Allow DAC to select specific credentials via AZURE_TOKEN_CREDENTIALS env var. (#45864)

g2vinay · web-flow · commit a8d22b890b0f · 2025-07-11T13:48:19.000-07:00
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
@@ -6,6 +6,7 @@
 ### Features Added
 
 - **Visual Studio Code Credential** has been re-enabled and now supports **broker authentication** using the Azure account signed in via Visual Studio Code. [#45715](https://github.com/Azure/azure-sdk-for-java/pull/45715)
+- `DefaultAzureCredential` can be configured to use a specific credential type by setting the `AZURE_TOKEN_CREDENTIALS` environment variable. When set, it will only attempt authentication using the specified credential type. For example, setting `AZURE_TOKEN_CREDENTIALS=WorkloadIdentityCredential` will restrict authentication to workload identity only.
 
 ### Breaking Changes
 
diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md
@@ -80,10 +80,11 @@ The underlying MSAL library, MSAL4J, also has detailed logging. It is highly ver
 
 ## Troubleshoot `DefaultAzureCredential` authentication issues
 
-| Error |Description| Mitigation                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| Error | Description | Mitigation |
 |---|---|---|
-|`CredentialUnavailableException` raised with message. "DefaultAzureCredential failed to retrieve a token from the included credentials."|All credentials in the `DefaultAzureCredential` chain failed to retrieve a token, each throwing a `CredentialUnavailableException`| <ul><li>[Enable logging](#enable-and-configure-logging) to verify the credentials being tried, and get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li><li>[AzurePowershellCredential](#troubleshoot-azurepowershellcredential-authentication-issues)</li></ul> |
-|`HttpResponseException` raised from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Authenticate), or 403 (Forbidden) status code. This can often be caused by the `DefaultAzureCredential` authenticating an account other than the intended or that the intended account does not have the correct permissions or roles assigned.| <ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>In the case a credential other than the expected is returning a token, look too bypass this by signing out of the corresponding development tool.`</li><li>Ensure that the correct role is assigned to the account being used. For example, a service specific role rather than the subscription Owner role.</li></ul>                                                                                                                                                                                                                                                                                                                                                                         |
+| `CredentialUnavailableException` raised with message. "DefaultAzureCredential failed to retrieve a token from the included credentials." |All credentials in the `DefaultAzureCredential` chain failed to retrieve a token, each throwing a `CredentialUnavailableException`| <ul><li>[Enable logging](#enable-and-configure-logging) to verify the credentials being tried, and get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li><li>[AzurePowershellCredential](#troubleshoot-azurepowershellcredential-authentication-issues)</li></ul> |
+| `HttpResponseException` raised from the client with a status code of 401 or 403                                                          |Authentication succeeded but the authorizing Azure service responded with a 401 (Authenticate), or 403 (Forbidden) status code. This can often be caused by the `DefaultAzureCredential` authenticating an account other than the intended or that the intended account does not have the correct permissions or roles assigned.| <ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>In the case a credential other than the expected is returning a token, look too bypass this by signing out of the corresponding development tool.`</li><li>Ensure that the correct role is assigned to the account being used. For example, a service specific role rather than the subscription Owner role.</li></ul> |
+| `IllegalArgumentException` raised with message "Invalid value for AZURE_TOKEN_CREDENTIALS..."                                            | The value provided in env var `AZURE_TOKEN_CREDENTIALS` doesn't map to one of `prod`, `dev`, or a specific credential name such as `EnvironmentCredential`, `ManagedIdentityCredential`, etc. | Ensure you specify a valid value as per your application's requirements. Specifying `prod` activates production environment credentials (`EnvironmentCredential`, `WorkloadIdentityCredential`, and `ManagedIdentityCredential`). Specifying `dev` activates development tool credentials (`IntelliJCredential`, `AzureCliCredential`, `AzurePowershellCredential`, `AzureDeveloperCliCredential`, and `VisualStudioCodeCredential`). Specifying a specific credential name targets that individual credential only as part of `DefaultAzureCredential`. |
 
 ## Troubleshoot `EnvironmentCredential` authentication issues
 `CredentialUnavailableException`
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredentialBuilder.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredentialBuilder.java
@@ -11,9 +11,10 @@
 import com.azure.identity.implementation.util.IdentityUtil;
 
 import java.time.Duration;
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import java.util.Objects;
 import java.util.concurrent.ExecutorService;
 
