[Identity] Add env var enforcement flag to DAC (Azure#42660)

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -4,7 +4,8 @@
 
 ### Features Added
 
-- `AzureDeveloperCliCredential` now supports `claims` in `get_token` and `get_token_info`.  ([#42568](https://github.com/Azure/azure-sdk-for-python/pull/42568))
+- `AzureDeveloperCliCredential` now supports `claims` in `get_token` and `get_token_info`. ([#42568](https://github.com/Azure/azure-sdk-for-python/pull/42568))
+- Added new keyword argument `require_envvar` to `DefaultAzureCredential` to enforce the presence of the `AZURE_TOKEN_CREDENTIALS` environment variable. ([#42660](https://github.com/Azure/azure-sdk-for-python/pull/42660))
 
 ### Breaking Changes
 

sdk/identity/azure-identity/azure/identity/_credentials/default.py

@@ -126,6 +126,9 @@ class DefaultAzureCredential(ChainedTokenCredential):
         record file used by the Azure Resources extension.
     :keyword int process_timeout: The timeout in seconds to use for developer credentials that run
         subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to **10** seconds.
+    :keyword bool require_envvar: If **True**, require that the AZURE_TOKEN_CREDENTIALS environment variable be set
+        to a value denoting the credential type or credential group to use. If unset or empty, DefaultAzureCredential
+        will raise a `ValueError`. Defaults to **False**.
 
     .. admonition:: Example:
 
@@ -168,6 +171,12 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
         )
 
         process_timeout = kwargs.pop("process_timeout", 10)
+        require_envvar = kwargs.pop("require_envvar", False)
+        if require_envvar and not os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS):
+            raise ValueError(
+                "AZURE_TOKEN_CREDENTIALS environment variable is required but is not set or is empty. "
+                "Set it to 'dev', 'prod', or a specific credential name."
+            )
 
         # Define credential configuration mapping
         credential_config = {

sdk/identity/azure-identity/azure/identity/aio/_credentials/default.py

@@ -106,6 +106,9 @@ class DefaultAzureCredential(ChainedTokenCredential):
         record file used by the Azure Resources extension.
     :keyword int process_timeout: The timeout in seconds to use for developer credentials that run
         subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to **10** seconds.
+    :keyword bool require_envvar: If **True**, require that the AZURE_TOKEN_CREDENTIALS environment variable be set
+        to a value denoting the credential type or credential group to use. If unset or empty, DefaultAzureCredential
+        will raise a `ValueError`. Defaults to **False**.
 
     .. admonition:: Example:
 
@@ -140,6 +143,12 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
         )
 
         process_timeout = kwargs.pop("process_timeout", 10)
+        require_envvar = kwargs.pop("require_envvar", False)
+        if require_envvar and not os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS):
+            raise ValueError(
+                "AZURE_TOKEN_CREDENTIALS environment variable is required but is not set or is empty. "
+                "Set it to 'dev', 'prod', or a specific credential name."
+            )
 
         # Define credential configuration mapping (async version)
         credential_config = {

sdk/identity/azure-identity/tests/test_default.py

@@ -570,3 +570,10 @@ def test_failed_dac_credential_in_chain():
     # The error should mention the failed credentials
     error_str = str(exc_info.value)
     assert "workload identity error" in error_str or "test credential error" in error_str
+
+
+def test_require_envvar_raises_error_when_envvar_missing():
+    with patch.dict("os.environ", {}, clear=True):
+        with pytest.raises(ValueError) as exc_info:
+            DefaultAzureCredential(require_envvar=True)
+        assert "AZURE_TOKEN_CREDENTIALS" in str(exc_info.value)

sdk/identity/azure-identity/tests/test_default_async.py

@@ -412,3 +412,11 @@ async def test_failed_dac_credential_in_chain():
     # The error should mention the failed credentials
     error_str = str(exc_info.value)
     assert "workload identity error" in error_str or "test credential error" in error_str
+
+
+@pytest.mark.asyncio
+async def test_require_envvar_raises_error_when_envvar_missing():
+    with patch.dict("os.environ", {}, clear=True):
+        with pytest.raises(ValueError) as exc_info:
+            DefaultAzureCredential(require_envvar=True)
+        assert "AZURE_TOKEN_CREDENTIALS" in str(exc_info.value)