[Azure App Insights] add support for Client Secret#48880
Conversation
|
This pull request doesn't have a |
🤖 GitHub commentsJust comment with:
|
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
✅ Vale Linting ResultsNo issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
|
@coderabbitai full review |
✅ Actions performedFull review triggered. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds OAuth2 (client secret) authentication to the Azure App Insights Metricbeat module and a changelog fragment. Configuration and docs were updated to include tenant_id, client_id, client_secret, active_directory_endpoint and an auth_type selector while retaining api_key (and documenting api_key auth as the default). The module Config struct gained ApiKey, TenantId, ClientId, ClientSecret, ActiveDirectoryEndpoint fields and a Validate method enforcing complete auth configuration. Service code selects between OAuth2 (token-based) and API-key authorizers, introduces tokenCredentialAuthorizer, and removes the eventClient field. Unit tests were added for config validation and authorizer behavior. The application_id and api_key documented types were changed from []string to string. Suggested labels
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
zmoog
left a comment
There was a problem hiding this comment.
The primary concern with this PR is the overlap between the new azidentity package and the deprecated autorest/appinsights ones.
I’m not sure it's worth the effort to integrate both simultaneously. Is it strictly necessary to support client secret in App Insights right now? It might be better to modernize the stack by removing the deprecated packages first, then add the new authentication options afterward.
Given the upcoming retirement timeline for API key authentication, as discussed, we will proceed with implementing the OAuth2 migration and removing the gating so that existing customers can migrate and then tackle the SDK migrations for it separately. |
Agreed. I would only suggest using the name Client Secret instead of OAuth2. Since this isn't a generic OAuth2 client, using that label could cause confusion and set the wrong expectations for users (as we’ve already seen happen in other contexts). |
🔍 Preview links for changed docs |
|
Workflow run
Root cause: no failure occurred in this run. Tests run/results: GitHub Actions What is this? | From workflow: PR Actions Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
062771a to
24df1e2
Compare
|
I've created a KB with the steps I suppose will be necessary to follow (https://support.elastic.dev/knowledge/view/d076963d). There are some TODOs. If someone can help filling them, we can confirm and make it public too. I wouldn't be against donating it to the docs team for a "how to migrate" section. |
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs (cherry picked from commit 73c3663) # Conflicts: # docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md # docs/reference/metricbeat/metricbeat-module-azure.md # x-pack/metricbeat/module/azure/app_insights/_meta/docs.md
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs (cherry picked from commit 73c3663)
* [Azure App Insights] add support for ouath2 * check that at least one auth is configured * add changelog fragemnt and update docs * small fixes * fix yml files * add auth_type to config * remove sensitive data from debug log * remove redundant log msg * add required roles * remove logger and ctx nil check * add deprecation message and remove active_directory_endpoint * fix doc * add applies_to to docs (cherry picked from commit 73c3663)


Proposed commit message
Add support for client secret authentication in Azure App Insights
Checklist
stresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.Disruptive User Impact
Author's Checklist
How to test this PR locally
Related issues
Use cases
Backward Compatibility
Screenshots
Client Secret
Api Key
Logs
Client Secret Logs
{"log.level":"debug","@timestamp":"2026-03-09T16:53:18.731+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":58},"message":"Using client secret authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}> {"log.level":"debug","@timestamp":"2026-03-09T16:53:18.732+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":58},"message":"Using client secret authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2026-03-09T16:53:18.732+0100","log.logger":"azure.app_insights.module","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb/module.(*metricSetWrapper).run","file.name":"module/wrapper.go","file.line":220},"message":"Starting metricSetWrapper[module=azure, name=app_insights, host=]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-09T16:53:48.735+0100","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*Reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"metricbeat":{"azure":{"app_insights":{"events":1,"success":1}}}},"ecs.version":"1.6.0"}}
Api Key Logs
{"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azu re/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":61},"message":"Using API key authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}> {"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":61},"message":"Using API key authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights.module","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb/module.
(*metricSetWrapper).run","file.name":"module/wrapper.go","file.line":220},"message":"Starting metricSetWrapper[module=azure, name=app_insights,
host=]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-09T17:48:23.509+0100","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*Repor
ter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"beat":{"cpu":{"system"
:{"ticks":139,"time":{"ms":7}},"total":{"ticks":447,"time":{"ms":10},"value":447.5425416666666},"user":{"ticks":307,"time":{"ms":2}}},"info":{"ephemeral_id":"22f40622-ddf3-44d8-8549
-df43d4bc5351","uptime":{"ms":210113},"version":"9.4.0"},"memstats":{"gc_next":24875050,"memory_alloc":12452352,"memory_total":146460576,"rss":74399744},"runtime":{"goroutines":21}}
,"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":1,"active":0,"batches":1,"total":1},"read":{"bytes":176,"errors":1},"write":{"bytes":1400,"latency":{"histo
gram":{"count":4,"max":268,"mean":78.75,"median":18,"min":11,"p75":205.5,"p95":268,"p99":268,"p999":268,"stddev":109.30090347293567}},"latency_delta":{"histogram":{"count":1,"max":1
8,"median":18,"min":18,"p99":18}}}},"pipeline":{"clients":1,"events":{"active":0,"published":1,"total":1},"queue":{"acked":1,"added":{"bytes":1595,"events":1},"consumed":{"bytes":15
95,"events":1},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":1595,"events":1}}}},"metricbeat":{"azure":{"app_insights":{"events":1,"succ
ess":1}}},"system":{"load":{"1":3.3511,"15":4.5615,"5":4.0386,"norm":{"1":0.2793,"15":0.3801,"5":0.3365}}}},"ecs.version":"1.6.0"}}