From e0bda0b406484be516ed8e0c3baa9f3e0c390fc7 Mon Sep 17 00:00:00 2001 From: Ahson Khan Date: Wed, 13 Sep 2023 01:15:25 -0700 Subject: [PATCH] Add WorkloadIdentityCredential to the DefaultAzureCredential. (#4940) * Add WorkloadIdentityCredential to the DefaultAzureCredential. * Clang format and update the CL. * Address PR feedback - update CL, and SVG * Define the required AZURE_FEDERATED_TOKEN_FILE env variable in the test. * Update DAC unit test to include WIC in the log messages. --- sdk/identity/azure-identity/CHANGELOG.md | 2 ++ sdk/identity/azure-identity/README.md | 1 + .../img/mermaidjs/DefaultAzureCredentialAuthFlow.md | 2 +- .../img/mermaidjs/DefaultAzureCredentialAuthFlow.svg | 2 +- .../inc/azure/identity/default_azure_credential.hpp | 8 ++++---- .../azure-identity/src/default_azure_credential.cpp | 4 +++- .../test/ut/default_azure_credential_test.cpp | 5 ++++- 7 files changed, 16 insertions(+), 8 deletions(-) diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md index 24ba6bc0b..ad4338314 100644 --- a/sdk/identity/azure-identity/CHANGELOG.md +++ b/sdk/identity/azure-identity/CHANGELOG.md @@ -8,6 +8,8 @@ ### Breaking Changes +- Add `WorkloadIdentityCredential` to the `DefaultAzureCredential`. + ### Bugs Fixed - [[#4084]](https://github.com/Azure/azure-sdk-for-cpp/issues/4084) Remove OpenSSL dependency on Windows. (A community contribution, courtesy of _[teo-tsirpanis](https://github.com/teo-tsirpanis)_) diff --git a/sdk/identity/azure-identity/README.md b/sdk/identity/azure-identity/README.md index 390e5c436..a9e0906c8 100644 --- a/sdk/identity/azure-identity/README.md +++ b/sdk/identity/azure-identity/README.md 
@@ -57,6 +57,7 @@ The `DefaultAzureCredential` attempts to authenticate via the following mechanis ![DefaultAzureCredential authentication flow][default_azure_credential_auth_flow] 1. **Environment** - The `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate. +1. **Workload Identity Credential** - If the developer authenticates using a Kubernetes service account token. 1. **Azure CLI** - If the developer has authenticated an account via the Azure CLI `az login` command, the `DefaultAzureCredential` will authenticate with that account. 1. **Managed Identity** - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account. diff --git a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md index 26b5d98e0..5ef482346 100644 --- a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md +++ b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.md @@ -6,7 +6,7 @@ %% 2. Run command: mmdc -i DefaultAzureCredentialAuthFlow.md -o DefaultAzureCredentialAuthFlow.svg flowchart LR; - A(Environment):::deployed ==> B(Azure CLI):::developer ==> C(Managed Identity):::deployed; + A(Environment):::deployed ==> B(Workload Identity):::deployed ==> C(Azure CLI):::developer ==> D(Managed Identity):::deployed; subgraph CREDENTIAL TYPES; direction LR; diff --git a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg index 252969297..8aa89eeb2 100644 --- a/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg +++ b/sdk/identity/azure-identity/img/mermaidjs/DefaultAzureCredentialAuthFlow.svg @@ -1 +1 @@ -
CREDENTIAL TYPES
Developer
Deployed service
Environment
Azure CLI
Managed Identity
\ No newline at end of file +
CREDENTIAL TYPES
Developer
Deployed service
Environment
Workload Identity
Azure CLI
Managed Identity
\ No newline at end of file
diff --git a/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp b/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp
index e7528cdb5..22858b4ae 100644
--- a/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp
+++ b/sdk/identity/azure-identity/inc/azure/identity/default_azure_credential.hpp
@@ -25,10 +25,10 @@ namespace Azure { namespace Identity {
  * as well.
  *
  * @details This credential is using several credentials in the following order:
- * #Azure::Identity::EnvironmentCredential, #Azure::Identity::AzureCliCredential, and
- * #Azure::Identity::ManagedIdentityCredential. Even though the credentials being used and their
- * order is documented, it may be changed in the future versions of the SDK, potentially bringing
- * breaking changes in its behavior.
+ * #Azure::Identity::EnvironmentCredential, #Azure::Identity::WorkloadIdentityCredential,
+ * #Azure::Identity::AzureCliCredential, and #Azure::Identity::ManagedIdentityCredential. Even
+ * though the credentials being used and their order is documented, it may be changed in the
+ * future versions of the SDK, potentially introducing breaking changes in its behavior.
  *
  * @note This credential is intended to be used at the early stages of development, to allow the
  * developer some time to work with the other aspects of the SDK, and later to replace this
diff --git a/sdk/identity/azure-identity/src/default_azure_credential.cpp b/sdk/identity/azure-identity/src/default_azure_credential.cpp
index 221e51ec6..3995cb6ea 100644
--- a/sdk/identity/azure-identity/src/default_azure_credential.cpp
+++ b/sdk/identity/azure-identity/src/default_azure_credential.cpp
@@ -6,6 +6,7 @@ #include "azure/identity/azure_cli_credential.hpp" #include "azure/identity/environment_credential.hpp" #include "azure/identity/managed_identity_credential.hpp" +#include "azure/identity/workload_identity_credential.hpp" #include "private/chained_token_credential_impl.hpp" #include "private/identity_log.hpp" @@ -38,12 +39,13 @@ DefaultAzureCredential::DefaultAzureCredential( // Creating credentials in order to ensure the order of log messages. auto const envCred = std::make_shared(options); + auto const wiCred = std::make_shared(options); auto const azCliCred = std::make_shared(options); auto const managedIdentityCred = std::make_shared(options); m_impl = std::make_unique<_detail::ChainedTokenCredentialImpl>( GetCredentialName(), - ChainedTokenCredential::Sources{envCred, azCliCred, managedIdentityCred}); + ChainedTokenCredential::Sources{envCred, wiCred, azCliCred, managedIdentityCred}); } DefaultAzureCredential::~DefaultAzureCredential() = default; diff --git a/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp b/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp index 6111701e7..4b7a56b6d 100644 --- a/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp +++ b/sdk/identity/azure-identity/test/ut/default_azure_credential_test.cpp @@ -24,6 +24,7 @@ TEST(DefaultAzureCredential, GetCredentialName) {"AZURE_CLIENT_ID", "fedcba98-7654-3210-0123-456789abcdef"}, {"AZURE_CLIENT_SECRET", "CLIENTSECRET"}, {"AZURE_AUTHORITY_HOST", ""}, + {"AZURE_FEDERATED_TOKEN_FILE", "azure-identity-test.pem"}, {"AZURE_USERNAME", ""}, {"AZURE_PASSWORD", ""}, {"AZURE_CLIENT_CERTIFICATE_PATH", ""}, 
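Review bot: The new `wiCred` in the constructor hunk is built unconditionally from `options`, so `DefaultAzureCredential` construction now succeeds only if `WorkloadIdentityCredential`'s constructor tolerates a missing `AZURE_FEDERATED_TOKEN_FILE` (and tenant/client id) instead of throwing; the companion test change had to add that variable to the fixture, which suggests the constructor at least inspects it, so please confirm it degrades to a logged warning rather than an exception, otherwise every host without Workload Identity loses the whole chain. The ordering in `ChainedTokenCredential::Sources{envCred, wiCred, azCliCred, managedIdentityCred}` is the security-relevant part: assuming the chain tries sources in order and stops at the first success, a federated token file named in the environment now takes precedence over a developer's `az login` session and over IMDS, which is presumably intended for pods but deserves a comment at that line, e.g. `// Order matters: sources are tried in this order and the first that can authenticate wins; WorkloadIdentity precedes AzureCli so a pod's federated token never falls through to a developer login.` The `std::make_shared(options)` calls display without their template arguments here, which looks like extraction loss rather than the committed code, but is worth a glance if it is not.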
@@ -56,6 +57,7 @@ TEST(DefaultAzureCredential, LogMessages) {"AZURE_CLIENT_ID", "fedcba98-7654-3210-0123-456789abcdef"}, {"AZURE_CLIENT_SECRET", "CLIENTSECRET"}, {"AZURE_AUTHORITY_HOST", "https://microsoft.com/"}, + {"AZURE_FEDERATED_TOKEN_FILE", "azure-identity-test.pem"}, {"AZURE_USERNAME", ""}, {"AZURE_PASSWORD", ""}, {"AZURE_CLIENT_CERTIFICATE_PATH", ""}, @@ -136,7 +138,8 @@ TEST(DefaultAzureCredential, LogMessages) EXPECT_EQ( log[9].second, "Identity: DefaultAzureCredential: Created with the following credentials: " - "EnvironmentCredential, AzureCliCredential, ManagedIdentityCredential."); + "EnvironmentCredential, WorkloadIdentityCredential, AzureCliCredential, " + "ManagedIdentityCredential."); log.clear();