
fix: Replace DefaultAzureCredential with ManagedIdentityCredential for production-safe authentication #1871

Open
wants to merge 3 commits into
base: dev

Conversation

Prasanjeet-Microsoft
Contributor

Purpose

This pull request introduces a refactor to replace the usage of DefaultAzureCredential with a new helper function get_azure_credential, which dynamically selects the appropriate credential type based on the application environment (APP_ENV). Additionally, it includes minor fixes and adjustments to environment variable names. Below are the most important changes grouped by theme:

Credential Refactor:

  • code/backend/batch/utilities/helpers/azure_credential_utils.py: Added the get_azure_credential and get_azure_credential_async functions to dynamically select between DefaultAzureCredential and ManagedIdentityCredential based on the environment (APP_ENV).
  • Updated multiple files across the codebase to replace DefaultAzureCredential with get_azure_credential for consistent credential handling:

Environment Variable Updates:

  • .env.sample: Added APP_ENV to specify the application environment (e.g., dev, prod) for dynamic credential selection.
  • env_helper.py: Corrected a typo in the environment variable name from SEMENTIC_KERNEL_SYSTEM_PROMPT to SEMANTIC_KERNEL_SYSTEM_PROMPT.

These changes improve the flexibility and maintainability of credential management across the codebase while ensuring consistency in environment variable usage.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

What to Check

Verify that the following are valid:

  • All usages of DefaultAzureCredential replaced
  • Authentication logic tested locally or in a dev environment
  • Regression tested (i.e., existing functionality relying on authentication continues to work)
  • Confirmed no hardcoded secrets or fallback dev credentials remain
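
One way to automate the first item in the "What to Check" list, added here as an example and not part of the pull request or the project's code: an AST scan that reports any file other than the helper module that still imports or references DefaultAzureCredential directly. The allow-list policy, the `example/...` paths and the sample sources are assumptions constructed for illustration.

```python
import ast

TARGET = "DefaultAzureCredential"
# Assumption: only the helper module named in the PR may reference TARGET.
ALLOWED = {"code/backend/batch/utilities/helpers/azure_credential_utils.py"}

def find_direct_usages(path, source):
    """Return sorted (line, kind) pairs where source references TARGET."""
    if path in ALLOWED:
        return []
    hits = set()
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, ast.ImportFrom):
            # Covers azure.identity and azure.identity.aio, with or without alias.
            if any(alias.name == TARGET for alias in node.names):
                hits.add((node.lineno, "import"))
        elif isinstance(node, ast.Name) and node.id == TARGET:
            hits.add((node.lineno, "reference"))
        elif isinstance(node, ast.Attribute) and node.attr == TARGET:
            hits.add((node.lineno, "reference"))
    return sorted(hits)

def scan(files):
    """Map each offending path to its hits; clean files are omitted."""
    report = {}
    for path, source in files.items():
        hits = find_direct_usages(path, source)
        if hits:
            report[path] = hits
    return report

# Constructed sample sources (not taken from the repository).
SAMPLES = {
    "code/backend/batch/utilities/helpers/azure_credential_utils.py":
        "from azure.identity import DefaultAzureCredential, ManagedIdentityCredential\n",
    "example/unmigrated.py":
        "import azure.identity\n"
        "from azure.identity import DefaultAzureCredential as Cred\n"
        "a = Cred()\n"
        "b = azure.identity.DefaultAzureCredential()\n"
        "# DefaultAzureCredential in a comment is not a usage\n",
    "example/migrated.py":
        "from azure_credential_utils import get_azure_credential\n"
        "cred = get_azure_credential()\n",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLES).items():
        for line, kind in hits:
            print(f"{path}:{line}: direct {kind} of {TARGET}")
```

Calls made through an alias (`Cred()` above) are not tracked individually; the aliased import line is what gets reported, and wildcard imports are not detected.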
