azure-sdk-for-net icon indicating copy to clipboard operation
azure-sdk-for-net copied to clipboard

Published 20 hours ago verified publisher icon Azure

[FEATURE REQ] Allow Microsoft.Extensions.Azure to select more TokenCredentials

Open mattchenderson opened this issue 10 months ago • 5 comments
trafficstars

Library name

Microsoft.Extensions.Azure

Please describe the feature.

Problem statement

Some users encounter issues when running in environments where there is a mix of identities, and DefaultAzureCredential probing creates a surprise. For example:

  • Visual Studio run within an Azure Virtual Machine - the managed identity of the machine is picked up instead of the expected developer identity associated with Visual Studio.
  • Test project runs within an ADO pipeline - the managed identity of the machine running the pipeline step is picked up instead of the expected service connection associated to the pipeline.

When setting up DefaultAzureCredential imperatively, we can use DefaultAzureCredentialOptions.ExcludeManagedIdentityCredential, but this is not available when only using the configuration-based approach. This notably occurs when configuring Azure Functions triggers and bindings through the WebJobs extensions found in this repo.

Proposed feature

One of the simplest options is probably to leverage the behavior already in place to use configuration to select between a few TokenCredential options in Microsoft.Extensions.Azure. For example, the credential property can be set to "managedidentity" to shift the behavior from DefaultAzureCredential to ManagedIdentityCredential:

https://github.com/Azure/azure-sdk-for-net/blob/6d8cf4aa1d111232dfcf07f00ca753c0bda72b61/sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs#L116

There is also a variant for WorkloadIdentityCredential. The proposal would be to introduce additional options:

credential value TokenCrednetial implementation
"visualstudio" VisualStudioCredential
"azurecli" AzureCliCredential

There may be other TokenCredentials of interest as well, but these would help with the scenarios where I've been encountering more issues with Functions customers.

AzureCliCredential is specifically included based on patterns I've seen for ADO pipelines. Users will perform a CLI login through the service connection and then leverage AzureCliCredential (from code where they had imperative options), which has a simple setup process from within code. That of course can also be leveraged even through DefaultAzureCredential if ExcludeManagedIdentityCredential is set. This seems to be preferable to setting up AzurePipelinesCredential in many cases, especially when you still want to leverage flexibility of local development workflows offered by DefaultAzureCredential.

Alternatives considered

In some ways it might be simpler to introduce a new configuration option to represent ExcludeManagedIdentityCredential. However, I don't think we want to map that through for all of the Exclude* options. Leveraging the existing credential property feels like a more bounded scope.

It may also make sense to set up an AzurePipelinesCredential option, but I see its constructor takes a few additional properties beyond clientId and tenantId, which are already defined. I don't know how cleanly those can be mapped into configuration. In particular systemAccessToken gives me pause. It looks like that might have a defined environment variable that should be used already, but samples show that being captured in user code and passed into the constructor. This would need evaluation by someone before being undertaken.

mattchenderson avatar Jan 22 '25 01:01 mattchenderson

Thank you for your feedback. Tagging and routing to the team member best able to assist.

github-actions[bot] avatar Jan 22 '25 01:01 github-actions[bot]

Hi @mattchenderson: Enabling he full set of credentials with the current extensions packages is not a direction that we're open to. These were designed with a couple of specific production scenarios in mind and take a very basic approach to doing so. The more credentials are added, the more loose properties are supported without any structure of discoverability for which work with what credential. We'll be working to redesign our integration points with configuration and dependency injection in the future. I'll move this to the backlog so that we can take this scenario into account when we start looking to design vNext.

jsquire avatar Jan 23 '25 17:01 jsquire

Ack - thanks @jsquire! Glad to share more on these as needed.

mattchenderson avatar Jan 28 '25 17:01 mattchenderson

@mattchenderson FYI, AzurePipelinesCredential support is available in Microsoft.Extensions.Azure as of v1.11.0. See https://learn.microsoft.com/dotnet/azure/sdk/authentication/create-token-credentials-from-configuration?tabs=client-id#create-an-instance-of-azurepipelinescredential. Does this new credential solve your problem for now? I see it listed in the "Alternatives considered" section of your description.

scottaddie avatar Mar 24 '25 21:03 scottaddie

I think that will work for the ADO testing scenarios! Teams would be able to just set those env vars for the pipeline steps, and that would be much cleaner than current approaches to work things through the CLI. We have an example of this in the Functions host CI, and I'll work with my team to try this out there.

mattchenderson avatar Mar 28 '25 18:03 mattchenderson

Outside of critical fixes, no further investments are being made in the Extensions package going forward. Work is in progress to provide native integration with the DI + Config + Options ecosystem as part of https://github.com/Azure/azure-sdk-for-net/issues/46671. Closing this out.

jsquire avatar Oct 08 '25 22:10 jsquire