Update AAD token request target resource uri for ACR access (#4654)

* update target resource uri * resolve build errors * update comment * re-add ArmResourceManagerId * add obsolete attribute * make uri non-configurable * remove local var * move uri to config * set as default ARM uri to avoid breaking OSS scenarios
microsoft · Oct 2, 2024 · 37a7b85 · 37a7b85
1 parent a745775
commit 37a7b85
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/...icrosoft.Health.Fhir.Azure/ContainerRegistry/AzureContainerRegistryAccessTokenProvider.cs b/...icrosoft.Health.Fhir.Azure/ContainerRegistry/AzureContainerRegistryAccessTokenProvider.cs
@@ -59,7 +59,7 @@ public async Task<string> GetTokenAsync(string registryServer, CancellationToken
         {
             EnsureArg.IsNotNullOrEmpty(registryServer, nameof(registryServer));
 
-            var aadResourceUri = new Uri(_convertDataConfiguration.ArmResourceManagerId);
+            var aadResourceUri = _convertDataConfiguration.AcrTargetResourceUri;
             string aadToken;
             try
             {

diff --git a/src/Microsoft.Health.Fhir.Core/Configs/ConvertDataConfiguration.cs b/src/Microsoft.Health.Fhir.Core/Configs/ConvertDataConfiguration.cs
@@ -22,10 +22,19 @@ public class ConvertDataConfiguration
         public ICollection<string> ContainerRegistryServers { get; } = new List<string>();
 
         /// <summary>
-        /// ArmResourceManagerId to aquire AAD token for ACR access token since ACR is not an AAD resource.
+        /// AcrTargetResourceUri to acquire AAD token for ACR access token since ACR is not an AAD resource.
+        /// The value is "https://management.azure.com/" for AzureCloud and DogFood. Could be changed to "https://management.usgovcloudapi.net/" for Azure Government and "https://management.chinacloudapi.cn/ " for Azure China.
+        /// To enable Trusted Services scenarios, we must use the ACR-specific URI rather than the more generic ARM URI. https://dev.azure.com/msazure/AzureContainerRegistry/_wiki/wikis/ACR%20Specs/480000/TrustedServicesPatterns
+        /// The value is "https://containerregistry.azure.net/" for all cloud environments.
+        /// </summary>
+        public Uri AcrTargetResourceUri { get; set; } = new Uri("https://management.azure.com/");
+
+        /// <summary>
+        /// ArmResourceManagerId to acquire AAD token for ACR access token since ACR is not an AAD resource.
         /// The value is "https://management.azure.com/" for AzureCloud and DogFood.
         /// Could be changed to "https://management.usgovcloudapi.net/" for Azure Government and "https://management.chinacloudapi.cn/ " for Azure China.
         /// </summary>
+        [Obsolete("Use AcrTargetResourceUri instead.")]
         public string ArmResourceManagerId { get; set; } = "https://management.azure.com/";
 
         /// <summary>