Azure · chlowell · Aug 2, 2021 · Jul 19, 2021
@@ -5,6 +5,11 @@
 ### Features Added
 
 ### Breaking Changes
+> These changes do not impact the API of stable versions such as 1.6.0.
+> Only code written against a beta version such as 1.7.0b1 may be affected.
+- Renamed `AZURE_POD_IDENTITY_TOKEN_URL` to `AZURE_POD_IDENTITY_AUTHORITY_HOST`.
+  The value should now be a host, for example "http://169.254.169.254" (the
+  default).
 
 ### Bugs Fixed
 

@@ -35,7 +35,7 @@ class EnvironmentVariables:
     AZURE_PASSWORD = "AZURE_PASSWORD"
     USERNAME_PASSWORD_VARS = (AZURE_CLIENT_ID, AZURE_USERNAME, AZURE_PASSWORD)
 
-    AZURE_POD_IDENTITY_TOKEN_URL = "AZURE_POD_IDENTITY_TOKEN_URL"
+    AZURE_POD_IDENTITY_AUTHORITY_HOST = "AZURE_POD_IDENTITY_AUTHORITY_HOST"
     IDENTITY_ENDPOINT = "IDENTITY_ENDPOINT"
     IDENTITY_HEADER = "IDENTITY_HEADER"
     IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT"

@@ -20,7 +20,8 @@
     from typing import Any, Optional
     from azure.core.credentials import AccessToken
 
-IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
+IMDS_AUTHORITY = "http://169.254.169.254"
+IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"
 
 PIPELINE_SETTINGS = {
     "connection_timeout": 2,
@@ -33,7 +34,11 @@
 
 
 def get_request(scope, identity_config):
-    request = HttpRequest("GET", os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL, IMDS_URL))
+    url = (
+        os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST, IMDS_AUTHORITY).strip("/")
+        + IMDS_TOKEN_PATH
+    )
+    request = HttpRequest("GET", url)
     request.format_parameters(dict({"api-version": "2018-02-01", "resource": scope}, **identity_config))
     return request
 
@@ -44,7 +49,7 @@ def __init__(self, **kwargs):
         super(ImdsCredential, self).__init__()
 
         self._client = ManagedIdentityClient(get_request, **dict(PIPELINE_SETTINGS, **kwargs))
-        if EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL in os.environ:
+        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:
             self._endpoint_available = True  # type: Optional[bool]
         else:
             self._endpoint_available = None

@@ -24,7 +24,7 @@ def __init__(self, **kwargs: "Any") -> None:
         super().__init__()
 
         self._client = AsyncManagedIdentityClient(get_request, **PIPELINE_SETTINGS, **kwargs)
-        if EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL in os.environ:
+        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:
             self._endpoint_available = True  # type: Optional[bool]
         else:
             self._endpoint_available = None

@@ -10,7 +10,7 @@
 
 from azure.identity import CredentialUnavailableError
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import ImdsCredential, IMDS_URL, PIPELINE_SETTINGS
+from azure.identity._credentials.imds import IMDS_TOKEN_PATH, ImdsCredential, IMDS_AUTHORITY, PIPELINE_SETTINGS
 from azure.identity._internal.user_agent import USER_AGENT
 import pytest
 
@@ -147,9 +147,9 @@ def test_identity_config():
     scope = "scope"
     transport = validating_transport(
         requests=[
-            Request(base_url=IMDS_URL),
+            Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
             Request(
-                base_url=IMDS_URL,
+                base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope, param_name: param_value},
@@ -177,16 +177,16 @@ def test_identity_config():
     assert token == expected_token
 
 
-def test_imds_url_override():
-    url = "https://localhost/token"
+def test_imds_authority_override():
+    authority = "https://localhost"
     expected_token = "***"
     scope = "scope"
     now = int(time.time())
 
     transport = validating_transport(
         requests=[
             Request(
-                base_url=url,
+                base_url=authority + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -207,7 +207,7 @@ def test_imds_url_override():
         ],
     )
 
-    with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL: url}, clear=True):
+    with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST: authority}, clear=True):
         credential = ImdsCredential(transport=transport)
         token = credential.get_token(scope)
 

@@ -10,7 +10,7 @@
 from azure.core.exceptions import ClientAuthenticationError
 from azure.identity import CredentialUnavailableError
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._internal.user_agent import USER_AGENT
 from azure.identity.aio._credentials.imds import ImdsCredential, PIPELINE_SETTINGS
 import pytest
@@ -182,9 +182,9 @@ async def test_identity_config():
 
     transport = async_validating_transport(
         requests=[
-            Request(base_url=IMDS_URL),
+            Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
             Request(
-                base_url=IMDS_URL,
+                base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope, param_name: param_value},
@@ -212,16 +212,16 @@ async def test_identity_config():
     assert token == expected_token
 
 
-async def test_imds_url_override():
-    url = "https://localhost/token"
+async def test_imds_authority_override():
+    authority = "https://localhost"
     expected_token = "***"
     scope = "scope"
     now = int(time.time())
 
     transport = async_validating_transport(
         requests=[
             Request(
-                base_url=url,
+                base_url=authority + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -242,7 +242,7 @@ async def test_imds_url_override():
         ],
     )
 
-    with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL: url}, clear=True):
+    with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST: authority}, clear=True):
         credential = ImdsCredential(transport=transport)
         token = await credential.get_token(scope)
 

@@ -15,7 +15,7 @@
 from azure.core.pipeline.transport import HttpRequest
 from azure.identity import ManagedIdentityCredential
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._internal.managed_identity_client import ManagedIdentityClient
 from azure.identity._internal.user_agent import USER_AGENT
 import pytest
@@ -438,9 +438,9 @@ def test_imds():
     scope = "scope"
     transport = validating_transport(
         requests=[
-            Request(base_url=IMDS_URL),  # first request should be availability probe => match only the URL
+            Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
             Request(
-                base_url=IMDS_URL,
+                base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -532,7 +532,7 @@ def test_imds_user_assigned_identity():
     access_token = "****"
     expires_on = 42
     expected_token = AccessToken(access_token, expires_on)
-    endpoint = IMDS_URL
+    endpoint = IMDS_AUTHORITY + IMDS_TOKEN_PATH
     scope = "scope"
     client_id = "some-guid"
     transport = validating_transport(

@@ -11,7 +11,7 @@
 from azure.core.pipeline.transport import HttpRequest
 from azure.identity.aio import ManagedIdentityCredential
 from azure.identity.aio._internal.managed_identity_client import AsyncManagedIdentityClient
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._constants import EnvironmentVariables
 from azure.identity._internal.user_agent import USER_AGENT
 
@@ -499,9 +499,9 @@ async def test_imds():
     scope = "scope"
     transport = async_validating_transport(
         requests=[
-            Request(base_url=IMDS_URL),  # first request should be availability probe => match only the URL
+            Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
             Request(
-                base_url=IMDS_URL,
+                base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -539,9 +539,9 @@ async def test_imds_user_assigned_identity():
     client_id = "some-guid"
     transport = async_validating_transport(
         requests=[
-            Request(base_url=IMDS_URL),  # first request should be availability probe => match only the URL
+            Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
             Request(
-                base_url=IMDS_URL,
+                base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
                 method="GET",
                 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
                 required_params={"api-version": "2018-02-01", "client_id": client_id, "resource": scope},