed Identities (such as Azure VMs, AKS, or App Service): | |
| 1. [Assign the managed identity appropriate permissions to your Kusto database](https://learn.microsoft.com/en-us/azure/data-explorer/configure-managed-identities-cluster) | |
| 2. Configure Fluent Bit with `auth_type` set to `managed_identity` | |
| 3. For system-assigned identity, set `client_id` to `system` | |
| 4. For user-assigned identity, set `client_id` to the managed identity's client ID (GUID) | |
| ## Authentication methods | |
| Fluent Bit can use various authentication methods to send records to Azure Log Analytics: | |
| ### Service principal authentication | |
| Service principal authentication is the default method. To use it, you mst create an Azure AD application: | |
| - [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application) | |
| - [Add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) | |
| - [Authorize the app in your database](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/principals-and-identity-providers#azure-ad-tenants) | |
| Configure Fluent Bit with your application's `tenant_id`, `client_id`, and `client_secret`. | |
| ### Managed identity authentication | |
| When running on Azure services that support managed identities (such as Azure VMs, AKS, or App Service): | |
| 1. [Assign the managed identity appropriate permissions to your Kusto database](https://learn.microsoft.com/en-us/azure/data-explorer/configure-managed-identities-cluster). | |
| 1. Configure Fluent Bit with `auth_type` set to `managed_identity`. | |
| 1. For system-assigned identity, set `client_id` to `system`. | |
| 1. For user-assigned identity, set `client_id` to the managed identity's client ID (GUID). | |
| | :------------ | :------------------------- | :------ | | ||
| | `tenant_id` | The tenant ID of the Azure Active Directory (AAD) application. | _none_ | | ||
| | `client_id` | The client ID of the AAD application. | _none_ | | ||
| | `client_id` | _Required for service_principal and managed_identity auth_ - The client ID of the AAD registered application. When using managed identity authentication, set this to 'system' for system-assigned identity or provide the managed identity's client ID. | _none_ | |
There was a problem hiding this comment.
Suggested change
| | `client_id` | _Required for service_principal and managed_identity auth_ - The client ID of the AAD registered application. When using managed identity authentication, set this to 'system' for system-assigned identity or provide the managed identity's client ID. | _none_ | | |
| | `client_id` | The client ID of the AAD registered application. When using managed identity authentication, set this to `system` for system-assigned identity or provide the managed identity's client ID. Required for `service_principal` and `managed_identity` auth. | _none_ | |
|
|
||
| Use this configuration file to get started: | ||
|
|
||
| #### Service Principal Authentication (Default) |
There was a problem hiding this comment.
Suggested change
| #### Service Principal Authentication (Default) | |
| #### Service principal authentication |
| {% endtab %} | ||
| {% endtabs %} | ||
|
|
||
| #### User assigned Managed Identity Authentication |
There was a problem hiding this comment.
Suggested change
| #### User assigned Managed Identity Authentication | |
| #### User-assigned managed identity authentication |
| {% endtab %} | ||
| {% endtabs %} | ||
|
|
||
| #### System assigned Managed Identity Authentication |
There was a problem hiding this comment.
Suggested change
| #### System assigned Managed Identity Authentication | |
| #### System-assigned managed identity authentication |
esmerel
reviewed
Sep 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change updates the documentation to document support for Managed Identities authentication. It tries to align with the documentation style and content for the similar feature for the out_azure_kusto plugin. The feature is implemented on PR fluent/fluent-bit#10867