Replace DefaultAzureCredential with DeveloperToolsCredential (#2873)

DeveloperToolsCredential is effectively the DefaultAzureCredential from
other SDKs, configured for dev mode. It's designed to simplify getting
started with the SDK, for example by copying sample code. It only
supports authenticating via dev tools such as `az` and `azd`, and its
behavior isn't configurable. Developers who want to set additional
options for its constituent types or change their order can instead use
them directly.

Similarly to DefaultAzureCredential, DeveloperToolsCredential requests a
token from each dev tool in turn, stopping when one provides a token.
After receiving a token from some tool, a DeveloperToolsCredential
instance uses that tool exclusively; it never tries the others again.

There are a couple big reasons for removing DefaultAzureCredential
instead of implementing it as in other SDKs:

- **Default**AzureCredential implies it's always a good choice, if not
the only choice, when in fact it's typically better to use a more
specific type
- trying a sequence of credentials introduces uncertainty and can be
dangerous (see #2283 and [guidance for other
SDKs](https://aka.ms/azsdk/net/identity/credential-chains#usage-guidance-for-defaultazurecredential))

---------

Co-authored-by: Heath Stewart <[email protected]>

Author: chlowell

sdk/core/azure_core/README.md

@@ -72,12 +72,12 @@ available directly on `ClientOptions`.
 
 ```rust no_run
 use azure_core::http::ClientOptions;
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::{SecretClient, SecretClientOptions};
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
 
     let options = SecretClientOptions {
         api_version: "7.5".to_string(),
@@ -102,13 +102,13 @@ This type provides access to both the deserialized result of the service call, a
 
 ```rust no_run
 use azure_core::http::Response;
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::{models::Secret, SecretClient};
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // create a client
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = SecretClient::new(
         "https://<your-key-vault-name>.vault.azure.net/",
         credential.clone(),
@@ -146,13 +146,13 @@ When a service call fails, the returned `Result` will contain an `Error`. The `E
 
 ```rust no_run
 use azure_core::{error::{ErrorKind, HttpError}, http::{Response, StatusCode}};
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::SecretClient;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // create a client
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = SecretClient::new(
         "https://<your-key-vault-name>.vault.azure.net/",
         credential.clone(),
@@ -183,14 +183,14 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 If a service call returns multiple values in pages, it should return `Result<Pager<T>>` as a result. You can iterate all items from all pages.
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
 use futures::TryStreamExt;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // create a client
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = SecretClient::new(
         "https://<your-key-vault-name>.vault.azure.net/",
         credential.clone(),
@@ -214,14 +214,14 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 To instead iterate over all pages, call `into_pages()` on the returned `Pager`.
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
 use futures::TryStreamExt;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // create a client
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = SecretClient::new(
         "https://<your-key-vault-name>.vault.azure.net/",
         credential.clone(),
@@ -252,7 +252,7 @@ If a service call may take a while to process, it should return `Result<Poller<T
 The `Poller<T>` implements `futures::Stream` so you can asynchronously iterate over each status monitor update:
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_certificates::{
     CertificateClient,
     models::{CreateCertificateParameters, CertificatePolicy, X509CertificateProperties, IssuerParameters},
@@ -261,7 +261,7 @@ use futures::stream::TryStreamExt as _;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = CertificateClient::new(
         "https://your-key-vault-name.vault.azure.net/",
         credential.clone(),
@@ -308,15 +308,15 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 If you just want to wait until the `Poller<T>` is complete and get the last status monitor, you can await `wait()`:
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_certificates::{
     CertificateClient,
     models::{CreateCertificateParameters, CertificatePolicy, X509CertificateProperties, IssuerParameters},
 };
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = CertificateClient::new(
         "https://your-key-vault-name.vault.azure.net/",
         credential.clone(),
@@ -398,13 +398,13 @@ There can only be one async runtime set in a given process, so attempts to set t
 To help protected end users from accidental Personally-Identifiable Information (PII) from leaking into logs or traces, models' default implementation of `core::fmt::Debug` formats as non-exhaustive structure tuple e.g.,
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // create a client
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let client = SecretClient::new(
         "https://<your-key-vault-name>.vault.azure.net/",
         credential.clone(),

sdk/core/azure_core/src/http/pager.rs

@@ -518,13 +518,13 @@ impl<P> PageIterator<P> {
     /// that, when first iterated, will get the next page of results.
     ///
     /// ``` no_run
-    /// use azure_identity::DefaultAzureCredential;
+    /// use azure_identity::DeveloperToolsCredential;
     /// use azure_security_keyvault_secrets::SecretClient;
     /// use futures::stream::TryStreamExt as _;
     ///
     /// # #[tokio::main]
     /// # async fn main() -> azure_core::Result<()> {
-    /// let client = SecretClient::new("https://my-vault.vault.azure.net", DefaultAzureCredential::new()?, None)?;
+    /// let client = SecretClient::new("https://my-vault.vault.azure.net", DeveloperToolsCredential::new(None)?, None)?;
     ///
     /// // Advance first pager to first page.
     /// let mut pager = client.list_secret_properties(None)?

sdk/core/azure_core_opentelemetry/README.md

@@ -11,7 +11,7 @@ It allows Rust applications which use the [OpenTelemetry](https://opentelemetry.
 To integrate the OpenTelemetry APIs with the Azure SDK for Rust, you create a `OpenTelemetryTracerProvider` and pass it into your SDK ClientOptions.
 