@@ -272,44 +273,73 @@ private ArrayList<TokenCredential> getCredentialsChain() {
         Configuration configuration = identityClientOptions.getConfiguration() == null
             ? Configuration.getGlobalConfiguration().clone()
             : identityClientOptions.getConfiguration();
-        String selectedCredentials = configuration.get("AZURE_TOKEN_CREDENTIALS");
-        boolean useProductionCredentials = false;
-        boolean useDeveloperCredentials = false;
-        if (!CoreUtils.isNullOrEmpty(selectedCredentials)) {
-            selectedCredentials = selectedCredentials.trim();
-            if ("prod".equalsIgnoreCase(selectedCredentials)) {
-                useProductionCredentials = true;
-            } else if ("dev".equalsIgnoreCase(selectedCredentials)) {
-                useDeveloperCredentials = true;
+
+        String selectedCredential = configuration.get("AZURE_TOKEN_CREDENTIALS");
+        ArrayList<TokenCredential> credentials = new ArrayList<>(8);
+
+        if (!CoreUtils.isNullOrEmpty(selectedCredential)) {
+            selectedCredential = selectedCredential.trim().toLowerCase(Locale.ROOT);
+
+            // Use a map to associate credential names to their adders
+            java.util.Map<String, Runnable> credentialMap = new java.util.HashMap<>();
+            credentialMap.put("prod", () -> addProdCredentials(credentials));
+            credentialMap.put("dev", () -> addDevCredentials(credentials));
+            credentialMap.put("environmentcredential",
+                () -> credentials.add(new EnvironmentCredential(identityClientOptions.clone())));
+            credentialMap.put("workloadidentitycredential", () -> credentials.add(getWorkloadIdentityCredential()));
+            credentialMap.put("managedidentitycredential",
+                () -> credentials.add(new ManagedIdentityCredential(managedIdentityClientId, managedIdentityResourceId,
+                    null, identityClientOptions.clone())));
+            credentialMap.put("intellijcredential",
+                () -> credentials.add(new IntelliJCredential(tenantId, identityClientOptions.clone())));
+            credentialMap.put("azureclicredential",
+                () -> credentials.add(new AzureCliCredential(tenantId, identityClientOptions.clone())));
+            credentialMap.put("azurepowershellcredential",
+                () -> credentials.add(new AzurePowerShellCredential(tenantId, identityClientOptions.clone())));
+            credentialMap.put("azuredeveloperclicredential",
+                () -> credentials.add(new AzureDeveloperCliCredential(tenantId, identityClientOptions.clone())));
+            credentialMap.put("visualstudiocodecredential",
+                () -> credentials.add(new VisualStudioCodeCredential(tenantId, identityClientOptions.clone())));
+
+            Runnable adder = credentialMap.get(selectedCredential);
+            if (adder != null) {
+                adder.run();
+                return credentials;
             } else {
-                throw LOGGER.logExceptionAsError(new IllegalArgumentException(
-                    "Invalid value for AZURE_TOKEN_CREDENTIALS. Valid values are 'prod' or 'dev'."));
+                throw LOGGER
+                    .logExceptionAsError(new IllegalArgumentException("Invalid value for AZURE_TOKEN_CREDENTIALS: '"
+                        + selectedCredential + "'. " + "Valid values are: 'prod', 'dev', or one of "
+                        + "[EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, "
+                        + "IntelliJCredential, AzureCliCredential, AzurePowerShellCredential, "
+                        + "AzureDeveloperCliCredential, VisualStudioCodeCredential] (case-insensitive). "
+                        + "To mitigate this issue, please refer to the troubleshooting guidelines here at "
+                        + "https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot"));
             }
         }
-        if (!useProductionCredentials && !useDeveloperCredentials) {
-            useProductionCredentials = true;
-            useDeveloperCredentials = true;
-        }
 
-        ArrayList<TokenCredential> output = new ArrayList<TokenCredential>(7);
-        if (useProductionCredentials) {
-            output.add(new EnvironmentCredential(identityClientOptions.clone()));
-            output.add(getWorkloadIdentityCredential());
-            output.add(new ManagedIdentityCredential(managedIdentityClientId, managedIdentityResourceId, null,
-                identityClientOptions.clone()));
-        }
+        // Default case: full chain (prod + dev)
+        addProdCredentials(credentials);
+        addDevCredentials(credentials);
+        return credentials;
+    }
 
