Move managed identity credentials behind ManagedIdentityCredential (Azure#2409)

Author: chlowell

sdk/identity/.dict.txt

@@ -3,6 +3,9 @@ appservice
 azureauth
 clientcertificate
 clientsecret
+cloudshell
 imds
+managedidentity
 msal
+replacen
 workloadidentity

sdk/identity/azure_identity/CHANGELOG.md

@@ -17,6 +17,7 @@
 - Removed `get_subscription()` and `get_tenant()` from `AzureCliCredential`.
 - `WorkloadIdentityCredential` constructors moved some parameters to an `Option<ClientAssertionCredentialOptions>` parameter.
 - Removed `clear_cache()` from all credential types
+- Replaced `AppServiceManagedIdentityCredential`, `VirtualMachineManagedIdentityCredential`, and `ImdsId` with `ManagedIdentityCredential` and `UserAssignedId`
 
 ### Bugs Fixed
 

sdk/identity/azure_identity/README.md

@@ -78,7 +78,7 @@ authentication flows. For more details on this scenario see [Configure an applic
 
 ```rust no_run
 use azure_core::credentials::{AccessToken, TokenCredential};
-use azure_identity::{ClientAssertion, ClientAssertionCredential, ImdsId, TokenCredentialOptions, VirtualMachineManagedIdentityCredential};
+use azure_identity::{ClientAssertion, ClientAssertionCredential, TokenCredentialOptions, ManagedIdentityCredential};
 use std::sync::Arc;
 
 #[derive(Debug)]
@@ -104,10 +104,7 @@ impl ClientAssertion for VmClientAssertion {
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
         let assertion = VmClientAssertion {
-        credential: VirtualMachineManagedIdentityCredential::new(
-            ImdsId::SystemAssigned,
-            TokenCredentialOptions::default(),
-        )?,
+        credential: ManagedIdentityCredential::new(None)?,
         scope: String::from("api://AzureADTokenExchange/.default"),
     };
 

sdk/identity/azure_identity/examples/specific_credential.rs

@@ -9,8 +9,7 @@ use azure_core::{
 #[cfg(not(target_arch = "wasm32"))]
 use azure_identity::AzureCliCredential;
 use azure_identity::{
-    AppServiceManagedIdentityCredential, ImdsId, TokenCredentialOptions,
-    VirtualMachineManagedIdentityCredential, WorkloadIdentityCredential,
+    ManagedIdentityCredential, TokenCredentialOptions, WorkloadIdentityCredential,
 };
 use std::sync::Arc;
 
@@ -49,17 +48,15 @@ const AZURE_CREDENTIAL_KIND: &str = "AZURE_CREDENTIAL_KIND";
 mod azure_credential_kinds {
     #[cfg(not(target_arch = "wasm32"))]
     pub const AZURE_CLI: &str = "azurecli";
-    pub const VIRTUAL_MACHINE: &str = "virtualmachine";
-    pub const APP_SERVICE: &str = "appservice";
+    pub const MANAGED_IDENTITY: &str = "managedidentity";
     pub const WORKLOAD_IDENTITY: &str = "workloadidentity";
 }
 
 #[derive(Debug)]
 enum SpecificAzureCredentialKind {
     #[cfg(not(target_arch = "wasm32"))]
     AzureCli(Arc<AzureCliCredential>),
-    VirtualMachine(Arc<VirtualMachineManagedIdentityCredential>),
-    AppService(Arc<AppServiceManagedIdentityCredential>),
+    ManagedIdentity(Arc<ManagedIdentityCredential>),
     WorkloadIdentity(Arc<WorkloadIdentityCredential>),
 }
 
@@ -70,10 +67,7 @@ impl TokenCredential for SpecificAzureCredentialKind {
         match self {
             #[cfg(not(target_arch = "wasm32"))]
             SpecificAzureCredentialKind::AzureCli(credential) => credential.get_token(scopes).await,
-            SpecificAzureCredentialKind::VirtualMachine(credential) => {
-                credential.get_token(scopes).await
-            }
-            SpecificAzureCredentialKind::AppService(credential) => {
+            SpecificAzureCredentialKind::ManagedIdentity(credential) => {
                 credential.get_token(scopes).await
             }
             SpecificAzureCredentialKind::WorkloadIdentity(credential) => {
@@ -97,21 +91,16 @@ impl SpecificAzureCredential {
         let source: SpecificAzureCredentialKind =
             // case insensitive and allow spaces
             match credential_type.replace(' ', "").to_lowercase().as_str() {
-                azure_credential_kinds::APP_SERVICE => {
-                    AppServiceManagedIdentityCredential::new(options)
-                        .map(SpecificAzureCredentialKind::AppService)
+                azure_credential_kinds::MANAGED_IDENTITY => {
+                    ManagedIdentityCredential::new(None)
+                        .map(SpecificAzureCredentialKind::ManagedIdentity)
                         .with_context(ErrorKind::Credential, || {
                             format!(
                                 "unable to create AZURE_CREDENTIAL_KIND of {}",
-                                azure_credential_kinds::APP_SERVICE
+                                azure_credential_kinds::MANAGED_IDENTITY
                             )
                         })?
                 }
-                azure_credential_kinds::VIRTUAL_MACHINE => {
-                    SpecificAzureCredentialKind::VirtualMachine(
