[FEATURE REQ] Support object ID for ManagedIdentityCredential in AzureComponentFactory #45661

Open

Description

Library name

Microsoft.Extensions.Azure

Please describe the feature.

The Azure Identity library's ManagedIdentityCredential is being enhanced to support object ID for user-assigned managed identity. See #45605. Object ID is an alternative to using client ID or resource ID. With regard to ManagedIdentityCredential, we should have feature parity between Azure.Identity and Microsoft.Extensions.Azure. It would involve updating this code:

```csharp
if (string.Equals(credentialType, "managedidentity", StringComparison.OrdinalIgnoreCase))
{
    if (!string.IsNullOrWhiteSpace(clientId) && !string.IsNullOrWhiteSpace(resourceId))
    {
        throw new ArgumentException("Cannot specify both 'clientId' and 'managedIdentityResourceId'");
    }
    if (!string.IsNullOrWhiteSpace(resourceId))
    {
        return new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
    }
    // A null clientId selects the system-assigned identity
    return new ManagedIdentityCredential(clientId);
}
```

From a customer's perspective, they should be able to provide configuration like the following:

```json
{
    "credential": "managedidentity",
    "managedIdentityObjectId": "<managedIdentityObjectId>"
}
```

Since we don't support object ID via DefaultAzureCredential, the following code flow is unaffected:

```csharp
if (additionallyAllowedTenantsList != null
    || !string.IsNullOrWhiteSpace(tenantId)
    || !string.IsNullOrWhiteSpace(clientId)
    || !string.IsNullOrWhiteSpace(resourceId))
{
    var options = new DefaultAzureCredentialOptions();
    if (additionallyAllowedTenantsList != null)
    {
        foreach (string tenant in additionallyAllowedTenantsList)
        {
            options.AdditionallyAllowedTenants.Add(tenant);
        }
    }
    if (!string.IsNullOrWhiteSpace(tenantId))
    {
        options.TenantId = tenantId;
    }
    if (!string.IsNullOrWhiteSpace(clientId))
    {
        options.ManagedIdentityClientId = clientId;
    }
    // validation that both clientId and ResourceId are not set happens in Azure.Identity
    if (!string.IsNullOrWhiteSpace(resourceId))
    {
        options.ManagedIdentityResourceId = new ResourceIdentifier(resourceId);
    }
    return new DefaultAzureCredential(options);
}
```
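As an added example (not code from the issue or from Microsoft.Extensions.Azure), the sketch below shows how the `managedidentity` branch of the factory could accept a third, mutually exclusive identifier. It assumes Azure.Identity 1.13 or later, where `ManagedIdentityId.FromUserAssignedObjectId` and the `ManagedIdentityCredential(ManagedIdentityId)` constructor exist (the API the issue says is being added); the class name `ManagedIdentityCredentialBuilder` is hypothetical, and the `managedIdentityObjectId` key spelling follows the issue's proposed configuration.

```csharp
// Added example, not the Microsoft.Extensions.Azure implementation.
// Assumes Azure.Identity >= 1.13 (ManagedIdentityId API); the helper name is hypothetical.
using System;
using System.Collections.Generic;
using Azure.Core;
using Azure.Identity;

public static class ManagedIdentityCredentialBuilder
{
    // Builds a ManagedIdentityCredential from the three optional configuration values.
    // At most one of clientId / managedIdentityResourceId / managedIdentityObjectId may be set;
    // setting none yields the system-assigned identity, matching the existing null-clientId behaviour.
    public static ManagedIdentityCredential Create(string clientId, string resourceId, string objectId)
    {
        var supplied = new List<string>();
        if (!string.IsNullOrWhiteSpace(clientId)) supplied.Add("clientId");
        if (!string.IsNullOrWhiteSpace(resourceId)) supplied.Add("managedIdentityResourceId");
        if (!string.IsNullOrWhiteSpace(objectId)) supplied.Add("managedIdentityObjectId");

        // Rejecting ambiguous configuration up front is the property worth preserving when a
        // third identifier is added: silently picking one would run the app as a different identity.
        if (supplied.Count > 1)
        {
            throw new ArgumentException(
                "Only one of 'clientId', 'managedIdentityResourceId' and 'managedIdentityObjectId' " +
                $"may be specified; got: {string.Join(", ", supplied)}");
        }

        if (!string.IsNullOrWhiteSpace(resourceId))
        {
            return new ManagedIdentityCredential(
                ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)));
        }
        if (!string.IsNullOrWhiteSpace(objectId))
        {
            return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedObjectId(objectId));
        }
        if (!string.IsNullOrWhiteSpace(clientId))
        {
            return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId(clientId));
        }
        return new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
    }

    public static void Main()
    {
        // Constructed sample GUIDs, not real identities. Constructing the credential does not
        // contact the IMDS endpoint; a token is only requested on GetToken.
        var fromObjectId = Create(
            clientId: null,
            resourceId: null,
            objectId: "00000000-0000-0000-0000-000000000001");
        Console.WriteLine($"Built {fromObjectId.GetType().Name} from object ID");

        try
        {
            Create(
                clientId: "00000000-0000-0000-0000-000000000002",
                resourceId: null,
                objectId: "00000000-0000-0000-0000-000000000001");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"Rejected ambiguous configuration: {ex.Message}");
        }
    }
}
```

The only design decision beyond the existing two-way check is collecting every supplied identifier and rejecting any combination of two or more, so the error message names exactly which keys collided rather than special-casing each pair.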

Metadata

Labels

- Azure.Identity
- Client: This issue points to a problem in the data-plane of the library.
- Extensions: ASP.NET Core extensions
- feature-request: This issue requires a new behavior in the product in order to be resolved.