When load testing Azure Blob Storage with K6, you need to authenticate against Azure's services. Azure Blob Storage supports multiple authentication methods, and the most commonly used ones are:
1. Shared Key Authentication
This is based on an account key, which grants full access to the storage account. It's easy to implement but less secure because sharing or exposing the key compromises the entire account.
Steps:
1. Generate a Shared Key Authorization header in your K6 script.
2. Add the necessary headers, including the x-ms-date and x-ms-version.
Example Script:
2. Azure Active Directory (AAD) Authentication
This is a more secure and modern authentication method. It uses OAuth 2.0 tokens acquired from Azure AD.
Steps:
1. Register an application in Azure AD and grant it appropriate permissions.
2. Obtain an OAuth 2.0 token using Azure AD's endpoint.
3. Include the Authorization: Bearer <token> header in your K6 script.
Example Script with AAD:
3. Shared Access Signature (SAS)
SAS tokens allow granular access to a resource (e.g., a specific blob or container) for a limited time.
Steps:
1. Generate a SAS token from the Azure portal or CLI.
2. Append the SAS token to the URL.
Example Script with SAS:
4. Managed Identity (for Azure-hosted Environments)
If your K6 test runs in an Azure VM or Azure Function with a managed identity:
1. Use the identity to request an access token from Azure Instance Metadata Service (IMDS).
2. Use the token in the Authorization: Bearer <token> header.
---
Which Method Should You Use?
Development/Testing: Shared Key or SAS (easier to set up).
Production: Azure AD or Managed Identity for better security.
1. Shared Key Authentication
This is based on an account key, which grants full access to the storage account. It's easy to implement but less secure because sharing or exposing the key compromises the entire account.
Steps:
1. Generate a Shared Key Authorization header in your K6 script.
2. Add the necessary headers, including the x-ms-date and x-ms-version.
Example Script:
JavaScript:
import http from 'k6/http';
import crypto from 'k6/crypto';
const accountName = 'your_storage_account_name';
const accountKey = 'your_account_key';
const containerName = 'your_container_name';
const blobName = 'your_blob_name';
export default function () {
const method = 'GET'; // Change to PUT, DELETE, etc., as needed
const resource = `/${accountName}/${containerName}/${blobName}`;
const url = `https://${accountName}.blob.core.windows.net/${containerName}/${blobName}`;
const date = new Date().toUTCString();
const version = '2021-12-02'; // Use the Azure Storage API version you're targeting
// String to sign
const stringToSign = `${method}\n\n\n\n\n\n\n\n\n\n\n\nx-ms-date:${date}\nx-ms-version:${version}\n${resource}`;
// Generate the signature
const signature = crypto.hmac('sha256', stringToSign, crypto.base64decode(accountKey), 'base64');
// Build the Authorization header
const authorizationHeader = `SharedKey ${accountName}:${signature}`;
// HTTP headers
const headers = {
'x-ms-date': date,
'x-ms-version': version,
'Authorization': authorizationHeader,
};
// Send the request
const res = http.get(url, { headers });
console.log(res.status, res.body);
}
---2. Azure Active Directory (AAD) Authentication
This is a more secure and modern authentication method. It uses OAuth 2.0 tokens acquired from Azure AD.
Steps:
1. Register an application in Azure AD and grant it appropriate permissions.
2. Obtain an OAuth 2.0 token using Azure AD's endpoint.
3. Include the Authorization: Bearer <token> header in your K6 script.
Example Script with AAD:
JavaScript:
import http from 'k6/http';
const tenantId = 'your_tenant_id';
const clientId = 'your_client_id';
const clientSecret = 'your_client_secret';
const accountName = 'your_storage_account_name';
const containerName = 'your_container_name';
const blobName = 'your_blob_name';
// Function to fetch an OAuth token
function getToken() {
const tokenEndpoint = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
const body = {
client_id: clientId,
client_secret: clientSecret,
scope: 'https://storage.azure.com/.default',
grant_type: 'client_credentials',
};
const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
const res = http.post(tokenEndpoint, body, { headers });
return JSON.parse(res.body).access_token;
}
export default function () {
const token = getToken(); // Fetch the token
const url = `https://${accountName}.blob.core.windows.net/${containerName}/${blobName}`;
const headers = {
Authorization: `Bearer ${token}`,
'x-ms-version': '2021-12-02', // Azure Storage API version
};
const res = http.get(url, { headers });
console.log(res.status, res.body);
}
---3. Shared Access Signature (SAS)
SAS tokens allow granular access to a resource (e.g., a specific blob or container) for a limited time.
Steps:
1. Generate a SAS token from the Azure portal or CLI.
2. Append the SAS token to the URL.
Example Script with SAS:
JavaScript:
import http from 'k6/http';
const accountName = 'your_storage_account_name';
const containerName = 'your_container_name';
const blobName = 'your_blob_name';
const sasToken = 'your_sas_token'; // SAS token generated via Azure
export default function () {
const url = `https://${accountName}.blob.core.windows.net/${containerName}/${blobName}?${sasToken}`;
const headers = { 'x-ms-version': '2021-12-02' };
const res = http.get(url, { headers });
console.log(res.status, res.body);
}
---4. Managed Identity (for Azure-hosted Environments)
If your K6 test runs in an Azure VM or Azure Function with a managed identity:
1. Use the identity to request an access token from Azure Instance Metadata Service (IMDS).
2. Use the token in the Authorization: Bearer <token> header.
---
Which Method Should You Use?
Development/Testing: Shared Key or SAS (easier to set up).
Production: Azure AD or Managed Identity for better security.