Azure Workload Identity

JFrog Installation & Setup Documentation

Artifactory supports authentication with Azure Blob Storage using Azure Workload Identity. This method provides a secure, secret-less authentication mechanism for applications running on Azure Kubernetes Service (AKS). It leverages federated identity credentials, removing the need to manage and rotate secrets like SAS tokens or storage account keys within your Artifactory configuration.

Note

Support for Azure Workload Identity is available for Azure Blob Storage V2 Binary Provider in Artifactory version 7.125.4 and later.

Prerequisites

Before configuring Artifactory, ensure the following prerequisites are met in your Azure environment:

  • You have an Azure Kubernetes Service (AKS) cluster with the Workload Identity feature enabled.

  • You have created a User-Assigned Managed Identity.

  • You have established a federated identity credential between the managed identity and the Kubernetes service account that your Artifactory pods are using.

  • The managed identity has been granted the required permissions (e.g., Storage Blob Data Contributor) on the target Azure Storage Account.

For more information, see Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster.

Configuration

To enable authentication via Azure Workload Identity, add the parameter useInstanceCredentials to your azure-blob-storage-v2 provider configuration in the binarystore.xml file and set its value to true, as shown below.

<config version="1">
    <chain template="azure-blob-storage-v2-direct"/>
    <provider id="azure-blob-storage-v2" type="azure-blob-storage-v2">

        <useInstanceCredentials>true</useInstanceCredentials>

        <!-- Other Azure Blob Storage configuration parameters -->

    </provider>
</config>
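
A preflight check for the prerequisites and the setting above, as an added example that is not part of the JFrog documentation: run inside an Artifactory pod, it confirms that the workload identity variables and the federated token are present, that the token's subject is the expected service account, and that binarystore.xml sets useInstanceCredentials to true. The function names, the binarystore.xml path argument and the expected subject are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not JFrog code): preflight check to run inside an Artifactory pod.
# The AZURE_* names are the variables the Azure Workload Identity webhook injects;
# the binarystore.xml path and expected subject are supplied by the caller.

# jwt_claim TOKEN_FILE CLAIM: print a string claim from the token's payload.
# Only the claim is printed; the token itself is never echoed.
jwt_claim() {
    payload=$(cut -d. -f2 "$1" | tr '_-' '/+')   # base64url -> base64
    case $(( ${#payload} % 4 )) in               # restore stripped padding
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_workload_identity BINARYSTORE_XML EXPECTED_SUBJECT
# EXPECTED_SUBJECT has the form system:serviceaccount:<namespace>:<serviceaccount>,
# the subject the federated identity credential must be bound to.
# Prints every failed check; returns 0 only when all of them pass.
check_workload_identity() {
    rc=0
    for v in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing env: $v"; rc=1; }
    done
    if [ -r "${AZURE_FEDERATED_TOKEN_FILE:-}" ]; then
        sub=$(jwt_claim "$AZURE_FEDERATED_TOKEN_FILE" sub)
        [ "$sub" = "$2" ] || { echo "token subject '$sub' is not '$2'"; rc=1; }
    else
        echo "federated token file is not readable"; rc=1
    fi
    grep -Eq '<useInstanceCredentials>[[:space:]]*true[[:space:]]*</useInstanceCredentials>' "$1" ||
        { echo "useInstanceCredentials is not set to true in $1"; rc=1; }
    return $rc
}
```

A subject mismatch here means the pod is running under a different service account than the one named in the federated identity credential, which is the usual reason the token exchange is rejected.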