Default AZURE_TOKEN_CREDENTIALS env var when running in Azure (#11832)

eerhardt · web-flow · commit 9c6557fd81c8 · 2025-10-08T06:03:33.000-05:00
* Default AZURE_TOKEN_CREDENTIALS env var when running in Azure

This environment variable tells DefaultAzureCredential to only use the ManagedIdentityCredential.

* Fix last test
diff --git a/src/Aspire.Hosting.Azure.AppContainers/BaseContainerAppContext.cs b/src/Aspire.Hosting.Azure.AppContainers/BaseContainerAppContext.cs
@@ -75,6 +75,13 @@ protected void AddAzureClientId(IAppIdentityResource? appIdentityResource, Bicep
                 Name = "AZURE_CLIENT_ID",
                 Value = AllocateParameter(appIdentityResource.ClientId)
             });
+
+            // DefaultAzureCredential should only use ManagedIdentityCredential when running in Azure
+            env.Add(new ContainerAppEnvironmentVariable
+            {
+                Name = "AZURE_TOKEN_CREDENTIALS",
+                Value = "ManagedIdentityCredential"
+            });
         }
     }
 
diff --git a/src/Aspire.Hosting.Azure.AppService/AzureAppServiceWebsiteContext.cs b/src/Aspire.Hosting.Azure.AppService/AzureAppServiceWebsiteContext.cs
@@ -311,6 +311,13 @@ static FunctionCallExpression Join(BicepExpression args, string delimeter) =>
                 Name = "AZURE_CLIENT_ID",
                 Value = appIdentityResource.ClientId.AsProvisioningParameter(infra)
             });
+
+            // DefaultAzureCredential should only use ManagedIdentityCredential when running in Azure
+            webSite.SiteConfig.AppSettings.Add(new AppServiceNameValuePair
+            {
+                Name = "AZURE_TOKEN_CREDENTIALS",
+                Value = "ManagedIdentityCredential"
+            });
         }
 
         // Added appsetting to identify the resource in a specific aspire environment
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.KeyvaultReferenceHandling.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureAppServiceTests.KeyvaultReferenceHandling.verified.bicep
@@ -93,6 +93,10 @@ resource webapp 'Microsoft.Web/sites@2024-11-01' = {
           name: 'AZURE_CLIENT_ID'
           value: api_identity_outputs_clientid
         }
+        {
+          name: 'AZURE_TOKEN_CREDENTIALS'
+          value: 'ManagedIdentityCredential'
+        }
         {
           name: 'ASPIRE_ENVIRONMENT_NAME'
           value: 'env'
@@ -141,4 +145,4 @@ resource api_ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
     principalType: 'ServicePrincipal'
   }
   scope: webapp
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.AzureContainerAppsBicepGenerationIsIdempotent.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.AzureContainerAppsBicepGenerationIsIdempotent.verified.bicep
@@ -79,6 +79,10 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
@@ -93,4 +97,4 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {
       '${api_identity_outputs_id}': { }
     }
   }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.KeyVaultReferenceHandling.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.KeyVaultReferenceHandling.verified.bicep
@@ -72,6 +72,10 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
@@ -86,4 +90,4 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {
       '${api_identity_outputs_id}': { }
     }
   }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.ProjectWithManyReferenceTypes#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.ProjectWithManyReferenceTypes#00.verified.bicep
@@ -187,6 +187,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
@@ -202,4 +206,4 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
       '${env_outputs_azure_container_registry_managed_identity_id}': { }
     }
   }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.ProjectWithManyReferenceTypesAndContainerAppEnvironment#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.ProjectWithManyReferenceTypesAndContainerAppEnvironment#00.verified.bicep
@@ -187,6 +187,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
@@ -202,4 +206,4 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
       '${cae_outputs_azure_container_registry_managed_identity_id}': { }
     }
   }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExisting#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExisting#00.verified.bicep
@@ -56,6 +56,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExistingCosmosDB#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExistingCosmosDB#00.verified.bicep
@@ -62,6 +62,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExistingRedis#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.RoleAssignmentsWithAsExistingRedis#00.verified.bicep
@@ -62,6 +62,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: api_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureFunctionsTests.AddAzureFunctionsProject_WorksWithAddAzureContainerAppsInfrastructure#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureFunctionsTests.AddAzureFunctionsProject_WorksWithAddAzureContainerAppsInfrastructure#00.verified.bicep
@@ -107,6 +107,10 @@ resource funcapp 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: funcapp_identity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_AzureAppService_Works#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_AzureAppService_Works#00.verified.bicep
@@ -60,6 +60,10 @@ resource webapp 'Microsoft.Web/sites@2024-11-01' = {
           name: 'AZURE_CLIENT_ID'
           value: myidentity_outputs_clientid
         }
+        {
+          name: 'AZURE_TOKEN_CREDENTIALS'
+          value: 'ManagedIdentityCredential'
+        }
         {
           name: 'ASPIRE_ENVIRONMENT_NAME'
           value: 'appservice'
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_MultipleProjects_Works#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_MultipleProjects_Works#00.verified.bicep
@@ -56,6 +56,10 @@ resource myapp 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: myidentity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_MultipleProjects_Works#01.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_MultipleProjects_Works#01.verified.bicep
@@ -56,6 +56,10 @@ resource myapp2 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: myidentity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_Works#00.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_WithRoleAssignments_Works#00.verified.bicep
@@ -56,6 +56,10 @@ resource myapp 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: myidentity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]
@@ -71,4 +75,4 @@ resource myapp 'Microsoft.App/containerApps@2025-02-02-preview' = {
       '${cae_outputs_azure_container_registry_managed_identity_id}': { }
     }
   }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_Works.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.WithAzureUserAssignedIdentity_Works.verified.bicep
@@ -56,6 +56,10 @@ resource myapp 'Microsoft.App/containerApps@2025-02-02-preview' = {
               name: 'AZURE_CLIENT_ID'
               value: myidentity_outputs_clientid
             }
+            {
+              name: 'AZURE_TOKEN_CREDENTIALS'
+              value: 'ManagedIdentityCredential'
+            }
           ]
         }
       ]

