Updated the service principal code to leverage DefaultCredentials for Workload Identity Support.

Daniel Scholl requested to merge defaultcredentials into master

All Submissions:


  • [YES/NO] I have added an explanation of what changes in this merge do and why we should include it?
  • [YES/NO] I have updated the documentation accordingly.
  • [YES/NO/NA] I have added tests to cover my changes.
  • [YES/NO/NA] All new and existing tests passed.
  • [YES/NO/NA] My code follows the code style of this project.
  • [YES/NO/NA] I ran lint checks locally prior to submission.

What is the issue or story related to the change?


The current code is implemented in a way that supports AAD Pod Identity with a fallback to Service Principal.

The preferred approach is to use the DefaultAzureCredential instead, which supports chained credential checks.

DefaultAzureCredential tries the following authentication methods in order:

  1. Environment Credentials (service principal credentials in environment variables)
  2. Workload Identity Credentials (when running in AKS with Workload Identity)
  3. Managed Identity Credentials (including Pod Identity)
  4. Azure CLI Credentials (for local development)
  5. Visual Studio Code Credentials (for local development)
  6. Azure PowerShell Credentials (for local development)
  7. Interactive Browser Credentials (for local development)

High level design:

Issue:

Current code doesn't support Workload Identity

Change details:

Test coverage:


Does this introduce a breaking change?


  • [YES/NO]

Pending items


Reviewer request


  • Please provide an ETA when you plan to review this MR. Write a comment to decline or provide an ETA.
  • Block the MR if you feel there is less testing or no details in the MR
  • Please cover the following aspects in the MR -- Coding design: <Reviewer1> -- Backward Compatibility: <Reviewer2> -- Feature Logic: <Logic design> -- <Any other context mention here> OR -- <Component 1>: <Reviewer1> -- <CosmosDB>: <Reviewer2> -- <ServiceBus> <Reviewer3> -- <Mention any other component and owner>

Other information
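
Because environment credentials come first in the chain listed in the description, service principal variables left on a pod keep winning over Workload Identity after a change like this one. The following check is an added example, not code from this merge request or the project: it predicts from environment variables alone which of the first two links would be used and reports leftovers by name. The function names and sample environments are constructed, and the variable names are the ones the Azure Identity libraries document.

```python
"""Predict which DefaultAzureCredential link a pod's environment selects."""
import os

# Variable names as documented for the Azure Identity libraries. Assumption: only the
# client-secret and client-certificate forms of the environment credential are modelled.
ENV_BASE = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID")
ENV_SECRETS = ("AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PATH")
WORKLOAD_TOKEN = "AZURE_FEDERATED_TOKEN_FILE"


def _has(env, name):
    return bool(env.get(name, "").strip())


def first_configured(env):
    """Return the first chain link, in the order listed above, that env vars configure."""
    base = all(_has(env, n) for n in ENV_BASE)
    if base and any(_has(env, n) for n in ENV_SECRETS):
        return "environment"
    if base and _has(env, WORKLOAD_TOKEN):
        return "workload_identity"
    return "later_in_chain"  # managed identity or developer credentials, decided at runtime


def audit(env):
    """Return findings for a workload that is expected to use Workload Identity."""
    findings = []
    chosen = first_configured(env)
    secrets = ", ".join(n for n in ENV_SECRETS if _has(env, n))  # names only, never values
    if chosen == "environment" and _has(env, WORKLOAD_TOKEN):
        findings.append(f"service principal variables shadow workload identity: {secrets}")
    elif chosen == "environment":
        findings.append(f"long-lived service principal credential in use: {secrets}")
    elif secrets:
        findings.append(f"unused secret material left in environment: {secrets}")
    if chosen == "later_in_chain":
        findings.append("workload identity not configured; chain continues to managed identity")
    return findings


# Constructed sample environments (placeholder values, not taken from the merge request).
MIGRATED_POD = {"AZURE_TENANT_ID": "tenant-placeholder", "AZURE_CLIENT_ID": "client-placeholder",
                WORKLOAD_TOKEN: "/var/run/secrets/tokens/placeholder-token"}
STALE_SECRET_POD = dict(MIGRATED_POD, AZURE_CLIENT_SECRET="placeholder-secret")

if __name__ == "__main__":
    for finding in audit(os.environ) or ["ok: workload identity is the first configured link"]:
        print(finding)
```

Run inside the container, it audits the live environment; an empty result means no service principal variables sit in front of Workload Identity.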

