[Identity] Add logging for managed identity (Azure#33144)

Closes Azure#32468

---------

Co-authored-by: Scott Addie <[email protected]>

Author: minhanh-phan

sdk/identity/identity/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 4.7.1 (Unreleased)
 
 ### Features Added
+- `ManagedIdentityCredential` will now log the configured user-assigned managed identity ID. [#33144](https://github.com/Azure/azure-sdk-for-js/pull/33144)
 
 ### Breaking Changes
 
@@ -15,7 +16,7 @@
 
 ### Features Added
 
-- Added `subscription` property in `AzureCliCredentialOptions`. [#31451](https://github.com/Azure/azure-sdk-for-js/pull/31451).
+- Added `subscription` property in `AzureCliCredentialOptions`. [#31451](https://github.com/Azure/azure-sdk-for-js/pull/31451)
 
 ### Bugs Fixed
 

sdk/identity/identity/src/credentials/managedIdentityCredential/index.ts

@@ -96,7 +96,11 @@ export class ManagedIdentityCredential implements TokenCredential {
     this.objectId = (_options as ManagedIdentityCredentialObjectIdOptions)?.objectId;
 
     // For JavaScript users.
-    const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
+    const providedIds = [
+      { key: "clientId", value: this.clientId },
+      { key: "resourceId", value: this.resourceId },
+      { key: "objectId", value: this.objectId },
+    ].filter((id) => id.value);
     if (providedIds.length > 1) {
       throw new Error(
         `ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify(
@@ -177,6 +181,14 @@ export class ManagedIdentityCredential implements TokenCredential {
         );
       }
     }
+
+    logger.info(`Using ${managedIdentitySource} managed identity.`);
+
+    // Check if either clientId, resourceId or objectId was provided and log the value used
+    if (providedIds.length === 1) {
+      const { key, value } = providedIds[0];
+      logger.info(`${managedIdentitySource} with ${key}: ${value}`);
+    }
   }
 
   /**

sdk/identity/identity/test/internal/node/managedIdentityCredential/msalMsiProvider.spec.ts

@@ -1,6 +1,10 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-import type { AuthenticationResult, ManagedIdentityRequestParams } from "@azure/msal-node";
+import type {
+  AuthenticationResult,
+  ManagedIdentityRequestParams,
+  ManagedIdentitySourceNames,
+} from "@azure/msal-node";
 import { AuthError, ManagedIdentityApplication } from "@azure/msal-node";
 import { ManagedIdentityCredential } from "../../../../src/credentials/managedIdentityCredential/index.js";
 import { tokenExchangeMsi } from "../../../../src/credentials/managedIdentityCredential/tokenExchangeMsi.js";
@@ -11,6 +15,7 @@ import type { AccessToken, GetTokenOptions } from "@azure/core-auth";
 import { describe, it, assert, expect, vi, beforeEach, afterEach, type MockInstance } from "vitest";
 import type { IdentityClient } from "../../../../src/client/identityClient.js";
 import { serviceFabricErrorMessage } from "../../../../src/credentials/managedIdentityCredential/utils.js";
+import { logger } from "../../../../src/index.js";
 
 describe("ManagedIdentityCredential (MSAL)", function () {
   let acquireTokenStub: MockInstance<
@@ -115,6 +120,54 @@ describe("ManagedIdentityCredential (MSAL)", function () {
           `ManagedIdentityCredential: ${serviceFabricErrorMessage}`,
         );
       });
+
+      it("logs authentication", async function () {
+        const logSpy = vi.spyOn(logger, "info");
+        vi.spyOn(ManagedIdentityApplication.prototype, "getManagedIdentitySource").mockReturnValue(
+          "ServiceFabric",
+        );
+        new ManagedIdentityCredential();
+
+        expect(logSpy).toHaveBeenCalledTimes(1);
+        expect(logSpy).toHaveBeenCalledWith(
+          "ManagedIdentityCredential =>",
+          "Using ServiceFabric managed identity.",
+        );
+
+        logSpy.mockRestore();
+      });
+    });
+
+    describe("log user-assigned managed Identity", function () {
+      const testCases = [
+        { idType: "clientId", idValue: "fakeClientID", source: "DefaultToImds" },
+        { idType: "objectId", idValue: "fakeObjectID", source: "Imds" },
+        { idType: "resourceId", idValue: "fakeResourceID", source: "AppService" },
+      ];
+
+      testCases.forEach(({ idType, idValue, source }) => {
+        it(`logs ${idType}`, async function () {
+          const logSpy = vi.spyOn(logger, "info");
+          vi.spyOn(
+            ManagedIdentityApplication.prototype,
+            "getManagedIdentitySource",
+          ).mockReturnValue(source as ManagedIdentitySourceNames);
+
+          new ManagedIdentityCredential({ [idType]: idValue });
+
+          expect(logSpy).toHaveBeenCalledTimes(2);
+          expect(logSpy).toHaveBeenCalledWith(
+            "ManagedIdentityCredential =>",
+            `Using ${source} managed identity.`,
+          );
+          expect(logSpy).toHaveBeenCalledWith(
+            "ManagedIdentityCredential =>",
+            `${source} with ${idType}: ${idValue}`,
+          );
+
+          logSpy.mockRestore();
+        });
+      });
     });
   });