
Commit 05cce1c

committed
Detect system-assigned managed identities in AzureCredentialHelper
When system-assigned managed identities are enabled the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are defined. It should be enough to detect the endpoint variable for this purpose. AZURE_CLIENT_ID is still used by user-managed identities. Reference: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference
1 parent ec8bbdf commit 05cce1c

1 file changed

Lines changed: 14 additions & 5 deletions


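--- a/src/Shared/AzureCredentialHelper.cs
+++ b/src/Shared/AzureCredentialHelper.cs
@@ -18,13 +18,22 @@ internal static TokenCredential CreateDefaultAzureCredential()
 return new DefaultAzureCredential(DefaultAzureCredential.DefaultEnvironmentVariableName);
 }
 
-if (Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") is not null)
+var azureClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
+var identityEndpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
+
+if (!string.IsNullOrWhiteSpace(azureClientId) || !string.IsNullOrWhiteSpace(identityEndpoint))
 {
-// When we don't see DefaultEnvironmentVariableName, but we do see AZURE_CLIENT_ID,
-// we just use ManagedIdentityCredential because that's the only credential type that
-// Aspire Hosting enables by default.
+// When we don't see DefaultEnvironmentVariableName, but we do see AZURE_CLIENT_ID
+// for a user-assigned managed identity or IDENTITY_ENDPOINT for a system-assigned
+// managed identity, we use ManagedIdentityCredential because that's the only
+// credential type that Aspire Hosting enables by default.
 // If this doesn't work for applications, they can override the TokenCredential in their settings.
-return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions());
+
+var managedIdentityId = !string.IsNullOrWhiteSpace(azureClientId)
+? ManagedIdentityId.FromUserAssignedClientId(azureClientId)
+: ManagedIdentityId.SystemAssigned;
+
+return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(managedIdentityId));
 }
 
 // when we can't detect a known Azure environment, fall back to the development credential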
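Review bot: The precedence between the two variables is only implicit in the ternary on `var managedIdentityId = ...`: when both AZURE_CLIENT_ID and IDENTITY_ENDPOINT are set, the user-assigned identity silently wins, and the raw AZURE_CLIENT_ID value is handed to `ManagedIdentityId.FromUserAssignedClientId` without any shape check, so a stray or malformed value will surface later as a token-acquisition failure rather than here. A short comment above the ternary would make the intended precedence explicit, e.g. `// AZURE_CLIENT_ID takes precedence: a user-assigned identity is selected even when IDENTITY_ENDPOINT is also present.` Note also that switching the guard from `is not null` to `!string.IsNullOrWhiteSpace` means an AZURE_CLIENT_ID set to an empty string no longer selects ManagedIdentityCredential and now falls through to the development credential; that looks intentional but is worth a sentence in the commit description. `ManagedIdentityId` and the `ManagedIdentityCredentialOptions(ManagedIdentityId)` constructor presumably need a recent Azure.Identity package, which is outside this hunk. The enclosing method starts before the hunk and its fallback return lies outside it.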
