Add WorkloadIdentityCredential to the DefaultAzureCredential. (#4940)

* Add WorkloadIdentityCredential to the DefaultAzureCredential.

* Clang format and update the CL.

* Address PR feedback - update CL, and SVG

* Define the required AZURE_FEDERATED_TOKEN_FILE env variable in the test.

* Update DAC unit test to include WIC in the log messages.
Ahson Khan 2023-09-13 01:15:25 -07:00 committed by GitHub
parent 79737f1473
commit e0bda0b406
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 16 additions and 8 deletions


@ -8,6 +8,8 @@
### Breaking Changes
- Add `WorkloadIdentityCredential` to the `DefaultAzureCredential`.
### Bugs Fixed
- [[#4084]](https://github.com/Azure/azure-sdk-for-cpp/issues/4084) Remove OpenSSL dependency on Windows. (A community contribution, courtesy of _[teo-tsirpanis](https://github.com/teo-tsirpanis)_)
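Review bot: the entry under `### Breaking Changes` says what was added but not what breaks, and unlike the bug-fix entry beneath it carries no PR link. A reader upgrading needs to know that `WorkloadIdentityCredential` now runs ahead of `AzureCliCredential`, so a process that has the workload identity environment configured (for example `AZURE_FEDERATED_TOKEN_FILE`, which the new tests set) will authenticate with that identity rather than the `az login` account, and that the "Created with the following credentials" log line changes. Suggest something like:
- [[#4940]](https://github.com/Azure/azure-sdk-for-cpp/pull/4940) Add `WorkloadIdentityCredential` to the `DefaultAzureCredential` chain, between `EnvironmentCredential` and `AzureCliCredential`.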


@ -57,6 +57,7 @@ The `DefaultAzureCredential` attempts to authenticate via the following mechanis
![DefaultAzureCredential authentication flow][default_azure_credential_auth_flow]
1. **Environment** - The `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate.
1. **Workload Identity Credential** - If the developer authenticates using a Kubernetes service account token.
1. **Azure CLI** - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account.
1. **Managed Identity** - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.
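Review bot: item 2 reads differently from its neighbours and describes the wrong actor: "If the developer authenticates using a Kubernetes service account token" makes it sound like an interactive step, whereas this credential is a deployed-host mechanism (the flowchart classes it `:::deployed`) that picks up a projected service account token through environment variables such as `AZURE_FEDERATED_TOKEN_FILE`. Suggest matching the Managed Identity sentence, e.g. `1. **Workload Identity** - If the application is deployed to a Kubernetes cluster with Azure Workload Identity configured, the `DefaultAzureCredential` will authenticate with the service account token projected into the pod.` The environment-variables section this list links to should also list the variables the new credential reads; otherwise a reader cannot tell the Environment step and this step apart.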


@ -6,7 +6,7 @@
%% 2. Run command: mmdc -i DefaultAzureCredentialAuthFlow.md -o DefaultAzureCredentialAuthFlow.svg
flowchart LR;
A(Environment):::deployed ==> B(Azure CLI):::developer ==> C(Managed Identity):::deployed;
A(Environment):::deployed ==> B(Workload Identity):::deployed ==> C(Azure CLI):::developer ==> D(Managed Identity):::deployed;
subgraph CREDENTIAL TYPES;
direction LR;

SVG diff suppressed because one or more lines are too long (size before: 9.7 KiB; after: 10 KiB).


@ -25,10 +25,10 @@ namespace Azure { namespace Identity {
* as well.
*
* @details This credential is using several credentials in the following order:
* #Azure::Identity::EnvironmentCredential, #Azure::Identity::AzureCliCredential, and
* #Azure::Identity::ManagedIdentityCredential. Even though the credentials being used and their
* order is documented, it may be changed in the future versions of the SDK, potentially bringing
* breaking changes in its behavior.
* #Azure::Identity::EnvironmentCredential, #Azure::Identity::WorkloadIdentityCredential,
* #Azure::Identity::AzureCliCredential, and #Azure::Identity::ManagedIdentityCredential. Even
* though the credentials being used and their order is documented, it may be changed in the
* future versions of the SDK, potentially introducing breaking changes in its behavior.
*
* @note This credential is intended to be used at the early stages of development, to allow the
* developer some time to work with the other aspects of the SDK, and later to replace this


@ -6,6 +6,7 @@
#include "azure/identity/azure_cli_credential.hpp"
#include "azure/identity/environment_credential.hpp"
#include "azure/identity/managed_identity_credential.hpp"
#include "azure/identity/workload_identity_credential.hpp"
#include "private/chained_token_credential_impl.hpp"
#include "private/identity_log.hpp"
@ -38,12 +39,13 @@ DefaultAzureCredential::DefaultAzureCredential(
// Creating credentials in order to ensure the order of log messages.
auto const envCred = std::make_shared<EnvironmentCredential>(options);
auto const wiCred = std::make_shared<WorkloadIdentityCredential>(options);
auto const azCliCred = std::make_shared<AzureCliCredential>(options);
auto const managedIdentityCred = std::make_shared<ManagedIdentityCredential>(options);
m_impl = std::make_unique<_detail::ChainedTokenCredentialImpl>(
GetCredentialName(),
ChainedTokenCredential::Sources{envCred, azCliCred, managedIdentityCred});
ChainedTokenCredential::Sources{envCred, wiCred, azCliCred, managedIdentityCred});
}
DefaultAzureCredential::~DefaultAzureCredential() = default;
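Review bot: `wiCred` is constructed eagerly with `std::make_shared<WorkloadIdentityCredential>(options)`, and the commit message says the tests had to define the "required" `AZURE_FEDERATED_TOKEN_FILE` variable, which raises the question of what happens when it is absent. If the constructor throws on a missing variable or an unreadable token file, `DefaultAzureCredential` can no longer be constructed on any host that is not running under workload identity, which is most developer machines and every VM that relied on `AzureCliCredential` or `ManagedIdentityCredential`. Confirm that construction without the variables only logs and marks the credential unavailable so that `ChainedTokenCredentialImpl` moves on to the next source, and add a test that constructs `DefaultAzureCredential` with `AZURE_FEDERATED_TOKEN_FILE` unset. Placing `wiCred` before `azCliCred` also means a developer box with the workload identity variables set silently stops using the `az login` account; that matches the documented order, but the Doxygen comment should state it explicitly.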


@ -24,6 +24,7 @@ TEST(DefaultAzureCredential, GetCredentialName)
{"AZURE_CLIENT_ID", "fedcba98-7654-3210-0123-456789abcdef"},
{"AZURE_CLIENT_SECRET", "CLIENTSECRET"},
{"AZURE_AUTHORITY_HOST", ""},
{"AZURE_FEDERATED_TOKEN_FILE", "azure-identity-test.pem"},
{"AZURE_USERNAME", ""},
{"AZURE_PASSWORD", ""},
{"AZURE_CLIENT_CERTIFICATE_PATH", ""},
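Review bot: `AZURE_FEDERATED_TOKEN_FILE` is set to `azure-identity-test.pem`, but the federated token file holds a service account JWT, not PEM-encoded key material, so the name points the next reader at the wrong content; a name such as `azure-identity-test.token` would do. The file presumably does not exist in the test working directory, so this fixture also silently pins down that the constructor does not open the file; if that is the intent, a one-line comment saying so will stop a future change from making the test fail for unclear reasons.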
@ -56,6 +57,7 @@ TEST(DefaultAzureCredential, LogMessages)
{"AZURE_CLIENT_ID", "fedcba98-7654-3210-0123-456789abcdef"},
{"AZURE_CLIENT_SECRET", "CLIENTSECRET"},
{"AZURE_AUTHORITY_HOST", "https://microsoft.com/"},
{"AZURE_FEDERATED_TOKEN_FILE", "azure-identity-test.pem"},
{"AZURE_USERNAME", ""},
{"AZURE_PASSWORD", ""},
{"AZURE_CLIENT_CERTIFICATE_PATH", ""},
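Review bot: this fixture only exercises the case where `AZURE_FEDERATED_TOKEN_FILE` is set. `LogMessages` is the natural place to add the unset case, which is the common one outside Kubernetes, and to assert whatever the chain logs when `WorkloadIdentityCredential` is not configured, so the behaviour on machines without workload identity is covered rather than assumed.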
@ -136,7 +138,8 @@ TEST(DefaultAzureCredential, LogMessages)
EXPECT_EQ(
log[9].second,
"Identity: DefaultAzureCredential: Created with the following credentials: "
"EnvironmentCredential, AzureCliCredential, ManagedIdentityCredential.");
"EnvironmentCredential, WorkloadIdentityCredential, AzureCliCredential, "
"ManagedIdentityCredential.");
log.clear();
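Review bot: the expected message stays at `log[9]`, which implies `WorkloadIdentityCredential` emits no log entries of its own during construction with these variables set, or the earlier assertions were updated outside the shown hunks. If the credential does log during construction (for example a warning when the variables are incomplete), every index after it shifts; the assertions would be more robust looking up messages by content rather than by position.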