Implement AZURE_TOKEN_CREDENTIALS (Azure#50021)

Author: christothes

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -1,11 +1,12 @@
 # Release History
 
-## 1.14.0 (2025-05-12)
+## 1.14.0 (2025-05-13)
 
 ### Other Changes
 
 - Removed references to `Username`, `Password`, `AZURE_USERNAME`, and `AZURE_PASSWORD` in XML comments from `EnvironmentCredentialOptions` and `EnvironmentCredential` due to lack of MFA support. See [MFA enforcement details](https://aka.ms/azsdk/identity/mfa).
 - Marked `AZURE_USERNAME` and `AZURE_PASSWORD` as obsolete due to lack of MFA support. See [MFA enforcement details](https://aka.ms/azsdk/identity/mfa).
+- Added support for the `AZURE_TOKEN_CREDENTIALS` environment variable to `DefaultAzureCredential`, which allows for choosing between 'deployed service' and 'developer tools' credentials. Valid values are 'dev' for developer tools and 'prod' for deployed service.
 
 ## 1.14.0-beta.4 (2025-05-01)
 

sdk/identity/Azure.Identity/src/Constants.cs

@@ -37,5 +37,9 @@ internal class Constants
         public const string ManagedIdentityResourceId = "mi_res_id";
         public const string MiSourceNoUserAssignedIdentityMessage = "User-assigned managed identity is not supported by the detected managed identity environment.";
         public const string MiSeviceFabricNoUserAssignedIdentityMessage = "Specifying a clientId or resourceId is not supported by the Service Fabric managed identity environment. The managed identity configuration is determined by the Service Fabric cluster resource configuration. See https://aka.ms/servicefabricmi for more information.";
+
+        // Credential selection options
+        public const string DevCredentials = "dev";
+        public const string ProdCredentials = "prod";
     }
 }

sdk/identity/Azure.Identity/src/DefaultAzureCredentialFactory.cs

@@ -3,7 +3,6 @@
 
 using System;
 using System.Collections.Generic;
-using System.Diagnostics.CodeAnalysis;
 using System.Reflection;
 using Azure.Core;
 
@@ -21,9 +20,7 @@ public DefaultAzureCredentialFactory(DefaultAzureCredentialOptions options)
         protected DefaultAzureCredentialFactory(DefaultAzureCredentialOptions options, CredentialPipeline pipeline)
         {
             Pipeline = pipeline;
-
             _useDefaultCredentialChain = options == null;
-
             Options = options?.Clone<DefaultAzureCredentialOptions>() ?? new DefaultAzureCredentialOptions();
         }
 
@@ -32,70 +29,104 @@ protected DefaultAzureCredentialFactory(DefaultAzureCredentialOptions options, C
 
         public TokenCredential[] CreateCredentialChain()
         {
-            if (_useDefaultCredentialChain)
-            {
-                return s_defaultCredentialChain;
-            }
-
-            List<TokenCredential> chain = new(10);
+            string credentialSelection = EnvironmentVariables.CredentialSelection?.Trim();
+            bool _useDevCredentials = Constants.DevCredentials.Equals(credentialSelection, StringComparison.OrdinalIgnoreCase);
+            bool _useProdCredentials = Constants.ProdCredentials.Equals(credentialSelection, StringComparison.OrdinalIgnoreCase);
 
-            if (!Options.ExcludeEnvironmentCredential)
+            if (credentialSelection != null && !_useDevCredentials && !_useProdCredentials)
             {
-                chain.Add(CreateEnvironmentCredential());
+                throw new InvalidOperationException($"Invalid value for environment variable AZURE_TOKEN_CREDENTIALS: {credentialSelection}. Valid values are '{Constants.DevCredentials}' or '{Constants.ProdCredentials}'.");
             }
 
-            if (!Options.ExcludeWorkloadIdentityCredential)
+            if (_useDefaultCredentialChain)
             {
-                chain.Add(CreateWorkloadIdentityCredential());
+                if (_useDevCredentials)
+                {
+                    return
+                    [
+                        CreateVisualStudioCredential(),
+                        CreateAzureCliCredential(),
+                        CreateAzurePowerShellCredential(),
+                        CreateAzureDeveloperCliCredential()
+                    ];
+                }
+                else if (_useProdCredentials)
+                {
+                    return
+                    [
+                        CreateEnvironmentCredential(),
+                        CreateWorkloadIdentityCredential(),
+                        CreateManagedIdentityCredential()
+                    ];
+                }
+                return s_defaultCredentialChain;
             }
 
