
Support Azure Managed Identity authentication for Azure Storage model repositories#468

Open
nightflight-dk wants to merge 5 commits into triton-inference-server:main from nightflight-dk:main

Conversation

@nightflight-dk

Issue triton-inference-server/server#8614

Summary

Adds first-class support for Azure Managed Identity (MI) and DefaultAzureCredential as authentication methods when accessing Azure Blob Storage-backed model repositories. This eliminates the requirement to distribute shared storage account keys in enterprise environments.

Motivation

Today, Triton only supports shared key (AZURE_STORAGE_KEY) authentication for Azure Storage. In many enterprise environments, long-lived secrets are disallowed or require burdensome rotation workflows. Azure Managed Identity is the standard approach for eliminating credential sprawl on Azure infrastructure (AKS, VM/VMSS, App Service).

Changes

Build system:

  • Added azure-identity-cpp as a new dependency alongside existing azure-storage-blobs-cpp
  • Updated find_package, target_include_directories, and target_link_libraries in src/CMakeLists.txt
  • Added azure-identity-cpp_DIR package path in top-level CMakeLists.txt

ASCredential (as.h):

  • New fields: auth_type_ ("key", "managed_identity", or "default") and client_id_ (for user-assigned MI)
  • Environment variable constructor reads AZURE_STORAGE_AUTH_TYPE and AZURE_STORAGE_CLIENT_ID
  • JSON credential file constructor reads auth_type and client_id fields

ASFileSystem constructor (as.h):

  • New auth branch: "managed_identity" → Azure::Identity::ManagedIdentityCredential (system- or user-assigned via client_id)
  • New auth branch: "default" → Azure::Identity::DefaultAzureCredential chain
  • Existing shared key and anonymous paths preserved unchanged
  • Diagnostic LOG_VERBOSE messages for operator visibility

Configuration

Environment Variable       Purpose
AZURE_STORAGE_AUTH_TYPE    "key" (default), "managed_identity", or "default"
AZURE_STORAGE_CLIENT_ID    Client ID for user-assigned Managed Identity (optional)

Credential file (TRITON_CLOUD_CREDENTIAL_PATH) also supports auth_type and client_id fields.

Backwards Compatibility

Fully backwards-compatible. When AZURE_STORAGE_AUTH_TYPE is unset and AZURE_STORAGE_KEY is present, behavior is identical to the current release. No changes to existing CLI flags or default behavior.

Prerequisites for Managed Identity

  • The Triton host must have a Managed Identity assigned
  • The identity must have Storage Blob Data Reader (or broader) on the target storage account/container
  • The azure-identity-cpp library must be built and installed in the third-party dependencies (requires corresponding update to triton-inference-server/third_party)

Files Changed

  • CMakeLists.txt — package path for azure-identity-cpp
  • src/CMakeLists.txt — find_package, include dirs, link target
  • src/filesystem/implementations/as.h — credential struct and filesystem constructor
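As an added example (not code from this PR or from Triton itself), the C++ below resolves which credential path the variables and fields described above select, and rejects or warns on inconsistent combinations before any Azure SDK object is constructed. Beyond what the description states, it assumes that auth type "key" with no AZURE_STORAGE_KEY falls through to the existing anonymous path and that a user-assigned client ID is a GUID; the names ResolveAsAuth, AsAuthConfig, AsAuthMode and IsGuid are hypothetical. The checks a practitioner would want are the ones the description leaves implicit: a stray AZURE_STORAGE_KEY under managed_identity is flagged rather than silently ignored (otherwise the shared key this feature exists to retire stays in the environment), a client ID that is not a GUID is rejected at startup instead of failing at token time, and an unknown auth type is an error rather than a fallback.

```cpp
// Added example, not code from the Triton PR. Resolves the Azure Storage
// credential path from the environment variables the PR documents.
// Assumptions: auth type "key" without a key means the existing anonymous
// path; a user-assigned Managed Identity client ID is a GUID.
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

enum class AsAuthMode {
  SharedKey,         // AZURE_STORAGE_KEY, unchanged current behaviour
  Anonymous,         // auth type "key" with no key set (assumption)
  SystemAssignedMI,  // "managed_identity" without AZURE_STORAGE_CLIENT_ID
  UserAssignedMI,    // "managed_identity" with AZURE_STORAGE_CLIENT_ID
  DefaultChain       // "default": DefaultAzureCredential chain
};

struct AsAuthConfig {
  AsAuthMode mode{AsAuthMode::Anonymous};
  std::string client_id;    // set only for UserAssignedMI
  std::string account_key;  // set only for SharedKey
  std::string warning;      // non-fatal misconfiguration worth logging
};

using Env = std::map<std::string, std::string>;

static std::string EnvGet(const Env& env, const std::string& name) {
  auto it = env.find(name);
  return it == env.end() ? std::string() : it->second;
}

// Azure client IDs are GUIDs (8-4-4-4-12 hex). Rejecting a resource ID or a
// display name here is cheaper than a confusing token failure at runtime.
bool IsGuid(const std::string& s) {
  if (s.size() != 36) return false;
  for (size_t i = 0; i < s.size(); ++i) {
    const bool dash = (i == 8 || i == 13 || i == 18 || i == 23);
    const unsigned char c = static_cast<unsigned char>(s[i]);
    if (dash ? s[i] != '-' : !std::isxdigit(c)) return false;
  }
  return true;
}

AsAuthConfig ResolveAsAuth(const Env& env) {
  std::string auth_type = EnvGet(env, "AZURE_STORAGE_AUTH_TYPE");
  if (auth_type.empty()) auth_type = "key";  // default documented in the PR
  const std::string key = EnvGet(env, "AZURE_STORAGE_KEY");
  const std::string client_id = EnvGet(env, "AZURE_STORAGE_CLIENT_ID");

  AsAuthConfig cfg;
  if (auth_type == "key") {
    if (!client_id.empty())
      cfg.warning = "AZURE_STORAGE_CLIENT_ID is ignored when AZURE_STORAGE_AUTH_TYPE=key";
    if (key.empty()) {
      cfg.mode = AsAuthMode::Anonymous;
    } else {
      cfg.mode = AsAuthMode::SharedKey;
      cfg.account_key = key;
    }
  } else if (auth_type == "managed_identity") {
    // A key left in the environment is exactly the secret this mode removes;
    // warn so operators strip it instead of believing it is still in use.
    if (!key.empty())
      cfg.warning = "AZURE_STORAGE_KEY is set but ignored under managed_identity; remove it";
    if (client_id.empty()) {
      cfg.mode = AsAuthMode::SystemAssignedMI;
    } else {
      if (!IsGuid(client_id))
        throw std::invalid_argument("AZURE_STORAGE_CLIENT_ID must be the identity's client ID (GUID): " + client_id);
      cfg.mode = AsAuthMode::UserAssignedMI;
      cfg.client_id = client_id;
    }
  } else if (auth_type == "default") {
    // DefaultAzureCredential probes several token sources; in production
    // "managed_identity" keeps the source explicit and auditable.
    if (!key.empty())
      cfg.warning = "AZURE_STORAGE_KEY is set but ignored under default; remove it";
    cfg.mode = AsAuthMode::DefaultChain;
  } else {
    throw std::invalid_argument("unknown AZURE_STORAGE_AUTH_TYPE: " + auth_type);
  }
  return cfg;
}

static const char* ModeName(AsAuthMode m) {
  switch (m) {
    case AsAuthMode::SharedKey: return "shared key";
    case AsAuthMode::Anonymous: return "anonymous";
    case AsAuthMode::SystemAssignedMI: return "system-assigned managed identity";
    case AsAuthMode::UserAssignedMI: return "user-assigned managed identity";
    case AsAuthMode::DefaultChain: return "DefaultAzureCredential chain";
  }
  return "unknown";
}

// Stand-alone run: read the real process environment and report the outcome.
int main() {
  Env env;
  for (const char* name : {"AZURE_STORAGE_AUTH_TYPE", "AZURE_STORAGE_KEY", "AZURE_STORAGE_CLIENT_ID"}) {
    if (const char* v = std::getenv(name)) env[name] = v;
  }
  try {
    const AsAuthConfig cfg = ResolveAsAuth(env);
    std::cout << "auth mode: " << ModeName(cfg.mode) << '\n';
    if (!cfg.warning.empty()) std::cout << "warning: " << cfg.warning << '\n';
  } catch (const std::invalid_argument& e) {
    std::cerr << "config error: " << e.what() << '\n';
    return 1;
  }
  return 0;
}
```

Build with `g++ -std=c++17 as_auth.cpp -o as_auth` and run it with the same environment the Triton container would receive (for example `AZURE_STORAGE_AUTH_TYPE=managed_identity AZURE_STORAGE_CLIENT_ID=<guid> ./as_auth`); a non-zero exit or a printed warning is the signal to fix the deployment manifest before the server is started.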

@whoisj whoisj left a comment

LGTM

@whoisj whoisj left a comment

Fixup for pre-commit complaints.

@yinggeh yinggeh left a comment

LGTM in general. Please fix pre-commit error and address the comments.

whoisj and others added 3 commits March 6, 2026 13:46
if (!as_cred.client_id_.empty()) {
// User-assigned Managed Identity: specify the client ID.
Azure::Identity::ManagedIdentityCredentialOptions mi_opts;
mi_opts.ClientId = as_cred.client_id_;
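Review bot: `mi_opts.ClientId` on the last line of this snippet is not a member of `Azure::Identity::ManagedIdentityCredentialOptions` (the struct reference linked in the review below exposes no such field), so the user-assigned branch cannot compile. Select the identity through an API azure-identity-cpp actually provides, for example the `ManagedIdentityCredential` constructor overload that takes the client ID string, `Azure::Identity::ManagedIdentityCredential(as_cred.client_id_, mi_opts)`, or on releases that have it, `mi_opts.IdentityId = Azure::Identity::ManagedIdentityId::FromUserAssignedClientId(as_cred.client_id_)`, and pin the matching library version in triton-inference-server/third_party so the build is reproducible.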
there does not appear to be a .ClientId field on Azure::Identity::ManagedIdentityCredentialOptions.

https://learn.microsoft.com/en-us/cpp/api/azure-identity/struct_azure_1_1_identity_1_1_managed_identity_credential_options?view=azure-cpp


whoisj commented Mar 19, 2026

@nightflight-dk this PR fails to build as-is. Please see my review comment for an explanation. Thank you.
