[Identity] Add support for Bridge to Kubernetes to ManagedIdentityCre…

…dential (#15856)

* [Identity] Add support for Bridge to Kubernetes to ManagedIdentityCredential

* one very simple test

* forgot this line

sdk/identity/identity/CHANGELOG.md

@@ -37,6 +37,7 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
+- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
 
 ### Breaking changes from 2.0.0-beta.1
 

sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts

@@ -44,7 +44,7 @@ function prepareRequestOptions(resource?: string, clientId?: string): RequestPre
   }
 
   return {
-    url: imdsEndpoint,
+    url: process.env.AZURE_POD_IDENTITY_TOKEN_URL ?? imdsEndpoint,
     method: "GET",
     queryParameters,
     headers: {
@@ -73,6 +73,11 @@ export const imdsMsi: MSI = {
       getTokenOptions
     );
 
+    // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+    if (process.env.AZURE_POD_IDENTITY_TOKEN_URL) {
+      return true;
+    }
+
     const request = prepareRequestOptions(resource, clientId);
 
     // This will always be populated, but let's make TypeScript happy

sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts

@@ -15,7 +15,10 @@ import {
 import { MockAuthHttpClient, MockAuthHttpClientOptions, assertRejects } from "../../authTestUtils";
 import { OAuthErrorResponse } from "../../../src/client/errors";
 import Sinon from "sinon";
-import { imdsMsiRetryConfig } from "../../../src/credentials/managedIdentityCredential/imdsMsi";
+import {
+  imdsMsi,
+  imdsMsiRetryConfig
+} from "../../../src/credentials/managedIdentityCredential/imdsMsi";
 import { mkdtempSync, rmdirSync, unlinkSync, writeFileSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
@@ -37,6 +40,7 @@ describe("ManagedIdentityCredential", function() {
     delete process.env.MSI_SECRET;
     delete process.env.IDENTITY_SERVER_THUMBPRINT;
     delete process.env.IMDS_ENDPOINT;
+    delete process.env.AZURE_POD_IDENTITY_TOKEN_URL;
     sandbox = Sinon.createSandbox();
   });
   afterEach(() => {
@@ -47,6 +51,7 @@ describe("ManagedIdentityCredential", function() {
     process.env.MSI_SECRET = env.MSI_SECRET;
     process.env.IDENTITY_SERVER_THUMBPRINT = env.IDENTITY_SERVER_THUMBPRINT;
     process.env.IMDS_ENDPOINT = env.IMDS_ENDPOINT;
+    process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL;
     sandbox.restore();
   });
 
@@ -244,6 +249,12 @@ describe("ManagedIdentityCredential", function() {
     clock.restore();
   });
 
+  it("IMDS MSI skips verification if the AZURE_POD_IDENTITY_TOKEN_URL environment variable is available", async function() {
+    process.env.AZURE_POD_IDENTITY_TOKEN_URL = "token URL";
+
+    assert.ok(await imdsMsi.isAvailable());
+  });
+
   // Unavailable exception throws while IMDS endpoint is unavailable. This test not valid.
   // it("can extend timeout for IMDS endpoint", async function() {
   //   // Mock a timeout so that the endpoint ping fails