-            if (!Options.ExcludeManagedIdentityCredential)
-            {
-                chain.Add(CreateManagedIdentityCredential());
-            }
+            List<TokenCredential> chain = new(10);
 
-            if (!Options.ExcludeSharedTokenCacheCredential)
+            if (!_useDevCredentials)
             {
-                chain.Add(CreateSharedTokenCacheCredential());
+                if (!Options.ExcludeEnvironmentCredential)
+                {
+                    chain.Add(CreateEnvironmentCredential());
+                }
+
+                if (!Options.ExcludeWorkloadIdentityCredential)
+                {
+                    chain.Add(CreateWorkloadIdentityCredential());
+                }
+
+                if (!Options.ExcludeManagedIdentityCredential)
+                {
+                    chain.Add(CreateManagedIdentityCredential());
+                }
             }
 
-            if (!Options.ExcludeVisualStudioCredential)
+            if (!_useProdCredentials)
             {
-                chain.Add(CreateVisualStudioCredential());
-            }
+                if (!Options.ExcludeSharedTokenCacheCredential)
+                {
+                    chain.Add(CreateSharedTokenCacheCredential());
+                }
+
+                if (!Options.ExcludeVisualStudioCredential)
+                {
+                    chain.Add(CreateVisualStudioCredential());
+                }
 
 #pragma warning disable CS0618 // Type or member is obsolete
-            if (!Options.ExcludeVisualStudioCodeCredential)
-            {
-                chain.Add(CreateVisualStudioCodeCredential());
-            }
+                if (!Options.ExcludeVisualStudioCodeCredential)
+                {
+                    chain.Add(CreateVisualStudioCodeCredential());
+                }
 #pragma warning restore CS0618 // Type or member is obsolete
 
-            if (!Options.ExcludeAzureCliCredential)
-            {
-                chain.Add(CreateAzureCliCredential());
-            }
-
-            if (!Options.ExcludeAzurePowerShellCredential)
-            {
-                chain.Add(CreateAzurePowerShellCredential());
-            }
-
-            if (!Options.ExcludeAzureDeveloperCliCredential)
-            {
-                chain.Add(CreateAzureDeveloperCliCredential());
-            }
-
-            if (!Options.ExcludeInteractiveBrowserCredential)
-            {
-                chain.Add(CreateInteractiveBrowserCredential());
-            }
+                if (!Options.ExcludeAzureCliCredential)
+                {
+                    chain.Add(CreateAzureCliCredential());
+                }
+
+                if (!Options.ExcludeAzurePowerShellCredential)
+                {
+                    chain.Add(CreateAzurePowerShellCredential());
+                }
+
+                if (!Options.ExcludeAzureDeveloperCliCredential)
+                {
+                    chain.Add(CreateAzureDeveloperCliCredential());
+                }
+
+                if (!Options.ExcludeInteractiveBrowserCredential)
+                {
+                    chain.Add(CreateInteractiveBrowserCredential());
+                }
 #if PREVIEW_FEATURE_FLAG
-            if (!Options.ExcludeBrokerCredential && TryCreateDevelopmentBrokerOptions(out InteractiveBrowserCredentialOptions brokerOptions))
-            {
-                chain.Add(CreateBrokerAuthenticationCredential(brokerOptions));
-            }
+                if (!Options.ExcludeBrokerCredential && TryCreateDevelopmentBrokerOptions(out InteractiveBrowserCredentialOptions brokerOptions))
+                {
+                    chain.Add(CreateBrokerAuthenticationCredential(brokerOptions));
+                }
 #endif
+            }
             if (chain.Count == 0)
             {
                 throw new ArgumentException("At least one credential type must be included in the authentication flow.", "options");

sdk/identity/Azure.Identity/src/EnvironmentVariables.cs

@@ -33,6 +33,8 @@ internal class EnvironmentVariables
 
         public static string AzureFederatedTokenFile => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE"));
 
+        public static string CredentialSelection => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_TOKEN_CREDENTIALS"));
+
         private static string GetNonEmptyStringOrNull(string str)
         {
             return !string.IsNullOrEmpty(str) ? str : null;