Support repository-azure snapshot plugin with "managed identity" #89633

Open
Leaf-Lin opened this issue Aug 25, 2022 · 8 comments
Labels
:Distributed/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs >enhancement Team:Distributed Meta label for distributed team

Comments

@Leaf-Lin
Contributor

Leaf-Lin commented Aug 25, 2022

Description

Microsoft is recommending Managed Identities as a superior way of authorizing access.

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

Azure Blob Storage supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.


I think this issue is different from #69075 where it requests https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity for Kubernetes Service only. But if we can resolve these two issues with a similar approach, that would be great.

@Leaf-Lin Leaf-Lin added >enhancement :Distributed/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs Team:Distributed Meta label for distributed team labels Aug 25, 2022
@elasticsearchmachine
Collaborator

Pinging @elastic/es-distributed (Team:Distributed)

@artificial-aidan

I put together a POC on a fork here.

First time working in Java, and this repo is pretty complicated, but it's working for me. Maybe somebody could take over who is more familiar, or help me work through some of the non-code changes needed.

I think it could be done more cleanly by adding new settings and whatnot, but as a first time contribution, that wasn't as well documented at first glance.

@artificial-aidan

Bump? Any thoughts, should I open a PR?

@horvatal

I would try a PR, then it gets more visible to the maintainers ;-)

@sabarishkre

@artificial-aidan Any PR out yet?

@artificial-aidan

No, but I've been running the code in production since I made this issue, no problems.

@sabarishkre

sabarishkre commented Jul 1, 2024

You mean you've been running a build from your repo/branch, containing your changes to support workload identity, in production?
If yes, can you provide some more details - does it work with AKS having pod identities as well? Thanks!

@artificial-aidan

> You mean you've been running a build from your repo/branch, containing your changes to support workload identity, in production?
> If yes, can you provide some more details - does it work with AKS having pod identities as well? Thanks!

I do not use pod identities, but it might work. It just uses the default methods of loading credentials. For workload identities it works fine.
