Azure Storage authentication failed in ChinaAzureCloud after upgrade from v0.39.2 to v0.41.0 #8728

@wwyhy

Thanos, Prometheus and Golang version used: v0.41.0

Object Storage Provider: Azure

What happened:
Azure storage WorkloadIdentityCredential authentication fails in China Azure Cloud after upgrading to v0.41.0, but it works with the same config in version v0.39.2.

I observed that the env variable AZURE_AUTHORITY_HOST points to https://login.chinacloudapi.cn/ or https://login.microsoftonline.com/ in v0.39.2. We have multiple clusters; some point to https://login.microsoftonline.com/, some point to https://login.chinacloudapi.cn/.

But it points to https://login.microsoftonline.com/ after upgrading to v0.41.0; we have only one cluster running on v0.41.0. I think it does not matter here, because setting it to https://login.chinacloudapi.cn/ still failed, whereas setting it to https://login.partner.microsoftonline.cn/ works. So there are some changes/hardcoded values in the SDK.

What you expected to happen: Azure storage WorkloadIdentityCredential authentication succeeds without issue, as in v0.39.2.

How to reproduce it (as minimally and precisely as possible):

1. Thanos config file (e.g. thanos.yaml):

```yaml
type: AZURE
config:
  storage_account: "thanos"
  container: "thanos"
  endpoint: "blob.core.chinacloudapi.cn"
  max_retries: 0
```

2. Start thanos-compact/etc with version v0.41.0

Full logs to relevant components: Thanos-compact (thanos-store/receive/ruler has same issue)

Logs

```
ts=2026-03-25T03:15:55.047573899Z caller=factory.go:43 level=info msg="loading tracing configuration"
ts=2026-03-25T03:15:55.048268322Z caller=factory.go:39 level=info msg="loading bucket configuration"
ts=2026-03-25T03:16:00.731750736Z caller=main.go:151 level=error err="DefaultAzureCredential: failed to acquire a token.\nAttempted credentials:\n\tEnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set\n\tWorkloadIdentityCredential: unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery 'https://login.partner.microsoftonline.cn/xxx-xxxx-xxxx-xxxx-xxxx/v2.0' does not match authority 'https://login.microsoftonline.com/xxx-xxxx-xxxx-xxxx-xxxx/' or a known pattern\ncreate AZURE client\ngithub.com/thanos-io/objstore/client.NewBucketFromConfig\n\t/go/pkg/mod/github.com/thanos-io/objstore@v0.0.0-20250804093838-71d60dfee488/client/factory.go:81\ngithub.com/thanos-io/objstore/client.NewBucket\n\t/go/pkg/mod/github.com/thanos-io/objstore@v0.0.0-20250804093838-71d60dfee488/client/factory.go:45\nmain.runCompact\n\t/app/cmd/thanos/compact.go:210\nmain.registerCompact.func1\n\t/app/cmd/thanos/compact.go:99\nmain.main\n\t/app/cmd/thanos/main.go:149\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:285\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1693\npreparing compact command failed\nmain.main\n\t/app/cmd/thanos/main.go:151\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:285\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1693"
```

Anything else we need to know:
2. For Loki, there is a parameter "environment" that can be set to ChinaAzureCloud. Ref: https://grafana.com/docs/loki/latest/configure/#azure_storage_config
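
A small triage helper for the error in the logs above, added here as an example and not part of the original issue, Thanos or the Azure SDK. It pulls the OIDC issuer host and the authority host out of the log line and returns the AZURE_AUTHORITY_HOST value whose host matches the issuer, which is the workaround the reporter describes; `ParseMismatch`, `SuggestedAuthority` and `sampleLine` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: abridged from the log line quoted in the issue (tenant ID is the page's placeholder).
const sampleLine = `ts=2026-03-25T03:16:00.731750736Z caller=main.go:151 level=error err="DefaultAzureCredential: failed to acquire a token.\nAttempted credentials:\n\tWorkloadIdentityCredential: unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery 'https://login.partner.microsoftonline.cn/xxx-xxxx-xxxx-xxxx-xxxx/v2.0' does not match authority 'https://login.microsoftonline.com/xxx-xxxx-xxxx-xxxx-xxxx/' or a known pattern"`

// mismatchRe captures the two URLs named in the error text shown on the page.
var mismatchRe = regexp.MustCompile(`issuer from OIDC discovery '([^']+)' does not match authority '([^']+)'`)

// Mismatch holds the hosts of the issuer URL and the authority URL.
type Mismatch struct{ IssuerHost, AuthorityHost string }

// ParseMismatch returns the two hosts, or false when the line does not
// carry the issuer/authority error or either URL has no host.
func ParseMismatch(line string) (Mismatch, bool) {
	g := mismatchRe.FindStringSubmatch(line)
	if g == nil {
		return Mismatch{}, false
	}
	iss, errI := url.Parse(g[1])
	auth, errA := url.Parse(g[2])
	if errI != nil || errA != nil || iss.Host == "" || auth.Host == "" {
		return Mismatch{}, false
	}
	return Mismatch{IssuerHost: iss.Host, AuthorityHost: auth.Host}, true
}

// SuggestedAuthority returns an authority URL on the issuer's host, or ""
// when the hosts already agree. Assumption: matching the issuer host is the
// workaround reported in the issue, not a confirmed upstream fix.
func SuggestedAuthority(m Mismatch) string {
	if strings.EqualFold(m.IssuerHost, m.AuthorityHost) {
		return ""
	}
	return "https://" + m.IssuerHost + "/"
}

func main() {
	if m, ok := ParseMismatch(sampleLine); ok {
		fmt.Printf("authority in use: %s\nissuer returned:  %s\n", m.AuthorityHost, m.IssuerHost)
		fmt.Println("AZURE_AUTHORITY_HOST value to try:", SuggestedAuthority(m))
	}
}
```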