-                        VirtualMachineManagedIdentityCredential::new(ImdsId::SystemAssigned, options)?,
-                    )
-                }
                 #[cfg(not(target_arch = "wasm32"))]
                 azure_credential_kinds::AZURE_CLI => AzureCliCredential::new(Some(options.into()))
                     .map(SpecificAzureCredentialKind::AzureCli)

sdk/identity/azure_identity/src/credentials/app_service_managed_identity_credential.rs

@@ -19,7 +19,10 @@ pub struct AppServiceManagedIdentityCredential {
 }
 
 impl AppServiceManagedIdentityCredential {
-    pub fn new(options: impl Into<TokenCredentialOptions>) -> azure_core::Result<Arc<Self>> {
+    pub fn new(
+        id: ImdsId,
+        options: impl Into<TokenCredentialOptions>,
+    ) -> azure_core::Result<Arc<Self>> {
         let options = options.into();
         let env = options.env();
         let endpoint = &env
@@ -43,7 +46,7 @@ impl AppServiceManagedIdentityCredential {
                 API_VERSION,
                 SECRET_HEADER,
                 SECRET_ENV,
-                ImdsId::SystemAssigned,
+                id,
             ),
         }))
     }

sdk/identity/azure_identity/src/credentials/imds_managed_identity_credentials.rs

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-use crate::{credentials::cache::TokenCache, TokenCredentialOptions};
+use crate::{credentials::cache::TokenCache, env::Env, TokenCredentialOptions, UserAssignedId};
 use azure_core::{
     credentials::{AccessToken, Secret, TokenCredential},
     error::{http_response_from_body, Error, ErrorKind},
@@ -31,6 +31,16 @@ pub enum ImdsId {
     MsiResId(String),
 }
 
+impl From<UserAssignedId> for ImdsId {
+    fn from(user_assigned_id: UserAssignedId) -> Self {
+        match user_assigned_id {
+            UserAssignedId::ClientId(client_id) => ImdsId::ClientId(client_id),
+            UserAssignedId::ObjectId(object_id) => ImdsId::ObjectId(object_id),
+            UserAssignedId::ResourceId(resource_id) => ImdsId::MsiResId(resource_id),
+        }
+    }
+}
+
 /// Attempts authentication using a managed identity that has been assigned to the deployment environment.
 ///
 /// This authentication type works in Azure VMs, App Service and Azure Functions applications, as well as the Azure Cloud Shell
@@ -45,6 +55,7 @@ pub(crate) struct ImdsManagedIdentityCredential {
     secret_env: String,
     id: ImdsId,
     cache: TokenCache,
+    env: Env,
 }
 
 impl ImdsManagedIdentityCredential {
@@ -65,6 +76,7 @@ impl ImdsManagedIdentityCredential {
             secret_env: secret_env.to_owned(),
             id,
             cache: TokenCache::new(),
+            env: options.env().clone(),
         }
     }
 
@@ -90,7 +102,7 @@ impl ImdsManagedIdentityCredential {
 
         req.insert_header("metadata", "true");
 
-        let msi_secret = std::env::var(&self.secret_env);
+        let msi_secret = self.env.var(&self.secret_env);
         if let Ok(val) = msi_secret {
             req.insert_header(self.secret_header.clone(), val);
         };

sdk/identity/azure_identity/src/credentials/mod.rs

@@ -21,15 +21,15 @@ mod options;
 mod virtual_machine_managed_identity_credential;
 mod workload_identity_credentials;
 
-pub use app_service_managed_identity_credential::*;
+pub(crate) use app_service_managed_identity_credential::*;
 #[cfg(not(target_arch = "wasm32"))]
 pub use azure_cli_credentials::*;
 pub use client_assertion_credentials::*;
 #[cfg(feature = "client_certificate")]
 pub use client_certificate_credentials::*;
 pub use default_azure_credentials::*;
-pub use imds_managed_identity_credentials::ImdsId;
+pub(crate) use imds_managed_identity_credentials::ImdsId;
 pub(crate) use imds_managed_identity_credentials::*;
 pub use options::*;
-pub use virtual_machine_managed_identity_credential::*;
+pub(crate) use virtual_machine_managed_identity_credential::*;
 pub use workload_identity_credentials::*;

sdk/identity/azure_identity/src/lib.rs

@@ -10,6 +10,7 @@ mod chained_token_credential;
 mod credentials;
 mod env;
 mod federated_credentials_flow;
+mod managed_identity_credential;
 mod oauth2_http_client;
 mod refresh_token;
 mod timeout;
@@ -18,6 +19,7 @@ use azure_core::{error::ErrorKind, Error, Result};
 pub use azure_pipelines_credential::*;
 pub use chained_token_credential::*;
 pub use credentials::*;
+pub use managed_identity_credential::*;
 use std::borrow::Cow;
 
 fn validate_not_empty<C>(value: &str, message: C) -> Result<()>
@@ -108,3 +110,9 @@ fn test_validate_tenant_id() {
     assert!(validate_tenant_id("A-1.z").is_ok());
     assert!(validate_tenant_id("7b795fb9-09d3-42f4-a494-38864f99ba3c").is_ok());
 }
+
+#[cfg(test)]
+mod tests {
+    pub const LIVE_TEST_RESOURCE: &str = "https://management.azure.com";
+    pub const LIVE_TEST_SCOPES: &[&str] = &["https://management.azure.com/.default"];
+}