feat: replaced DefaultAzureCredential with ManagedIdentityCredential (#1795)

Warren-Pitterson · web-flow · commit c784f5fc8d76 · 2026-01-23T13:40:13.000Z
diff --git a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs
@@ -29,12 +29,12 @@
     {
         // Get CohortManager private key
         logger.LogInformation("Pulling Mesh Certificate from KeyVault");
-        var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+        var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
         var certificate = await certClient.DownloadCertificateAsync(config.MeshKeyName);
         cohortManagerPrivateKey = certificate.Value;
 
         // Get MESH public certificates (CA chain)
-        var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+        var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
         string base64Cert = (await secretClient.GetSecretAsync(config.MeshCertName)).Value.Value;
         meshCerts = CertificateHelper.GetCertificatesFromString(base64Cert);
     }
@@ -82,4 +82,3 @@
     logger.LogCritical(ex, "Failed to start up Function");
 }
 
-
diff --git a/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs b/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs
@@ -29,12 +29,12 @@
     {
         // Get CohortManager private key
         logger.LogInformation("Pulling Mesh Certificate from KeyVault");
-        var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+        var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
         var certificate = await certClient.DownloadCertificateAsync(config.NemsMeshKeyName);
         cohortManagerPrivateKey = certificate.Value;
 
         // Get MESH public certificates (CA chain)
-        var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+        var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
         string base64Cert = (await secretClient.GetSecretAsync(config.NemsMeshCertName)).Value.Value;
         meshCerts = CertificateHelper.GetCertificatesFromString(base64Cert);
     }
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs
@@ -27,7 +27,7 @@ public static IHostBuilder AddServiceBusClient(this IHostBuilder hostBuilder, st
                 else
                 {
                     builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)
-                        .WithCredential(new DefaultAzureCredential());
+                        .WithCredential(new ManagedIdentityCredential ());
                 }
             });
             _.AddSingleton<IQueueClient, AzureServiceBusClient>();
@@ -68,7 +68,7 @@ public static IHostBuilder AddKeyedAzureQueues(this IHostBuilder hostBuilder, bo
                         else
                         {
                             builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)
-                                .WithCredential(new DefaultAzureCredential());
+                                .WithCredential(new ManagedIdentityCredential ());
                         }
                     });
                     _.AddKeyedSingleton<IQueueClient, AzureServiceBusClient>(keyName);
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs
@@ -41,7 +41,7 @@ private static IConfiguration CreateConfiguration(string? keyVaultUrl = null, Li
         if(keyVaultUrl != null){
             try
             {
-                configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential(), new AzureKeyVaultConfigurationOptions());
+                configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new ManagedIdentityCredential (), new AzureKeyVaultConfigurationOptions());
             }
             catch (Exception ex)
             {
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs
@@ -28,11 +28,11 @@ public static IHostBuilder AddJwtTokenSigning(this IHostBuilder hostBuilder, boo
         JwtPrivateKey jwtPrivateKey;
         try
         {
-            // Azure   
+            // Azure
             hostBuilder.AddConfiguration<JwtTokenServiceConfig>(out JwtTokenServiceConfig config);
             if (!string.IsNullOrEmpty(config.KeyVaultConnectionString))
             {
-                var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+                var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
                 Response<X509Certificate2> certResponse = certClient.DownloadCertificate(config.KeyNamePrivateKey);
 
                 logger.LogInformation("got certificate from key vault");

Original file line number	Diff line number	Diff line change
`@@ -29,12 +29,12 @@`
`29`	`29`	`{`
`30`	`30`	`// Get CohortManager private key`
`31`	`31`	`logger.LogInformation("Pulling Mesh Certificate from KeyVault");`
`32`		`- var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());`
	`32`	`+ var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());`
`33`	`33`	`var certificate = await certClient.DownloadCertificateAsync(config.MeshKeyName);`
`34`	`34`	`cohortManagerPrivateKey = certificate.Value;`
`35`	`35`
`36`	`36`	`// Get MESH public certificates (CA chain)`
`37`		`- var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());`
	`37`	`+ var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());`
`38`	`38`	`string base64Cert = (await secretClient.GetSecretAsync(config.MeshCertName)).Value.Value;`
`39`	`39`	`meshCerts = CertificateHelper.GetCertificatesFromString(base64Cert);`
`40`	`40`	`}`
`@@ -82,4 +82,3 @@`
`82`	`82`	`logger.LogCritical(ex, "Failed to start up Function");`
`83`	`83`	`}`
`84`	`84`
`85`		`-`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ public static IHostBuilder AddServiceBusClient(this IHostBuilder hostBuilder, st`
`27`	`27`	`else`
`28`	`28`	`{`
`29`	`29`	`builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)`
`30`		`- .WithCredential(new DefaultAzureCredential());`
	`30`	`+ .WithCredential(new ManagedIdentityCredential ());`
`31`	`31`	`}`
`32`	`32`	`});`
`33`	`33`	`_.AddSingleton<IQueueClient, AzureServiceBusClient>();`
`@@ -68,7 +68,7 @@ public static IHostBuilder AddKeyedAzureQueues(this IHostBuilder hostBuilder, bo`
`68`	`68`	`else`
`69`	`69`	`{`
`70`	`70`	`builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)`
`71`		`- .WithCredential(new DefaultAzureCredential());`
	`71`	`+ .WithCredential(new ManagedIdentityCredential ());`
`72`	`72`	`}`
`73`	`73`	`});`
`74`	`74`	`_.AddKeyedSingleton<IQueueClient, AzureServiceBusClient>(keyName);`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ private static IConfiguration CreateConfiguration(string? keyVaultUrl = null, Li`
`41`	`41`	`if(keyVaultUrl != null){`
`42`	`42`	`try`
`43`	`43`	`{`
`44`		`- configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential(), new AzureKeyVaultConfigurationOptions());`
	`44`	`+ configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new ManagedIdentityCredential (), new AzureKeyVaultConfigurationOptions());`
`45`	`45`	`}`
`46`	`46`	`catch (Exception ex)`
`47`	`47`	`{`
Original file line number	Diff line number	Diff line change
`@@ -28,11 +28,11 @@ public static IHostBuilder AddJwtTokenSigning(this IHostBuilder hostBuilder, boo`
`28`	`28`	`JwtPrivateKey jwtPrivateKey;`
`29`	`29`	`try`
`30`	`30`	`{`
`31`		`- // Azure`
	`31`	`+ // Azure`
`32`	`32`	`hostBuilder.AddConfiguration<JwtTokenServiceConfig>(out JwtTokenServiceConfig config);`
`33`	`33`	`if (!string.IsNullOrEmpty(config.KeyVaultConnectionString))`
`34`	`34`	`{`
`35`		`- var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());`
	`35`	`+ var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());`
`36`	`36`	`Response<X509Certificate2> certResponse = certClient.DownloadCertificate(config.KeyNamePrivateKey);`
`37`	`37`
`38`	`38`	`logger.LogInformation("got certificate from key vault");`