Library name
Microsoft.Extensions.Azure
Please describe the feature.
The Azure Identity library's `ManagedIdentityCredential` is being enhanced to support object ID for user-assigned managed identity. See #45605. Object ID is an alternative to using client ID or resource ID. With regards to `ManagedIdentityCredential`, we should have feature parity between Azure.Identity and Microsoft.Extensions.Azure. It would involve updating the code below, where the existing check that rejects both `clientId` and `managedIdentityResourceId` would also need to cover the new object ID setting, so that exactly one identifier is accepted:
|
if (string.Equals(credentialType, "managedidentity", StringComparison.OrdinalIgnoreCase)) |
|
{ |
|
if (!string.IsNullOrWhiteSpace(clientId) && !string.IsNullOrWhiteSpace(resourceId)) |
|
{ |
|
throw new ArgumentException("Cannot specify both 'clientId' and 'managedIdentityResourceId'"); |
|
} |
|
|
|
if (!string.IsNullOrWhiteSpace(resourceId)) |
|
{ |
|
return new ManagedIdentityCredential(new ResourceIdentifier(resourceId)); |
|
} |
|
|
|
return new ManagedIdentityCredential(clientId); |
|
} |
From a customer's perspective, they should be able to provide configuration like the following:
{
"credential": "managedidentity",
"managedIdentityObjectId": "<managedIdentityObjectId>"
}
Since we don't support object ID via `DefaultAzureCredential`, the following code flow is unaffected:
|
if (additionallyAllowedTenantsList != null |
|
|| !string.IsNullOrWhiteSpace(tenantId) |
|
|| !string.IsNullOrWhiteSpace(clientId) |
|
|| !string.IsNullOrWhiteSpace(resourceId)) |
|
{ |
|
var options = new DefaultAzureCredentialOptions(); |
|
if (additionallyAllowedTenantsList != null) |
|
{ |
|
foreach (string tenant in additionallyAllowedTenantsList) |
|
{ |
|
options.AdditionallyAllowedTenants.Add(tenant); |
|
} |
|
} |
|
|
|
if (!string.IsNullOrWhiteSpace(tenantId)) |
|
{ |
|
options.TenantId = tenantId; |
|
} |
|
|
|
if (!string.IsNullOrWhiteSpace(clientId)) |
|
{ |
|
options.ManagedIdentityClientId = clientId; |
|
} |
|
|
|
// validation that both clientId and ResourceId are not set happens in Azure.Identity |
|
if (!string.IsNullOrWhiteSpace(resourceId)) |
|
{ |
|
options.ManagedIdentityResourceId = new ResourceIdentifier(resourceId); |
|
} |
|
|
|
return new DefaultAzureCredential(options); |
|
} |