 ```rust no_run
-# use azure_identity::DefaultAzureCredential;
+# use azure_identity::DeveloperToolsCredential;
 # use azure_core::{http::{ClientOptions, RequestInstrumentationOptions}};
 # #[derive(Default)]
 # struct ServiceClientOptions {
@@ -44,7 +44,7 @@ let options = ServiceClientOptions {
 If it is more convenient to use the global OpenTelemetry provider, then the `OpenTelemetryTracerProvider::new_from_global_provider` method will configure the OpenTelemetry support to use the global provider instead of a custom configured provider.
 
 ```rust no_run
-# use azure_identity::DefaultAzureCredential;
+# use azure_identity::DeveloperToolsCredential;
 # use azure_core::{http::{ClientOptions, RequestInstrumentationOptions}};
 
 # #[derive(Default)]

sdk/core/azure_core_test/src/credentials.rs

@@ -6,7 +6,11 @@ use azure_core::{
     credentials::{AccessToken, Secret, TokenCredential, TokenRequestOptions},
     time::{Duration, OffsetDateTime},
 };
-use azure_identity::{AzurePipelinesCredential, DefaultAzureCredential, TokenCredentialOptions};
+#[cfg(target_arch = "wasm32")]
+use azure_core::{error::ErrorKind, Error};
+#[cfg(not(target_arch = "wasm32"))]
+use azure_identity::DeveloperToolsCredential;
+use azure_identity::{AzurePipelinesCredential, TokenCredentialOptions};
 use std::{env, sync::Arc};
 
 /// A mock [`TokenCredential`] useful for testing.
@@ -38,7 +42,7 @@ impl TokenCredential for MockCredential {
 /// Gets a `TokenCredential` appropriate for the current environment.
 ///
 /// When running in Azure Pipelines, this will return an [`AzurePipelinesCredential`];
-/// otherwise, it will return a [`DefaultAzureCredential`].
+/// otherwise, it will return a [`DeveloperToolsCredential`].
 pub fn from_env(
     options: Option<TokenCredentialOptions>,
 ) -> azure_core::Result<Arc<dyn TokenCredential>> {
@@ -65,9 +69,13 @@ pub fn from_env(
             )? as Arc<dyn TokenCredential>);
         }
     }
-
-    Ok(
-        DefaultAzureCredential::with_options(options.unwrap_or_default())?
-            as Arc<dyn TokenCredential>,
-    )
+    #[cfg(target_arch = "wasm32")]
+    {
+        Err(Error::message(
+            ErrorKind::Other,
+            "No local development credential for WASM.",
+        ))
+    }
+    #[cfg(not(target_arch = "wasm32"))]
+    Ok(DeveloperToolsCredential::new(None)? as Arc<dyn TokenCredential>)
 }

sdk/core/azure_core_test/src/http/clients.rs

@@ -19,7 +19,7 @@ use std::fmt;
 ///     Bytes,
 /// };
 /// use azure_core_test::http::MockHttpClient;
-/// use azure_identity::DefaultAzureCredential;
+/// use azure_identity::DeveloperToolsCredential;
 /// use azure_security_keyvault_secrets::{SecretClient, SecretClientOptions};
 /// use futures::FutureExt as _;
 /// use std::sync::Arc;
@@ -34,7 +34,7 @@ use std::fmt;
 ///         Bytes::from_static(br#"{"value":"secret"}"#),
 ///     ))
 /// }.boxed()));
-/// let credential = DefaultAzureCredential::new()?;
+/// let credential = DeveloperToolsCredential::new(None)?;
 /// let options = SecretClientOptions {
 ///     client_options: ClientOptions {
 ///         transport: Some(TransportOptions::new(mock_client.clone())),

sdk/core/azure_core_test/src/recording.rs

@@ -88,7 +88,7 @@ impl Recording {
         match self.test_mode {
             TestMode::Playback => Arc::new(MockCredential) as Arc<dyn TokenCredential>,
             _ => credentials::from_env(None).map_or_else(
-                |err| panic!("failed to create DefaultAzureCredential: {err}"),
+                |err| panic!("failed to create DeveloperToolsCredential: {err}"),
                 |cred| cred as Arc<dyn TokenCredential>,
             ),
         }

sdk/cosmos/azure_data_cosmos/README.md

@@ -46,22 +46,22 @@ In order to interact with the Azure Cosmos DB service, you'll need to create an
 
 **Using Microsoft Entra ID**
 
-The example shown below use a `DefaultAzureCredential`, which is appropriate for most local development environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the [Azure Identity] documentation.
+The example shown below use a `DeveloperToolsCredential`, which is appropriate for most local development environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the [Azure Identity] documentation.
 
-The `DefaultAzureCredential` will automatically pick up on an Azure CLI authentication. Ensure you are logged in with the Azure CLI:
+The `DeveloperToolsCredential` will automatically pick up on an Azure CLI authentication. Ensure you are logged in with the Azure CLI:
 
