[FEATURE REQ] Support object ID for ManagedIdentityCredential in AzureComponentFactory #45661

@scottaddie

Description

Library name

Microsoft.Extensions.Azure

Please describe the feature.

The Azure Identity library's ManagedIdentityCredential is being enhanced to support object ID for user-assigned managed identity. See #45605. Object ID is an alternative to using client ID or resource ID. With regard to ManagedIdentityCredential, we should have feature parity between Azure.Identity and Microsoft.Extensions.Azure. It would involve updating this code:

    if (string.Equals(credentialType, "managedidentity", StringComparison.OrdinalIgnoreCase))
    {
        if (!string.IsNullOrWhiteSpace(clientId) && !string.IsNullOrWhiteSpace(resourceId))
        {
            throw new ArgumentException("Cannot specify both 'clientId' and 'managedIdentityResourceId'");
        }
        if (!string.IsNullOrWhiteSpace(resourceId))
        {
            return new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
        }
        return new ManagedIdentityCredential(clientId);
    }

From a customer's perspective, they should be able to provide configuration like the following:

{
    "credential": "managedidentity",
    "managedIdentityObjectId":  "<managedIdentityObjectId>"
}

Since we don't support object ID via DefaultAzureCredential, the following code flow is unaffected:

    if (additionallyAllowedTenantsList != null
        || !string.IsNullOrWhiteSpace(tenantId)
        || !string.IsNullOrWhiteSpace(clientId)
        || !string.IsNullOrWhiteSpace(resourceId))
    {
        var options = new DefaultAzureCredentialOptions();
        if (additionallyAllowedTenantsList != null)
        {
            foreach (string tenant in additionallyAllowedTenantsList)
            {
                options.AdditionallyAllowedTenants.Add(tenant);
            }
        }
        if (!string.IsNullOrWhiteSpace(tenantId))
        {
            options.TenantId = tenantId;
        }
        if (!string.IsNullOrWhiteSpace(clientId))
        {
            options.ManagedIdentityClientId = clientId;
        }
        // validation that both clientId and ResourceId are not set happens in Azure.Identity
        if (!string.IsNullOrWhiteSpace(resourceId))
        {
            options.ManagedIdentityResourceId = new ResourceIdentifier(resourceId);
        }
        return new DefaultAzureCredential(options);
    }
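As an added example (not the issue author's code and not the code in Microsoft.Extensions.Azure), the sketch below shows how the factory branch above could be extended so that the "credential": "managedidentity" block accepts exactly one of clientId, managedIdentityResourceId or managedIdentityObjectId, and fails closed when the configuration is ambiguous rather than silently picking one identity. It assumes the ManagedIdentityId and ManagedIdentityCredentialOptions types that Azure.Identity introduced together with object ID support; the helper names (ManagedIdentityCredentialBuilder, Build, Get) are mine, and the configuration values are constructed for the demo.

```csharp
// Added example: configuration-driven ManagedIdentityCredential construction that
// accepts exactly one user-assigned identifier (client ID, resource ID or object ID).
// Assumes Azure.Identity with ManagedIdentityId / ManagedIdentityCredentialOptions.
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Core;
using Azure.Identity;

public static class ManagedIdentityCredentialBuilder
{
    // The keys mirror the ones Microsoft.Extensions.Azure already reads, plus the
    // proposed "managedIdentityObjectId".
    public static TokenCredential Build(IReadOnlyDictionary<string, string> config)
    {
        string? credentialType = Get(config, "credential");
        string? clientId       = Get(config, "clientId");
        string? resourceId     = Get(config, "managedIdentityResourceId");
        string? objectId       = Get(config, "managedIdentityObjectId");

        if (!string.Equals(credentialType, "managedidentity", StringComparison.OrdinalIgnoreCase))
        {
            // Object ID is only understood by ManagedIdentityCredential; rejecting it here
            // (my design choice) avoids a config that looks scoped but is quietly ignored
            // by the DefaultAzureCredential path.
            if (objectId != null)
            {
                throw new ArgumentException(
                    "'managedIdentityObjectId' is only supported when 'credential' is 'managedidentity'");
            }
            throw new NotSupportedException($"This example only builds 'managedidentity'; got '{credentialType}'");
        }

        // Fail closed: more than one identifier means we cannot know which identity was meant.
        var provided = new (string Key, string? Value)[]
        {
            ("clientId", clientId),
            ("managedIdentityResourceId", resourceId),
            ("managedIdentityObjectId", objectId),
        }.Where(p => p.Value != null).Select(p => p.Key).ToList();

        if (provided.Count > 1)
        {
            throw new ArgumentException(
                "Only one of 'clientId', 'managedIdentityResourceId' or 'managedIdentityObjectId' " +
                $"may be specified; found: {string.Join(", ", provided)}");
        }

        ManagedIdentityId id =
            objectId   != null ? ManagedIdentityId.FromUserAssignedObjectId(objectId) :
            resourceId != null ? ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)) :
            clientId   != null ? ManagedIdentityId.FromUserAssignedClientId(clientId) :
                                 ManagedIdentityId.SystemAssigned;   // no identifier: system-assigned

        return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(id));
    }

    // Treat blank values the same way the existing factory does (IsNullOrWhiteSpace).
    private static string? Get(IReadOnlyDictionary<string, string> config, string key)
        => config.TryGetValue(key, out var v) && !string.IsNullOrWhiteSpace(v) ? v : null;

    public static void Main()
    {
        // Constructed sample matching the JSON shape proposed in the issue.
        var good = new Dictionary<string, string>
        {
            ["credential"] = "managedidentity",
            ["managedIdentityObjectId"] = "00000000-0000-0000-0000-000000000000", // placeholder GUID
        };
        Console.WriteLine(Build(good).GetType().Name);   // ManagedIdentityCredential

        // Constructed ambiguous sample: two identifiers for one identity must be rejected.
        var ambiguous = new Dictionary<string, string>(good) { ["clientId"] = "placeholder-client-id" };
        try { Build(ambiguous); }
        catch (ArgumentException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The mutual-exclusion check is the part worth carrying into the real factory: the existing code only guards clientId against resourceId, so adding a third identifier without widening that check would let a misconfigured block (for example a leftover clientId next to a new managedIdentityObjectId) resolve to whichever branch happens to be tested first.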

Metadata

Labels

- Azure.Identity
- Client (This issue is related to a non-management package)
- Extensions (ASP.NET Core extensions)
- feature-request (This issue requires a new behavior in the product in order to be resolved.)

Status

Done