[3.0] Change default AZ creds to AZ CLI creds. (microsoft#14477)

PawelWMS · web-flow · commit ea9026a398a9 · 2025-08-13T20:48:08.000-07:00
Internal Microsoft policy requires us to not use NewDefaultAzureCredential when logging into Azure. In all cases where we used the default method in our builds we relied on Azure CLI credentials, thus the switch to NewAzureCLICredential.

For more information see the AzureCLICredential docs.

The change also has minor Go linting clean-up.
diff --git a/toolkit/tools/internal/azureblobstorage/azureblobstorage.go b/toolkit/tools/internal/azureblobstorage/azureblobstorage.go
@@ -19,7 +19,7 @@ import (
 const (
 	AnonymousAccess        = 0
 	ServicePrincipalAccess = 1
-	ManagedIdentityAccess  = 2
+	AzureCLIAccess         = 2
 )
 
 type AzureBlobStorage struct {
@@ -36,13 +36,13 @@ func (abs *AzureBlobStorage) Upload(
 
 	localFile, err := os.OpenFile(localFileName, os.O_RDONLY, 0)
 	if err != nil {
-		return fmt.Errorf("Failed to open local file for upload:\n%w", err)
+		return fmt.Errorf("failed to open local file for upload:\n%w", err)
 	}
 	defer localFile.Close()
 
 	_, err = abs.theClient.UploadFile(ctx, containerName, blobName, localFile, nil)
 	if err != nil {
-		return fmt.Errorf("Failed to upload local file to blob:\n%w", err)
+		return fmt.Errorf("failed to upload local file to blob:\n%w", err)
 	}
 
 	uploadEndTime := time.Now()
@@ -80,7 +80,7 @@ func (abs *AzureBlobStorage) Download(
 
 	_, err = abs.theClient.DownloadFile(ctx, containerName, blobName, localFile, nil)
 	if err != nil {
-		return fmt.Errorf("Failed to download blob to local file:\n%w", err)
+		return fmt.Errorf("failed to download blob to local file:\n%w", err)
 	}
 
 	downloadEndTime := time.Now()
@@ -97,7 +97,7 @@ func (abs *AzureBlobStorage) Delete(
 	deleteStartTime := time.Now()
 	_, err = abs.theClient.DeleteBlob(ctx, containerName, blobName, nil)
 	if err != nil {
-		return fmt.Errorf("Failed to delete blob:\n%w", err)
+		return fmt.Errorf("failed to delete blob:\n%w", err)
 	}
 	deleteEndTime := time.Now()
 	logger.Log.Infof("  delete time: %v", deleteEndTime.Sub(deleteStartTime))
@@ -106,49 +106,45 @@ func (abs *AzureBlobStorage) Delete(
 }
 
 func Create(tenantId string, userName string, password string, storageAccount string, authenticationType int) (abs *AzureBlobStorage, err error) {
-
 	url := "https://" + storageAccount + ".blob.core.windows.net/"
 
 	abs = &AzureBlobStorage{}
 
-	if authenticationType == AnonymousAccess {
-
+	switch authenticationType {
+	case AnonymousAccess:
 		abs.theClient, err = azblob.NewClientWithNoCredential(url, nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure blob storage read-only client:\n%w", err)
+			return nil, fmt.Errorf("unable to init azure blob storage read-only client:\n%w", err)
 		}
 
 		return abs, nil
 
-	} else if authenticationType == ServicePrincipalAccess {
-
+	case ServicePrincipalAccess:
 		credential, err := azidentity.NewClientSecretCredential(tenantId, userName, password, nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure service principal identity:\n%w", err)
+			return nil, fmt.Errorf("unable to init azure service principal identity:\n%w", err)
 		}
 
 		abs.theClient, err = azblob.NewClient(url, credential, nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure blob storage read-write client:\n%w", err)
+			return nil, fmt.Errorf("unable to init azure blob storage read-write client:\n%w", err)
 		}
 
 		return abs, nil
 
-	} else if authenticationType == ManagedIdentityAccess {
-
-		credential, err := azidentity.NewDefaultAzureCredential(nil)
+	case AzureCLIAccess:
+		credential, err := azidentity.NewAzureCLICredential(nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure managed identity:\n%w", err)
+			return nil, fmt.Errorf("unable to init azure managed identity:\n%w", err)
 		}
 
 		abs.theClient, err = azblob.NewClient(url, credential, nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure blob storage read-write client:\n%w", err)
+			return nil, fmt.Errorf("unable to init azure blob storage read-write client:\n%w", err)
 		}
 
 		return abs, nil
-
 	}
 
-	return nil, errors.New("Unknown authentication type.")
+	return nil, errors.New("unknown authentication type")
 }
diff --git a/toolkit/tools/internal/ccachemanager/ccachemanager.go b/toolkit/tools/internal/ccachemanager/ccachemanager.go
@@ -454,7 +454,7 @@ func CreateManager(rootDir string, configFileName string) (m *CCacheManager, err
 	logger.Log.Infof("  creating blob storage client...")
 	accessType := azureblobstorage.AnonymousAccess
 	if configuration.RemoteStoreConfig.UploadEnabled {
-		accessType = azureblobstorage.ManagedIdentityAccess
+		accessType = azureblobstorage.AzureCLIAccess
 	}
 
 	azureBlobStorage, err := azureblobstorage.Create(configuration.RemoteStoreConfig.TenantId, configuration.RemoteStoreConfig.UserName, configuration.RemoteStoreConfig.Password, configuration.RemoteStoreConfig.StorageAccount, accessType)

Original file line number	Diff line number	Diff line change
`@@ -454,7 +454,7 @@ func CreateManager(rootDir string, configFileName string) (m *CCacheManager, err`
`454`	`454`	`logger.Log.Infof(" creating blob storage client...")`
`455`	`455`	`accessType := azureblobstorage.AnonymousAccess`
`456`	`456`	`if configuration.RemoteStoreConfig.UploadEnabled {`
`457`		`- accessType = azureblobstorage.ManagedIdentityAccess`
	`457`	`+ accessType = azureblobstorage.AzureCLIAccess`
`458`	`458`	`}`
`459`	`459`
`460`	`460`	`azureBlobStorage, err := azureblobstorage.Create(configuration.RemoteStoreConfig.TenantId, configuration.RemoteStoreConfig.UserName, configuration.RemoteStoreConfig.Password, configuration.RemoteStoreConfig.StorageAccount, accessType)`