fix

andyzhangx · andyzhangx · commit c588551bedc0 · 2025-07-12T02:36:20.000Z
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -162,7 +162,7 @@ const (
 
 	DefaultTokenAudience = "api://AzureADTokenExchange" //nolint:gosec // G101 ignore this!
 
-	defaultAzureFederatedTokenDir = "/var/lib/kubelet/" + DefaultDriverName
+	defaultAzureFederatedTokenDir = "/var/lib/kubelet/plugins/" + DefaultDriverName
 )
 
 var (
@@ -590,15 +590,15 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			}
 			azureFederatedTokenFile := filepath.Join(defaultAzureFederatedTokenDir, clientID)
 			klog.V(2).Infof("write workload identity token to %s", azureFederatedTokenFile)
-			if err := os.WriteFile(azureFederatedTokenFile, []byte(workloadIdentityToken), 0644); err != nil {
+			if err := os.WriteFile(azureFederatedTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
 				return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write azure federated token file %s: %v", azureFederatedTokenFile, err)
 			}
 
 			authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
 			if tenantID != "" {
 				authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
 			}
-			authEnv = append(authEnv, "AZURE_FEDERATED_TOKEN_FILE="+azureFederatedTokenFile)
+			authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureFederatedTokenFile)
 
 			return rgName, accountName, accountKey, containerName, authEnv, err
 		}
diff --git a/pkg/blob/nodeserver_test.go b/pkg/blob/nodeserver_test.go
@@ -244,7 +244,7 @@ func TestNodePublishVolume(t *testing.T) {
 				d.cloud.ResourceGroup = "rg"
 				d.enableBlobMockMount = true
 				// Create the directory for token file
-				_ = makeDir("/var/lib/kubelet/blob.csi.azure.com/")
+				_ = makeDir("/var/lib/kubelet/plugins/blob.csi.azure.com/")
 			},
 			req: &csi.NodePublishVolumeRequest{
 				VolumeCapability:  &csi.VolumeCapability{AccessMode: &volumeCap},

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ const (`
`162`	`162`
`163`	`163`	`DefaultTokenAudience = "api://AzureADTokenExchange" //nolint:gosec // G101 ignore this!`
`164`	`164`
`165`		`- defaultAzureFederatedTokenDir = "/var/lib/kubelet/" + DefaultDriverName`
	`165`	`+ defaultAzureFederatedTokenDir = "/var/lib/kubelet/plugins/" + DefaultDriverName`
`166`	`166`	`)`
`167`	`167`
`168`	`168`	`var (`
`@@ -590,15 +590,15 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr`
`590`	`590`	`}`
`591`	`591`	`azureFederatedTokenFile := filepath.Join(defaultAzureFederatedTokenDir, clientID)`
`592`	`592`	`klog.V(2).Infof("write workload identity token to %s", azureFederatedTokenFile)`
`593`		`- if err := os.WriteFile(azureFederatedTokenFile, []byte(workloadIdentityToken), 0644); err != nil {`
	`593`	`+ if err := os.WriteFile(azureFederatedTokenFile, []byte(workloadIdentityToken), 0600); err != nil {`
`594`	`594`	`return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write azure federated token file %s: %v", azureFederatedTokenFile, err)`
`595`	`595`	`}`
`596`	`596`
`597`	`597`	`authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)`
`598`	`598`	`if tenantID != "" {`
`599`	`599`	`authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)`
`600`	`600`	`}`
`601`		`- authEnv = append(authEnv, "AZURE_FEDERATED_TOKEN_FILE="+azureFederatedTokenFile)`
	`601`	`+ authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureFederatedTokenFile)`
`602`	`602`
`603`	`603`	`return rgName, accountName, accountKey, containerName, authEnv, err`
`604`	`604`	`}`