-        if (useDeveloperCredentials) {
-            output.add(new IntelliJCredential(tenantId, identityClientOptions.clone()));
-            output.add(new AzureCliCredential(tenantId, identityClientOptions.clone()));
-            output.add(new AzurePowerShellCredential(tenantId, identityClientOptions.clone()));
-            output.add(new AzureDeveloperCliCredential(tenantId, identityClientOptions.clone()));
-            if (IdentityUtil.isVsCodeBrokerAuthAvailable()) {
-                output.add(new VisualStudioCodeCredential(tenantId, identityClientOptions.clone()));
-            }
-        }
+    // Helper to add prod credentials
+    private void addProdCredentials(List<TokenCredential> credentials) {
+        credentials.add(new EnvironmentCredential(identityClientOptions.clone()));
+        credentials.add(getWorkloadIdentityCredential());
+        credentials.add(new ManagedIdentityCredential(managedIdentityClientId, managedIdentityResourceId, null,
+            identityClientOptions.clone()));
+    }
 
-        return output;
+    // Helper to add dev credentials
+    private void addDevCredentials(List<TokenCredential> credentials) {
+        credentials.add(new IntelliJCredential(tenantId, identityClientOptions.clone()));
+        credentials.add(new AzureCliCredential(tenantId, identityClientOptions.clone()));
+        credentials.add(new AzurePowerShellCredential(tenantId, identityClientOptions.clone()));
+        credentials.add(new AzureDeveloperCliCredential(tenantId, identityClientOptions.clone()));
+        if (IdentityUtil.isVsCodeBrokerAuthAvailable()) {
+            credentials.add(new VisualStudioCodeCredential(tenantId, identityClientOptions.clone()));
+        }
     }
 
     private WorkloadIdentityCredential getWorkloadIdentityCredential() {
diff --git a/sdk/identity/azure-identity/src/test/java/com/azure/identity/DefaultAzureCredentialTest.java b/sdk/identity/azure-identity/src/test/java/com/azure/identity/DefaultAzureCredentialTest.java
@@ -27,6 +27,7 @@
 import java.time.ZoneOffset;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -667,6 +668,81 @@ public void testDeveloperOnlyCredentialsChain(String devValue) {
         assertInstanceOf(AzureDeveloperCliCredential.class, credentials.get(3));
     }
 
+    @ParameterizedTest
+    @ValueSource(
+        strings = {
+            "AzureCliCredential",
+            "azureclicredential",
+            "AZURECLICREDENTIAL",
+            "IntelliJCredential",
+            "intellijcredential",
+            "AzurePowerShellCredential",
+            "azurepowershellcredential",
+            "AzureDeveloperCliCredential",
+            "azuredeveloperclicredential",
+            "EnvironmentCredential",
+            "environmentcredential",
+            "WorkloadIdentityCredential",
+            "workloadidentitycredential",
+            "ManagedIdentityCredential",
+            "managedidentitycredential",
+            "VisualStudioCodeCredential",
+            "visualstudiocodecredential" })
+    public void testTargetedCredentialSelection(String credentialValue) {
+        // Setup config with targeted credential value (case-insensitive)
+        TestConfigurationSource configSource
+            = new TestConfigurationSource().put("AZURE_TOKEN_CREDENTIALS", credentialValue);
+        Configuration configuration = TestUtils.createTestConfiguration(configSource);
+
+        // Build the credential with the test configuration
+        DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().configuration(configuration).build();
+        List<TokenCredential> credentials = extractCredentials(credential);
+
+        // Should contain exactly one credential
+        assertEquals(1, credentials.size());
+
+        // Assert that the only credential matches expected type
+        Class<? extends TokenCredential> expectedType;
+        switch (credentialValue.toLowerCase(Locale.ROOT)) {
+            case "azureclicredential":
+                expectedType = AzureCliCredential.class;
+                break;
+
+            case "intellijcredential":
+                expectedType = IntelliJCredential.class;
+                break;
+
+            case "azurepowershellcredential":
+                expectedType = AzurePowerShellCredential.class;
+                break;
+
+            case "azuredeveloperclicredential":
+                expectedType = AzureDeveloperCliCredential.class;
+                break;
+
+            case "environmentcredential":
+                expectedType = EnvironmentCredential.class;
+                break;
+
+            case "workloadidentitycredential":
+                expectedType = WorkloadIdentityCredential.class;
+                break;
+
+            case "managedidentitycredential":
+                expectedType = ManagedIdentityCredential.class;
+                break;
+
+            case "visualstudiocodecredential":
+                expectedType = VisualStudioCodeCredential.class;
+                break;
+
+            default:
+                throw new IllegalArgumentException("Unsupported test value: " + credentialValue);
+        }
+
+        assertInstanceOf(expectedType, credentials.get(0));
+    }
+
     @ParameterizedTest
     @ValueSource(strings = { "invalid", "PRODUCTION", "DEVELOPER", "both", "p r o d", "d e v" })
     public void testInvalidCredentialsConfiguration(String configValue) {
