Revert order of credentials used within the DefaultAzureCredential (#5156)

back to what it was at previous GA.
2023-11-10 20:15:31 -08:00 · 2023-11-10 20:15:31 -08:00 · 3b3795f3df
commit 3b3795f3df
parent d2419de28d
6 changed files with 21 additions and 21 deletions
--- a/sdk/identity/azure-identity/README.md
+++ b/sdk/identity/azure-identity/README.md
@ -58,8 +58,8 @@ The `DefaultAzureCredential` attempts to authenticate via the following mechanis

 1. **Environment** - The `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate.
 1. **Workload Identity Credential** - If the developer authenticates using a Kubernetes service account token.
-1. **Managed Identity** - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.
 1. **Azure CLI** - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account.
+1. **Managed Identity** - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.

 Even though the credentials being used and their order is documented, it may change from release to release.

--- a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md
+++ b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md
@ -6,7 +6,7 @@
 %% 2. Run command: mmdc -i DefaultAzureCredentialAuthFlow.md -o DefaultAzureCredentialAuthFlow.svg

 flowchart LR;
-    A(Environment):::deployed ==> B(Workload Identity):::deployed ==> C(Managed Identity):::deployed ==> D(Azure CLI):::developer;
+    A(Environment):::deployed ==> B(Workload Identity):::deployed ==> C(Azure CLI):::developer ==> D(Managed Identity):::deployed;

    subgraph CREDENTIAL TYPES;
        direction LR;
--- a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg
+++ b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg
--- a/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp
+++ b/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp
@ -30,7 +30,7 @@ namespace Azure { namespace Identity {
   *
   * @details This credential is using several credentials in the following order:
   * #Azure::Identity::EnvironmentCredential, #Azure::Identity::WorkloadIdentityCredential,
-   * #Azure::Identity::ManagedIdentityCredential, and #Azure::Identity::AzureCliCredential. Even
+   * #Azure::Identity::AzureCliCredential, and #Azure::Identity::ManagedIdentityCredential. Even
   * though the credentials being used and their order is documented, it may be changed in the
   * future versions of the SDK, potentially introducing breaking changes in its behavior.
   *
--- a/sdk/identity/azure-identity/src/default_azure_credential.cpp
+++ b/sdk/identity/azure-identity/src/default_azure_credential.cpp
@ -40,14 +40,14 @@ DefaultAzureCredential::DefaultAzureCredential(
  // Creating credentials in order to ensure the order of log messages.
  auto const envCred = std::make_shared<EnvironmentCredential>(options);
  auto const wiCred = std::make_shared<WorkloadIdentityCredential>(options);
-  auto const managedIdentityCred = std::make_shared<ManagedIdentityCredential>(options);
  auto const azCliCred = std::make_shared<AzureCliCredential>(options);
+  auto const managedIdentityCred = std::make_shared<ManagedIdentityCredential>(options);

  // DefaultAzureCredential caches the selected credential, so that it can be reused on subsequent
  // calls.
  m_impl = std::make_unique<_detail::ChainedTokenCredentialImpl>(
      GetCredentialName(),
-      ChainedTokenCredential::Sources{envCred, wiCred, managedIdentityCred, azCliCred},
+      ChainedTokenCredential::Sources{envCred, wiCred, azCliCred, managedIdentityCred},
      true);
 }

--- a/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp
+++ b/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp
@ -198,40 +198,40 @@ TEST(DefaultAzureCredential, LogMessages)
        EXPECT_EQ(log[3].first, Logger::Level::Informational);
        EXPECT_EQ(log[3].second, "Identity: WorkloadIdentityCredential was created successfully.");

-        EXPECT_EQ(log[4].first, Logger::Level::Verbose);
-        EXPECT_EQ(
-            log[4].second,
-            "Identity: ManagedIdentityCredential: Environment is not set up for the credential "
-            "to be created with App Service 2019 source.");
-
        EXPECT_EQ(log[5].first, Logger::Level::Verbose);
        EXPECT_EQ(
            log[5].second,
            "Identity: ManagedIdentityCredential: Environment is not set up for the credential "
-            "to be created with App Service 2017 source.");
+            "to be created with App Service 2019 source.");

        EXPECT_EQ(log[6].first, Logger::Level::Verbose);
        EXPECT_EQ(
            log[6].second,
            "Identity: ManagedIdentityCredential: Environment is not set up for the credential "
-            "to be created with Cloud Shell source.");
+            "to be created with App Service 2017 source.");

        EXPECT_EQ(log[7].first, Logger::Level::Verbose);
        EXPECT_EQ(
            log[7].second,
            "Identity: ManagedIdentityCredential: Environment is not set up for the credential "
-            "to be created with Azure Arc source.");
+            "to be created with Cloud Shell source.");

-        EXPECT_EQ(log[8].first, Logger::Level::Informational);
+        EXPECT_EQ(log[8].first, Logger::Level::Verbose);
        EXPECT_EQ(
            log[8].second,
-            "Identity: ManagedIdentityCredential will be created "
-            "with Azure Instance Metadata Service source."
-            "\nSuccessful creation does not guarantee further successful token retrieval.");
+            "Identity: ManagedIdentityCredential: Environment is not set up for the credential "
+            "to be created with Azure Arc source.");

        EXPECT_EQ(log[9].first, Logger::Level::Informational);
        EXPECT_EQ(
            log[9].second,
+            "Identity: ManagedIdentityCredential will be created "
+            "with Azure Instance Metadata Service source."
+            "\nSuccessful creation does not guarantee further successful token retrieval.");
+
+        EXPECT_EQ(log[4].first, Logger::Level::Informational);
+        EXPECT_EQ(
+            log[4].second,
            "Identity: AzureCliCredential created."
            "\nSuccessful creation does not guarantee further successful token retrieval.");

@ -239,8 +239,8 @@ TEST(DefaultAzureCredential, LogMessages)
        EXPECT_EQ(
            log[10].second,
            "Identity: DefaultAzureCredential: Created with the following credentials: "
-            "EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, "
-            "AzureCliCredential.");
+            "EnvironmentCredential, WorkloadIdentityCredential, AzureCliCredential, "
+            "ManagedIdentityCredential.");

        log.clear();