diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md index b7c5ac838..6b0d8f175 100644 --- a/sdk/identity/azure-identity/CHANGELOG.md +++ b/sdk/identity/azure-identity/CHANGELOG.md @@ -4,12 +4,12 @@ ### Features Added -- Added `UseProbeRequest` option for `ManagedIdentityCredential`. -- By default, `ManagedIdentityCredential` does not send a probe request, unless it is a part of credential chain in `DefaultAzureCredential`. - When `AZURE_TOKEN_CREDENTIALS` environment variable is configured to `ManagedIdentityCredential`, the `DefaultAzureCredential` does not issue a probe request and performs retries with exponential backoff. ### Breaking Changes +- By default, `ManagedIdentityCredential` does not send a probe request, unless it is a part of credential chain in `DefaultAzureCredential`. + ### Bugs Fixed ### Other Changes diff --git a/sdk/identity/azure-identity/inc/azure/identity/managed_identity_credential.hpp b/sdk/identity/azure-identity/inc/azure/identity/managed_identity_credential.hpp index 7488a5b1f..b1b2056dd 100644 --- a/sdk/identity/azure-identity/inc/azure/identity/managed_identity_credential.hpp +++ b/sdk/identity/azure-identity/inc/azure/identity/managed_identity_credential.hpp 
@@ -168,18 +168,6 @@ namespace Azure { namespace Identity { * it was configured. */ ManagedIdentityId IdentityId; - - /** - * @brief If Azure Instance Metadata Service (IMDS) gets selected as managed identity source, - * specifies whether the first request should be a short probe request (`true`), instead of a - * normal request with retries and exponential backoff (`false`). Default is `false`. - * - * @note When `true`, there's a potential that the credential would not detect IMDS being - * available on a machine, if the response was not received fast enough. When `false` and IMDS - * is not available, credential creation may take tens of seconds until multiple attempts to get - * a response from IMDS would fail. - */ - bool UseProbeRequest = false; }; /** @@ -190,6 +178,8 @@ namespace Azure { namespace Identity { * https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview */ class ManagedIdentityCredential final : public Core::Credentials::TokenCredential { + friend class DefaultAzureCredential; + private: std::unique_ptr<_detail::ManagedIdentitySource> m_managedIdentitySource; @@ -212,9 +202,8 @@ namespace Azure { namespace Identity { * @param options Options for token retrieval. */ explicit ManagedIdentityCredential( - std::string const& clientId = std::string(), - Core::Credentials::TokenCredentialOptions const& options - = Core::Credentials::TokenCredentialOptions()); + std::string const& clientId = {}, + Core::Credentials::TokenCredentialOptions const& options = {}); /** * @brief Constructs a Managed Identity Credential. diff --git a/sdk/identity/azure-identity/src/default_azure_credential.cpp b/sdk/identity/azure-identity/src/default_azure_credential.cpp index 5f3faa2b5..c486ca6ff 100644 --- a/sdk/identity/azure-identity/src/default_azure_credential.cpp +++ b/sdk/identity/azure-identity/src/default_azure_credential.cpp 
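Review bot: Deleting `UseProbeRequest` also deletes the only public-header text that warned that a probe can mistake a slow IMDS for an absent one, yet the probe still happens whenever this credential sits in DefaultAzureCredential's chain (the `!specificCred` argument in default_azure_credential.cpp), so DefaultAzureCredential users lose a caveat that still applies to them. Suggest carrying it over to the class doc of ManagedIdentityCredential, e.g. `@note When used inside DefaultAzureCredential the first IMDS request is a short probe without retries, so a slow IMDS response may be taken as IMDS being unavailable.` The `ManagedIdentityCredentialOptions` struct starts before this hunk.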
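Review bot: `friend class DefaultAzureCredential;` exposes every private member of ManagedIdentityCredential, `m_managedIdentitySource` included, when all DefaultAzureCredential appears to need is the private constructor it invokes as `ManagedIdentityCredential({}, !specificCred, options)` in default_azure_credential.cpp; that constructor is not in this hunk, so this is inferred from the call site. A passkey (a private tag type that only DefaultAzureCredential can construct, accepted by that one constructor) or a factory in the `_detail` namespace would keep the access to exactly that constructor. At minimum the friend line deserves a comment stating its scope, e.g. `// Friend solely so the credential chain can reach the private (clientId, useProbeRequest, options) constructor.` so the next maintainer does not read it as a licence to touch internals.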
@@ -92,16 +92,9 @@ DefaultAzureCredential::DefaultAzureCredential( CredentialInfo{ true, "ManagedIdentityCredential", - [&](auto options) { - // If specifically 'ManagedIdentityCredential' is used, do not perform a probe - // request, going for the full retry with exponential backoffs instead. - ManagedIdentityCredentialOptions managedIdentityCredentialOptions; - static_cast( - managedIdentityCredentialOptions) - = options; - - managedIdentityCredentialOptions.UseProbeRequest = !specificCred; - return std::make_shared(managedIdentityCredentialOptions); + [&specificCred](auto options) { + return std::shared_ptr( + new ManagedIdentityCredential({}, !specificCred, options)); }}, CredentialInfo{ false, diff --git a/sdk/identity/azure-identity/src/managed_identity_credential.cpp b/sdk/identity/azure-identity/src/managed_identity_credential.cpp index c61bc5eff..796f3873e 100644 --- a/sdk/identity/azure-identity/src/managed_identity_credential.cpp +++ b/sdk/identity/azure-identity/src/managed_identity_credential.cpp 
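Review bot: The new factory passes `!specificCred` as a bare positional bool, and the removed comment was the only explanation of why a specifically requested ManagedIdentityCredential skips the probe; keep a line such as `// Probe IMDS only when MI is one candidate in the chain; a specifically requested MI goes straight to retries with backoff.` above the `new`. The constructor it calls is private (hence `friend class DefaultAzureCredential` in the header), which rules out `std::make_shared`; `std::shared_ptr<T>(new T(...))` on its own is acceptable since that constructor deletes the pointer if it throws. The template argument of `std::shared_ptr(` (and of the removed `static_cast(`) looks stripped in this rendering, as CTAD cannot deduce it from a raw pointer, so the real source presumably reads `std::shared_ptr<ManagedIdentityCredential>`. `[&specificCred]` captures a reference into the enclosing constructor's scope, which is only safe if the factory lambda runs before that constructor returns; the CredentialInfo list's lifetime is outside this hunk, so worth confirming. DefaultAzureCredential::DefaultAzureCredential starts and ends outside the hunk.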
@@ -75,35 +75,20 @@ ManagedIdentityCredential::ManagedIdentityCredential( switch (idType) { case ManagedIdentityIdKind::SystemAssigned: - m_managedIdentitySource = CreateManagedIdentitySource( - GetCredentialName(), {}, {}, {}, options.UseProbeRequest, options); + m_managedIdentitySource + = CreateManagedIdentitySource(GetCredentialName(), {}, {}, {}, false, options); break; case ManagedIdentityIdKind::ClientId: m_managedIdentitySource = CreateManagedIdentitySource( - GetCredentialName(), - options.IdentityId.GetId(), - {}, - {}, - options.UseProbeRequest, - options); + GetCredentialName(), options.IdentityId.GetId(), {}, {}, false, options); break; case ManagedIdentityIdKind::ObjectId: m_managedIdentitySource = CreateManagedIdentitySource( - GetCredentialName(), - {}, - options.IdentityId.GetId(), - {}, - options.UseProbeRequest, - options); + GetCredentialName(), {}, options.IdentityId.GetId(), {}, false, options); break; case ManagedIdentityIdKind::ResourceId: m_managedIdentitySource = CreateManagedIdentitySource( - GetCredentialName(), - {}, - {}, - options.IdentityId.GetId(), - options.UseProbeRequest, - options); + GetCredentialName(), {}, {}, options.IdentityId.GetId(), false, options); break; default: throw std::invalid_argument( diff --git a/sdk/identity/azure-identity/test/ut/managed_identity_credential_test.cpp b/sdk/identity/azure-identity/test/ut/managed_identity_credential_test.cpp index ada389fa5..7e12fd183 100644 --- a/sdk/identity/azure-identity/test/ut/managed_identity_credential_test.cpp +++ b/sdk/identity/azure-identity/test/ut/managed_identity_credential_test.cpp 
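Review bot: The four `case` branches differ only in which id argument is populated, yet each repeats the full `CreateManagedIdentitySource(GetCredentialName(), ..., false, options)` call with an unexplained literal `false`, so the reason the public constructor never probes is stated nowhere. Select the id first and make one call with a named constant that documents the decision, as sketched below; this assumes the id parameters are `std::string`, which `{}` and `GetId()` suggest but the hunk does not show. The enclosing constructor starts before this hunk and the `throw std::invalid_argument(` message runs past its end.
```cpp
  // The public constructor never probes IMDS: the short probe request is only
  // used when this credential is one link in DefaultAzureCredential's chain.
  constexpr bool useProbeRequest = false;
  std::string clientId;
  std::string objectId;
  std::string resourceId;
  switch (idType)
  {
    case ManagedIdentityIdKind::SystemAssigned:
      break;
    case ManagedIdentityIdKind::ClientId:
      clientId = options.IdentityId.GetId();
      break;
    case ManagedIdentityIdKind::ObjectId:
      objectId = options.IdentityId.GetId();
      break;
    case ManagedIdentityIdKind::ResourceId:
      resourceId = options.IdentityId.GetId();
      break;
    default:
      // … unchanged: throw std::invalid_argument(...) …
  }
  m_managedIdentitySource = CreateManagedIdentitySource(
      GetCredentialName(), clientId, objectId, resourceId, useProbeRequest, options);
```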
@@ -3196,40 +3196,6 @@ namespace Azure { namespace Identity { namespace Test { TEST(ManagedIdentityCredential, ImdsProbe) { constexpr auto ImATeapot = static_cast(418); - - EXPECT_THROW( - static_cast(CredentialTestHelper::SimulateTokenRequest( - [&ImATeapot](auto transport) { - ManagedIdentityCredentialOptions options; - options.Transport.Transport = transport; - - options.Retry.MaxRetries = 3; - options.Retry.RetryDelay = std::chrono::milliseconds(1); - options.Retry.StatusCodes.insert(ImATeapot); - - CredentialTestHelper::EnvironmentOverride const env({ - {"MSI_ENDPOINT", ""}, - {"MSI_SECRET", ""}, - {"IDENTITY_ENDPOINT", "https://visualstudio.com/"}, - {"IMDS_ENDPOINT", ""}, - {"IDENTITY_HEADER", ""}, - {"IDENTITY_SERVER_THUMBPRINT", ""}, - {"AZURE_POD_IDENTITY_AUTHORITY_HOST", ""}, - }); - - options.UseProbeRequest = true; - return std::make_unique(options); - }, - {{"https://azure.com/.default"}}, - {{ImATeapot, "{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN1\"}", {}}, - // Given there aren't going to be any retries due to probe request, the credential - // should never get to make a second request to receive the successful response below. - {HttpStatusCode::Ok, - "{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN2\"}", - {}}})), - Azure::Core::Credentials::AuthenticationException); - - // Everything is the same, including the retry policy, but this time useProbeRequest = false. auto const whenProbeDisabled = CredentialTestHelper::SimulateTokenRequest( [&ImATeapot](auto transport) { TokenCredentialOptions options; @@ -3249,8 +3215,7 @@ namespace Azure { namespace Identity { namespace Test { {"AZURE_POD_IDENTITY_AUTHORITY_HOST", ""}, }); - return std::make_unique( - options); // <-- useProbeRequest = false (default) + return std::make_unique(options); }, {{"https://azure.com/.default"}}, {{ImATeapot, "{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN1\"}", {}},
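Review bot: With the `UseProbeRequest = true` half removed, `TEST(ManagedIdentityCredential, ImdsProbe)` no longer exercises a probe at all; it only checks the retry-with-backoff path, so the test name and the `whenProbeDisabled` variable now describe a contrast the test no longer contains. Either rename it (e.g. `ImdsNoProbeRetries`) or add the probe case through the one route that can still reach it, DefaultAzureCredential with `specificCred == false`, since the private constructor is not callable from this test. Unless a DefaultAzureCredential test outside this diff covers it, the behavior the CHANGELOG advertises, a probe that short-circuits retries, is left without a test after this commit. The TEST body continues past the hunk.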