Skip to main content

Documentation Index

Fetch the complete documentation index at: https://otel.fyi/llms.txt

Use this file to discover all available pages before exploring further.

Azureauth Extension

Status Available in: contrib Maintainers: @constanca-m Source: opentelemetry-collector-contrib

Overview

This extension implements both extensionauth.HTTPClient and extensionauth.Server, so it can be used in both exporters and receivers. Additionally, the extension also implements azcore.TokenCredential so that Azure components can get the token by running the function GetToken. If the component supports HTTP client, then this should not be necessary, as the token will be placed in the authorization header. It supports 4 different types of authentication:
  • Managed identity for Azure resources
  • Workload identity for Kubernetes
  • Service principal with either a client secret or client certificate path for non Azure.
  • And the default credentials. This is not recommended for production.

Examples

Managed identity

User based: 
extensions:
  azure_auth:
    managed_identity:
      client_id: ${CLIENT_ID}
System based (leave client_id field empty): 
extensions:
  azure_auth:
    managed_identity:

Workload identity

extensions:
  azure_auth:
    workload_identity:
      client_id: ${CLIENT_ID}
      federated_token_file: ${FILE}
      tenant_id: ${TENANT_ID}

Service principal

With client secret: 
extensions:
  azure_auth:
    service_principal:
      client_id: ${CLIENT_ID}
      tenant_id: ${TENANT_ID}
      client_secret: ${CLIENT_SECRET}
With client certificate path: 
extensions:
  azure_auth:
    service_principal:
      client_id: ${CLIENT_ID}
      tenant_id: ${TENANT_ID}
      client_certificate_path: ${CLIENT_CERTIFICATE_PATH}

Default authentication

Not recommended for production. 
extensions:
  azure_auth:
    use_default: true

With custom scopes

You can set custom scopes if the audience required in the token does not match the host you are trying to reach. This is useful for Azure Monitor Workspaces since the workspace hostname is specific to your instance whereas the audience required is https://monitor.azure.com/.default 
extensions:
  azure_auth:
    scopes:
      - https://monitor.azure.com/.default

Configuration

Example Configuration

azure_auth:

azure_auth/use_default:
  use_default: true

azure_auth/valid_service_principal_secret:
  service_principal:
    client_id: test
    client_secret: test
    tenant_id: test

azure_auth/valid_service_principal_certificate:
  service_principal:
    client_id: test
    client_certificate_path: test
    tenant_id: test

azure_auth/service_principal_mutually_exclusive:
  service_principal:
    client_id: test
    client_certificate_path: test
    tenant_id: test
    client_secret: test

azure_auth/service_principal_empty_client_id:
  service_principal:
    client_secret: test
    tenant_id: test

azure_auth/service_principal_empty_tenant_id:
  service_principal:
    client_id: test
    client_secret: test

azure_auth/service_principal_empty_client_credential:
  service_principal:
    client_id: test
    tenant_id: test

azure_auth/valid_workload_identity:
  workload_identity:
    client_id: test
    federated_token_file: test
    tenant_id: test

azure_auth/workload_identity_empty_client_id:
  workload_identity:
    federated_token_file: test
    tenant_id: test

azure_auth/workload_identity_empty_tenant_id:
  workload_identity:
    client_id: test
    federated_token_file: test

azure_auth/workload_identity_empty_federated_token_file:
  workload_identity:
    client_id: test
    tenant_id: test
Last generated: 2026-04-20