 ```sh
 az login
 ```
 
-Instantiate a `DefaultAzureCredential` to pass to the client. The same instance of a token credential can be used with multiple clients if they will be authenticating with the same identity.
+Instantiate a `DeveloperToolsCredential` to pass to the client. The same instance of a token credential can be used with multiple clients if they will be authenticating with the same identity.
 
 ```rust
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_data_cosmos::CosmosClient;
 
 async fn example() -> Result<(), Box<dyn std::error::Error>> {
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
     let cosmos_client = CosmosClient::new("myAccountEndpointURL", credential.clone(), None)?;
     Ok(())
 }

sdk/cosmos/azure_data_cosmos/examples/cosmos/main.rs

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 use azure_data_cosmos::CosmosClient;
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use clap::{Args, CommandFactory, Parser, Subcommand};
 use std::error::Error;
 
@@ -94,7 +94,7 @@ fn create_client(args: &SharedArgs) -> Result<CosmosClient, Box<dyn Error>> {
             Err("cannot authenticate with a key unless the 'key_auth' feature is enabled".into())
         }
     } else {
-        let cred = DefaultAzureCredential::new().unwrap();
+        let cred = DeveloperToolsCredential::new(None).unwrap();
         Ok(CosmosClient::new(&args.endpoint, cred, None)?)
     }
 }

sdk/cosmos/azure_data_cosmos/src/clients/cosmos_client.rs

@@ -44,7 +44,7 @@ impl CosmosClient {
     /// # use std::sync::Arc;
     /// use azure_data_cosmos::CosmosClient;
     ///
-    /// let credential = azure_identity::DefaultAzureCredential::new().unwrap();
+    /// let credential = azure_identity::DeveloperToolsCredential::new(None).unwrap();
     /// let client = CosmosClient::new("https://myaccount.documents.azure.com/", credential, None).unwrap();
     /// ```
     pub fn new(

sdk/eventhubs/azure_messaging_eventhubs/README.md

@@ -52,20 +52,20 @@ cargo add azure_identity tokio
 
 In order to interact with the Azure Event Hubs service, you'll need to create an instance of the `ProducerClient` or the `ConsumerClient`. You need an **event hub namespace host URL** (which you may see as `serviceBusEndpoint` in the Azure CLI response when creating the Even Hubs Namespace), an **Event Hub name** (which you may see as `name` in the Azure CLI response when crating the Event Hub instance), and credentials to instantiate a client object.
 
