fix(azure auth): Restore non-connection string auth

[rjancewicz]

Summary

Restore and harden non-connection_string authentication for the azure_blob sink while preserving the new Azure SDK migration path.

This PR:

• Adds storage_account-based auth support back alongside connection_string.
• Adds auth strategies for storage_account mode: default, environment, managed_identity, azure_cli, and workload_identity.
• Keeps the default chain behavior (environment including workload identity -> managed identity -> Azure CLI) when auth is unset.
• Keeps connection_string behavior unchanged and enforces that exactly one of connection_string or storage_account must be set.
• Adds validation and regression tests for auth/config edge cases.

Vector configuration

1) Connection string (existing behavior)

[sources.in]
type = "demo_logs"
format = "json"

[sinks.azure_blob_out]
type = "azure_blob"
inputs = ["in"]
connection_string = "${AZURE_STORAGE_CONNECTION_STRING}"
container_name = "logs"

2) Storage account with default chain (AKS workload identity auto-detected if env is present)

[sources.in]
type = "demo_logs"
format = "json"

[sinks.azure_blob_out]
type = "azure_blob"
inputs = ["in"]
storage_account = "myaccount"
container_name = "logs"

auth omitted -> default chain:
environment (incl workload identity) -> managed identity -> Azure CLI

3) Storage account with explicit workload identity

[sources.in]
type = "demo_logs"
format = "json"

[sinks.azure_blob_out]
type = "azure_blob"
inputs = ["in"]
storage_account = "myaccount"
container_name = "logs"

[sinks.azure_blob_out.auth]
strategy = "workload_identity"
tenant_id = "${AZURE_TENANT_ID}"
client_id = "${AZURE_CLIENT_ID}"
token_file = "${AZURE_FEDERATED_TOKEN_FILE}"

How did you test this PR?

• Unit tests for env/default auth resolution logic:
  - cargo test -p vector --lib azure_common::config::tests -- --nocapture
  • Azure Blob sink tests (including Azurite integration tests):
    • AZURE_ADDRESS=localhost cargo test -p vector --lib --features azure-blob-integration-tests azure_blob_ -- --nocapture
  • Test setup:
    • Azurite container running locally on localhost:10000 (blob endpoint).
  • Result:
    • 14 passed, 0 failed, 2 ignored in the Azure Blob test suite.
  • New auth/config validation coverage includes:
    • Reject both connection_string and storage_account together.
    • Reject missing both connection_string and storage_account.
    • Reject invalid endpoint URL in storage_account mode.

Change Type

• Bug fix
• New feature
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

• Related: #25187
• Related: #25256

Notes

• This PR keeps the migrated Azure SDK client path intact (azure_core + azure_storage_blob) and does not reintroduce legacy SDK APIs.
• Cargo.lock changed due Azure identity dependency usage under the Azure Blob sink feature.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[rjancewicz]

I have read the CLA Document and I hereby sign the CLA