Azure.Identity: support MSI_CLIENT_ID or AZURE_CLIENT_ID env var for User Assigned Identities #18253
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist.
OK, while I was testing this proposal, I discovered that this is already implemented with So if you set just I've just tested it with the 1.3.0 NuGet package and yes, it works as required. Thoughts on this? If this is an officially supported thing, should we document it? If "unsupported", then why?
Hi @ppanyukov - does this describe the scenario you had in mind?
No, it doesn't quite, @christothes. The example there shows that we need to specify the client id in the code, specifically just for the case of User Assigned Identity. The proposal here is that it should work transparently by means of env vars, as it simplifies so many workflows.
Thanks for clarifying. To your follow-up question:
This appears to be a documentation oversight. I'll file an issue to get the docs updated. Thanks for pointing this out!
Will add docs with #18264
Thanks @christothes. Do you know where to raise an issue/feature request for Key Vault refs not working with User Assigned Identities? For this thing: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
@ppanyukov Normally for a feature request like this we'd ask for this to be filed on our uservoice, but I actually don't see that item already filed, strangely. That said, we do have support for it lined up to be available very soon. I can't give a specific timeline, but it shouldn't be too much longer.
Library or service name.
Azure.Identity.
Is your feature request related to a problem? Please describe.
This affects App Services and Function Apps with a user assigned identity.
The standard method to obtain a credential in an app service is this:
As per the docs, this will try to obtain a token using this chain: Environment, Managed Identity, Visual Studio, VS Code, Azure CLI.
All good and well, except that it does not work with User Assigned Managed Identities; it only works with System Assigned MSIs.
The reason for this is that we need to specify the client id of the User Assigned MSI.
This leads to many undesirable things:
Proposal
Support an `MSI_CLIENT_ID` env variable or repurpose the existing `AZURE_CLIENT_ID`. We can set this in App Settings, either during terraform or during deployment. If `MSI_CLIENT_ID` is set, the library will use the client id specified there when getting the MSI token.
For example, add support for the env var here: https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/EnvironmentVariables.cs#L19
Here is how the code might look here: https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/AppServiceV2017ManagedIdentitySource.cs#L54
Benefits
- Setting `MSI_CLIENT_ID` or `AZURE_CLIENT_ID` is easy via App Settings. It is terraformable, or easy to set during deployments.
- The use of `AZURE_CLIENT_ID` is already supported and documented, so this change will not be out of line.
- `Azure.Identity` library under the hood.
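As an added example (not code from the issue author or from the Azure SDK), here is the application-side shape of the proposed behaviour: the user-assigned identity's client id is read from `MSI_CLIENT_ID` (the hypothetical variable proposed above) or `AZURE_CLIENT_ID` and handed to `DefaultAzureCredential` through `DefaultAzureCredentialOptions.ManagedIdentityClientId`, so no client id is hardcoded and a system-assigned identity keeps working when neither variable is set.

```csharp
using System;
using Azure.Core;
using Azure.Identity;

// Added example; not part of the Azure SDK or of the original issue.
// MSI_CLIENT_ID is the variable proposed in this issue (hypothetical);
// AZURE_CLIENT_ID is the existing, documented one.
public static class CredentialFactory
{
    public static TokenCredential Create()
    {
        string clientId = Environment.GetEnvironmentVariable("MSI_CLIENT_ID")
                       ?? Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

        if (string.IsNullOrWhiteSpace(clientId))
        {
            // Nothing configured: behave exactly as before, i.e. the default
            // chain with a system-assigned identity on App Service / Functions.
            return new DefaultAzureCredential();
        }

        // A user-assigned identity is addressed by its client id, which is a GUID.
        // Validating it at startup turns a typo in App Settings into a clear
        // configuration error instead of a confusing token failure at first use.
        if (!Guid.TryParse(clientId, out _))
        {
            throw new InvalidOperationException(
                "MSI_CLIENT_ID/AZURE_CLIENT_ID must be the client id (GUID) of the user-assigned identity.");
        }

        // Route the id into the Managed Identity step of the default chain; the
        // remaining steps (Environment, Visual Studio, VS Code, Azure CLI) are unchanged.
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId
        });
    }
}

// Usage, e.g. with Key Vault:
//   var secrets = new SecretClient(new Uri(vaultUri), CredentialFactory.Create());
```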