new provider option: useDefaultAzureCredential#4174
Does the PR have any schema changes? Looking good! No breaking changes found.
Pull Request Overview
This PR adds support for using Azure's DefaultAzureCredential authentication strategy in the Azure Native provider. This simplifies authentication by combining credentials used in Azure hosting environments with those used in local development through a standardized credential chain.
Key changes:
- Added a new `useDefaultAzureCredential` configuration option that enables the default Azure credential chain
- Integrated the default credential as the first authentication method in the credential chain (before existing methods)
- Added comprehensive test coverage for the new authentication method
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| provider/pkg/provider/auth_azidentity.go | Core implementation of the default Azure credential authentication method and configuration |
| provider/pkg/gen/schema.go | Schema definition for the new useDefaultAzureCredential provider option |
| provider/pkg/provider/auth_azidentity_test.go | Unit test for the default Azure credential functionality |
| provider/pkg/provider/provider_e2e_test.go | End-to-end test validating the default credential behavior in CI environment |
Codecov Report: ❌ Patch coverage is

Coverage diff (master vs. #4174):

| | master | #4174 | +/- |
|---|---|---|---|
| Coverage | 58.79% | 59.66% | +0.86% |
| Files | 84 | 86 | +2 |
| Lines | 13582 | 13939 | +357 |
| Hits | 7986 | 8317 | +331 |
| Misses | 4989 | 4974 | -15 |
| Partials | 607 | 648 | +41 |
mjeffryes
left a comment
This looks fairly safe to add and correct AFAICT. Might be nice to try to test more of the different auth configurations supported by the identity default credential.
Excerpt from provider/pkg/gen/schema.go:

```go
"useDefaultAzureCredential": {
	TypeSpec:    pschema.TypeSpec{Type: "boolean"},
	Description: "Use the default credential chain of the Azure SDK (see https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/credential-chains#defaultazurecredential-overview).",
```
I wonder if we shouldn't have a doc of our own to point at that explains how this strategy layers in with our other auth strategies. (IIUC, the existing strategies try to mimic the TF provider env variables, while this new strategy will respect the AZURE_* env variables used by the azure cli. But I imagine there's a lot more nuance involved.)
In the PR description, I captured how the provider specifically uses the DefaultAzureCredential, and the upstream documentation is very good and detailed.
You are correct that the provider configures itself with ARM_ variables, as does the azure-classic provider. The relevant options here are ARM_SUBSCRIPTION_ID, ARM_ENVIRONMENT, and ARM_USE_DEFAULT_AZURE_CREDENTIAL.
To minimize interplay with the other strategies, we check for ARM_USE_DEFAULT_AZURE_CREDENTIAL before using any heuristics like checking for ARM_CLIENT_ID to activate Service Principal authentication.
To improve the documentation, I will open a PR to add a section:
https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#authentication-methods
Excerpt from provider/pkg/provider/auth_azidentity.go:

```go
// the next method.
// - Auxiliary or additional tenants are supported for SP with client secret and CLI authentication, not for others.
func newSingleMethodAuthCredential(authConf *authConfiguration, baseClientOpts azcore.ClientOptions) (azcore.TokenCredential, error) {
	if authConf.useDefault {
```
Would we ever want to enable this by default (say in a future major version)? It seems like it's designed to support a set of auth strategies that overlap with existing strategies for this provider.
Yes, I do think it would be an ideal default for the true default provider instance. The DefaultAzureCredential is 100% about getting your identity from the ambient environment, so it wouldn't make much sense to use with an explicit provider.
This PR has been shipped in release v3.8.0.
This PR enables the "Default Credential Chain" feature of the Azure SDK for Go:
This feature is enabled with a new provider option, `useDefaultAzureCredential`, and the environment variable `ARM_USE_DEFAULT_AZURE_CREDENTIAL`. When enabled, the provider looks for `AZURE_*` environment variables, then an Azure workload or managed identity, then an active CLI account.

Customization

Set the Azure environment

To configure the active Azure environment, set the provider option `environment` or the environment variable `ARM_ENVIRONMENT` or `AZURE_ENVIRONMENT` to `public`, `usgov`, or `china`.

Exclude a credential type category

To exclude all "Developer tool" or "Deployed service" credentials, set environment variable `AZURE_TOKEN_CREDENTIALS` to `prod` or `dev`, respectively.

Use a specific credential

To exclude all credentials except for one, set environment variable `AZURE_TOKEN_CREDENTIALS` to one of:

- `AzureCLICredential`
- `AzureDeveloperCLICredential`
- `EnvironmentCredential`
- `ManagedIdentityCredential`
- `WorkloadIdentityCredential`

Testing
Manual Setup
Closes #4172
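The selection logic the PR description and the review thread describe (the explicit `ARM_USE_DEFAULT_AZURE_CREDENTIAL` switch checked before the `ARM_CLIENT_ID` service-principal heuristic, the environment resolved from `ARM_ENVIRONMENT`/`AZURE_ENVIRONMENT`, and `AZURE_TOKEN_CREDENTIALS` narrowing which credential types the chain will try), written out as an added, self-contained Go example. This is not the provider's code and does not call the Azure SDK; `ResolveAuth`, `AuthPlan`, the boolean parsing of the switch, `ARM_ENVIRONMENT` taking precedence over `AZURE_ENVIRONMENT`, and the assignment of credential types to the "Deployed service" and "Developer tool" categories are assumptions made for the illustration. The point a defender cares about is visible in the return value: a deployed service that sets `prod` can no longer fall through to a developer's CLI login, and a stray `ARM_CLIENT_ID` does not silently change which identity is used once the default chain is explicitly requested.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Credential types of the Azure SDK default chain, in the order the PR
// description gives: AZURE_* environment variables, then a workload or
// managed identity, then an active CLI account.
const (
	EnvironmentCredential       = "EnvironmentCredential"
	WorkloadIdentityCredential  = "WorkloadIdentityCredential"
	ManagedIdentityCredential   = "ManagedIdentityCredential"
	AzureCLICredential          = "AzureCLICredential"
	AzureDeveloperCLICredential = "AzureDeveloperCLICredential"
)

// Assumption: "Deployed service" holds the non-interactive credentials and
// "Developer tool" holds the CLI-based ones.
var (
	deployedService = []string{EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential}
	developerTool   = []string{AzureCLICredential, AzureDeveloperCLICredential}
	fullChain       = append(append([]string{}, deployedService...), developerTool...)
)

// AuthPlan is the decision taken before any SDK credential object is built.
type AuthPlan struct {
	UseDefault  bool     // true when the default chain is selected
	Environment string   // public, usgov or china
	Chain       []string // credential types the chain will try, in order (nil if not using the chain)
	Reason      string   // human-readable explanation of the decision
}

// ResolveAuth (hypothetical name) consults the explicit switch before the
// ARM_CLIENT_ID heuristic. The env map is passed in so the logic can be
// exercised without touching the process environment.
func ResolveAuth(env map[string]string, useDefaultOption bool) (AuthPlan, error) {
	plan := AuthPlan{Environment: "public"}

	// Assumption: the variable is parsed as a boolean, "true" or "1".
	v := strings.ToLower(strings.TrimSpace(env["ARM_USE_DEFAULT_AZURE_CREDENTIAL"]))
	plan.UseDefault = useDefaultOption || v == "true" || v == "1"

	if !plan.UseDefault {
		if env["ARM_CLIENT_ID"] != "" {
			plan.Reason = "service principal selected by the ARM_CLIENT_ID heuristic"
		} else {
			plan.Reason = "no explicit method; later heuristics apply"
		}
		return plan, nil
	}

	// Environment: ARM_ENVIRONMENT or AZURE_ENVIRONMENT (assumption: ARM_ wins
	// when both are set), restricted to the three values the PR lists.
	if e := env["ARM_ENVIRONMENT"]; e != "" {
		plan.Environment = e
	} else if e := env["AZURE_ENVIRONMENT"]; e != "" {
		plan.Environment = e
	}
	switch plan.Environment {
	case "public", "usgov", "china":
	default:
		return AuthPlan{}, fmt.Errorf("unsupported Azure environment %q", plan.Environment)
	}

	// AZURE_TOKEN_CREDENTIALS narrows the chain to a category or a single type.
	switch sel := env["AZURE_TOKEN_CREDENTIALS"]; sel {
	case "":
		plan.Chain, plan.Reason = fullChain, "default chain, all credential types"
	case "prod":
		plan.Chain, plan.Reason = deployedService, "default chain, developer-tool credentials excluded"
	case "dev":
		plan.Chain, plan.Reason = developerTool, "default chain, deployed-service credentials excluded"
	default:
		for _, c := range fullChain {
			if c == sel {
				plan.Chain, plan.Reason = []string{c}, "default chain restricted to "+c
				return plan, nil
			}
		}
		return AuthPlan{}, fmt.Errorf("unknown AZURE_TOKEN_CREDENTIALS value %q", sel)
	}
	return plan, nil
}

func main() {
	// Stand-alone use: resolve against the real process environment.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, val, ok := strings.Cut(kv, "="); ok {
			env[k] = val
		}
	}
	plan, err := ResolveAuth(env, false)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("useDefault=%v environment=%s chain=%v (%s)\n", plan.UseDefault, plan.Environment, plan.Chain, plan.Reason)
}
```

Running it with `ARM_USE_DEFAULT_AZURE_CREDENTIAL=true AZURE_TOKEN_CREDENTIALS=prod` prints a three-entry chain that ends at the managed identity, which is the configuration you would expect in CI or on a VM; with no variables at all it reports that later heuristics apply, matching the "minimize interplay" behaviour described in the thread.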