-The example shown below uses a [`DefaultAzureCredential`][default_cred_ref], which is appropriate for most local development environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the [Azure Identity] documentation.
+The example shown below uses a `DeveloperToolsCredential`, which is appropriate for most local development environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the [Azure Identity] documentation.
 
-The `DefaultAzureCredential` will automatically pick up on an Azure CLI authentication. Ensure you are logged in with the Azure CLI:
+The `DeveloperToolsCredential` will automatically pick up on an Azure CLI authentication. Ensure you are logged in with the Azure CLI:
 
 ```azurecli
 az login
 ```
 
-Instantiate a `DefaultAzureCredential` to pass to the client. The same instance of a token credential can be used with multiple clients if they will be authenticating with the same identity.
+Instantiate a `DeveloperToolsCredential` to pass to the client. The same instance of a token credential can be used with multiple clients if they will be authenticating with the same identity.
 
 ### Create an Event Hubs message producer and send an event
 
 ```rust no_run
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_messaging_eventhubs::ProducerClient;
 
 #[tokio::main]
@@ -74,7 +74,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     let eventhub = "<EVENTHUB_NAME>";
 
     // Create new credential
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
 
     // Create and open a new ProducerClient
     let producer = ProducerClient::builder()
@@ -125,14 +125,14 @@ Additional examples for various scenarios can be found on in the examples direct
 
 ```rust no_run
 use azure_core::Error;
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_messaging_eventhubs::ProducerClient;
 
 async fn open_producer_client() -> Result<ProducerClient, Error> {
     let host = "<EVENTHUBS_HOST>";
     let eventhub = "<EVENTHUB_NAME>";
 
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
 
     let producer = ProducerClient::builder()
         .open(host, eventhub, credential.clone())
@@ -183,14 +183,14 @@ async fn send_events(producer: &ProducerClient) -> Result<(), Error> {
 
 ```rust no_run
 use azure_core::Error;
-use azure_identity::DefaultAzureCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_messaging_eventhubs::ConsumerClient;
 
 async fn open_consumer_client() -> Result<ConsumerClient, Error> {
     let host = "<EVENTHUBS_HOST>".to_string();
     let eventhub = "<EVENTHUB_NAME>".to_string();
 
-    let credential = DefaultAzureCredential::new()?;
+    let credential = DeveloperToolsCredential::new(None)?;
 
     let consumer = azure_messaging_eventhubs::ConsumerClient::builder()
         .open(&host, eventhub, credential.clone())
@@ -287,12 +287,11 @@ Azure SDK for Rust is licensed under the [MIT](https://github.com/Azure/azure-sd
 [API reference documentation]: https://docs.rs/azure_messaging_eventhubs/latest/azure_messaging_eventhubs
 [Azure CLI]: https://learn.microsoft.com/cli/azure
 [Azure subscription]: https://azure.microsoft.com/free/
-[Azure Identity]: https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/identity/azure_identity
+[Azure Identity]: https://aka.ms/azsdk/rust/identity/docs
 [Microsoft Open Source Code of Conduct]: https://opensource.microsoft.com/codeofconduct/
 [Product documentation]: https://learn.microsoft.com/azure/event-hubs/
 [Cargo]: https://crates.io/
 [Package (crates.io)]: https://crates.io/crates/azure_messaging_eventhubs
 [Source code]: https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/eventhubs/azure_messaging_eventhubs/src
 [CONTRIBUTING.md]: https://github.com/Azure/azure-sdk-for-rust/blob/main/CONTRIBUTING.md
 [Code of Conduct FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
-[default_cred_ref]: https://docs.rs/azure_identity/latest/azure_identity/struct.DefaultAzureCredential.html