Broaden special case for 403 responses from IMDS

sdk/azidentity/CHANGELOG.md

@@ -7,6 +7,9 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+* Fixed more cases in which credential chains like `DefaultAzureCredential`
+  should try their next credential after attempting managed identity
+  authentication in a Docker Desktop container
 
 ### Other Changes
 

sdk/azidentity/managed_identity_client.go

@@ -209,7 +209,7 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 			// Docker Desktop runs a proxy that responds 403 to IMDS token requests. If we get that response,
 			// we return credentialUnavailableError so credential chains continue to their next credential
 			body, err := runtime.Payload(resp)
-			if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable network") {
+			if err == nil && strings.Contains(string(body), "unreachable") {
 				return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("unexpected response %q", string(body)))
 			}
 		}

sdk/azidentity/managed_identity_client_test.go

@@ -93,6 +93,11 @@ func TestManagedIdentityClient_IMDSErrors(t *testing.T) {
 			code: http.StatusForbidden,
 			body: "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.",
 		},
+		{
+			desc: "Docker Desktop",
+			code: http.StatusForbidden,
+			body: "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable host.",
+		},
 	} {
 		t.Run(fmt.Sprint(test.code), func(t *testing.T) {
 			srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())