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,13 @@ protected void AddAzureClientId(IAppIdentityResource? appIdentityResource, Bicep`
`75`	`75`	`Name = "AZURE_CLIENT_ID",`
`76`	`76`	`Value = AllocateParameter(appIdentityResource.ClientId)`
`77`	`77`	`});`
	`78`	`+`
	`79`	`+ // DefaultAzureCredential should only use ManagedIdentityCredential when running in Azure`
	`80`	`+ env.Add(new ContainerAppEnvironmentVariable`
	`81`	`+ {`
	`82`	`+ Name = "AZURE_TOKEN_CREDENTIALS",`
	`83`	`+ Value = "ManagedIdentityCredential"`
	`84`	`+ });`
`78`	`85`	`}`
`79`	`86`	`}`
`80`	`87`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,10 @@ resource webapp 'Microsoft.Web/sites@2024-11-01' = {`
`93`	`93`	`name: 'AZURE_CLIENT_ID'`
`94`	`94`	`value: api_identity_outputs_clientid`
`95`	`95`	`}`
	`96`	`+ {`
	`97`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`98`	`+ value: 'ManagedIdentityCredential'`
	`99`	`+ }`
`96`	`100`	`{`
`97`	`101`	`name: 'ASPIRE_ENVIRONMENT_NAME'`
`98`	`102`	`value: 'env'`
`@@ -141,4 +145,4 @@ resource api_ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
`141`	`145`	`principalType: 'ServicePrincipal'`
`142`	`146`	`}`
`143`	`147`	`scope: webapp`
`144`		`-}`
	`148`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,10 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {`
`79`	`79`	`name: 'AZURE_CLIENT_ID'`
`80`	`80`	`value: api_identity_outputs_clientid`
`81`	`81`	`}`
	`82`	`+ {`
	`83`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`84`	`+ value: 'ManagedIdentityCredential'`
	`85`	`+ }`
`82`	`86`	`]`
`83`	`87`	`}`
`84`	`88`	`]`
`@@ -93,4 +97,4 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {`
`93`	`97`	`'${api_identity_outputs_id}': { }`
`94`	`98`	`}`
`95`	`99`	`}`
`96`		`-}`
	`100`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,10 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {`
`72`	`72`	`name: 'AZURE_CLIENT_ID'`
`73`	`73`	`value: api_identity_outputs_clientid`
`74`	`74`	`}`
	`75`	`+ {`
	`76`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`77`	`+ value: 'ManagedIdentityCredential'`
	`78`	`+ }`
`75`	`79`	`]`
`76`	`80`	`}`
`77`	`81`	`]`
`@@ -86,4 +90,4 @@ resource api 'Microsoft.App/containerApps@2025-01-01' = {`
`86`	`90`	`'${api_identity_outputs_id}': { }`
`87`	`91`	`}`
`88`	`92`	`}`
`89`		`-}`
	`93`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -187,6 +187,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {`
`187`	`187`	`name: 'AZURE_CLIENT_ID'`
`188`	`188`	`value: api_identity_outputs_clientid`
`189`	`189`	`}`
	`190`	`+ {`
	`191`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`192`	`+ value: 'ManagedIdentityCredential'`
	`193`	`+ }`
`190`	`194`	`]`
`191`	`195`	`}`
`192`	`196`	`]`
`@@ -202,4 +206,4 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {`
`202`	`206`	`'${env_outputs_azure_container_registry_managed_identity_id}': { }`
`203`	`207`	`}`
`204`	`208`	`}`
`205`		`-}`
	`209`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {`
`56`	`56`	`name: 'AZURE_CLIENT_ID'`
`57`	`57`	`value: api_identity_outputs_clientid`
`58`	`58`	`}`
	`59`	`+ {`
	`60`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`61`	`+ value: 'ManagedIdentityCredential'`
	`62`	`+ }`
`59`	`63`	`]`
`60`	`64`	`}`
`61`	`65`	`]`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,10 @@ resource api 'Microsoft.App/containerApps@2025-02-02-preview' = {`
`62`	`62`	`name: 'AZURE_CLIENT_ID'`
`63`	`63`	`value: api_identity_outputs_clientid`
`64`	`64`	`}`
	`65`	`+ {`
	`66`	`+ name: 'AZURE_TOKEN_CREDENTIALS'`
	`67`	`+ value: 'ManagedIdentityCredential'`
	`68`	`+ }`
`65`	`69`	`]`
`66`	`70`	`}`
`67`	`71`	`]`