feat(storage-azure): add support for user-managed identities

Author: pbr1111

packages/storage-azure/README.md

@@ -40,14 +40,47 @@ export default buildConfig({
 })
 ```
 
+### Authentication methods
+
+Azure Blob Storage supports different authentication methods. Choose the one that best fits your deployment environment.
+
+#### Connection string
+
+Use Azure Storage connection string for straightforward authentication:
+
+```ts
+azureStorage({
+  baseURL: process.env.AZURE_STORAGE_ACCOUNT_BASEURL,
+  connectionString: process.env.AZURE_STORAGE_CONNECTION_STRING,
+  containerName: process.env.AZURE_STORAGE_CONTAINER_NAME,
+})
+```
+
+#### Azure credentials
+
+Use Azure Identity credentials for enhanced security with managed identities:
+
+```ts
+import { DefaultAzureCredential } from '@azure/identity'
+
+azureStorage({
+  baseURL: process.env.AZURE_STORAGE_ACCOUNT_BASEURL,
+  credentials: new DefaultAzureCredential(),
+  containerName: process.env.AZURE_STORAGE_CONTAINER_NAME,
+})
+```
+
+**Note:** When using User Managed Identity, set the `AZURE_CLIENT_ID` environment variable with your managed identity's client ID.
+
 ### Configuration Options
 
-| Option                 | Description                                                              | Default |
-| ---------------------- | ------------------------------------------------------------------------ | ------- |
-| `enabled`              | Whether or not to enable the plugin                                      | `true`  |
-| `collections`          | Collections to apply the Azure Blob adapter to                           |         |
-| `allowContainerCreate` | Whether or not to allow the container to be created if it does not exist | `false` |
-| `baseURL`              | Base URL for the Azure Blob storage account                              |         |
-| `connectionString`     | Azure Blob storage connection string                                     |         |
-| `containerName`        | Azure Blob storage container name                                        |         |
-| `clientUploads`        | Do uploads directly on the client to bypass limits on Vercel.            |         |
+| Option                 | Description                                                                                              | Default |
+| ---------------------- | -------------------------------------------------------------------------------------------------------- | ------- |
+| `enabled`              | Whether or not to enable the plugin                                                                      | `true`  |
+| `collections`          | Collections to apply the Azure Blob adapter to                                                           |         |
+| `allowContainerCreate` | Whether or not to allow the container to be created if it does not exist                                 | `false` |
+| `baseURL`              | Base URL for the Azure Blob storage account (required when using credentials)                            |         |
+| `connectionString`     | Azure Blob storage connection string (alternative to credentials + baseURL)                              |         |
+| `credentials`          | Azure TokenCredential for authentication (e.g., DefaultAzureCredential). Alternative to connectionString |         |
+| `containerName`        | Azure Blob storage container name                                                                        |         |
+| `clientUploads`        | Do uploads directly on the client to bypass limits on Vercel.                                            |         |

packages/storage-azure/package.json

@@ -48,6 +48,7 @@
   },
   "dependencies": {
     "@azure/abort-controller": "^1.1.0",
+    "@azure/identity": "^4.11.1",
     "@azure/storage-blob": "^12.11.0",
     "@payloadcms/plugin-cloud-storage": "workspace:*",
     "range-parser": "^1.2.1"

packages/storage-azure/src/index.ts

@@ -1,3 +1,4 @@
+import type { TokenCredential } from '@azure/identity'
 import type { ContainerClient } from '@azure/storage-blob'
 import type {
   Adapter,
@@ -42,15 +43,21 @@ export type AzureStorageOptions = {
   collections: Partial<Record<UploadCollectionSlug, Omit<CollectionOptions, 'adapter'> | true>>
 
   /**
-   * Azure Blob storage connection string
+   * Azure Blob storage connection string (when using connection string authentication)
    */
-  connectionString: string
+  connectionString?: string
 
   /**
    * Azure Blob storage container name
    */
   containerName: string
 
+  /**
+   * Azure Blob storage credentials (alternative to connectionString)
+   * Use this for UMI (User Managed Identity) or other Azure identity-based authentication
+   */
+  credentials?: TokenCredential
+
   /**
    * Whether or not to enable the plugin
    *
@@ -66,8 +73,10 @@ export const azureStorage: AzureStoragePlugin =
   (incomingConfig: Config): Config => {
     const getStorageClient = () =>
       getStorageClientFunc({
+        baseURL: azureStorageOptions.baseURL,
         connectionString: azureStorageOptions.connectionString,
         containerName: azureStorageOptions.containerName,
+        credentials: azureStorageOptions.credentials,
       })
 
     const isPluginDisabled = azureStorageOptions.enabled === false
@@ -140,10 +149,16 @@ function azureStorageInternal(
     clientUploads,
     connectionString,
     containerName,
+    credentials,
   }: AzureStorageOptions,
 ): Adapter {
   const createContainerIfNotExists = () => {
-    void getStorageClientFunc({ connectionString, containerName }).createIfNotExists({
+    void getStorageClientFunc({
+      baseURL,
+      connectionString,
+      containerName,
+      credentials,
+    }).createIfNotExists({
       access: 'blob',
     })
   }

packages/storage-azure/src/utils/getStorageClient.ts

@@ -7,15 +7,29 @@ import type { AzureStorageOptions } from '../index.js'
 let storageClient: ContainerClient | null = null
 
 export function getStorageClient(
-  options: Pick<AzureStorageOptions, 'connectionString' | 'containerName'>,
+  options: Pick<
+    AzureStorageOptions,
+    'baseURL' | 'connectionString' | 'containerName' | 'credentials'
+  >,
 ): ContainerClient {
   if (storageClient) {
     return storageClient
   }
 
-  const { connectionString, containerName } = options
+  const { baseURL, connectionString, containerName, credentials } = options
+
+  let blobServiceClient: BlobServiceClient
+
+  if (credentials) {
+    blobServiceClient = new BlobServiceClient(baseURL, credentials)
+  } else if (connectionString) {
+    blobServiceClient = BlobServiceClient.fromConnectionString(connectionString)
+  } else {
+    throw new Error(
+      'Azure Storage: Either provide a connectionString or credentials for authentication',
+    )
+  }
 
-  const blobServiceClient = BlobServiceClient.fromConnectionString(connectionString)
   storageClient = blobServiceClient.getContainerClient(containerName)
   return storageClient
 }