Is there an existing issue for this?
Describe the bug
The change introduced in #14951 only detects user-assigned managed identities, not system-assigned managed identities, and attempts to use development credentials with managed identity support disabled in Azure.
Looking at the implementation (aspire/src/Shared/AzureCredentialHelper.cs, lines 14 to 32 at ec8bbdf) it's clear why it's wrong:

```csharp
internal static TokenCredential CreateDefaultAzureCredential()
{
    if (Environment.GetEnvironmentVariable(DefaultAzureCredential.DefaultEnvironmentVariableName) is not null)
    {
        return new DefaultAzureCredential(DefaultAzureCredential.DefaultEnvironmentVariableName);
    }

    if (Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") is not null)
    {
        // When we don't see DefaultEnvironmentVariableName, but we do see AZURE_CLIENT_ID,
        // we just use ManagedIdentityCredential because that's the only credential type that
        // Aspire Hosting enables by default.
        // If this doesn't work for applications, they can override the TokenCredential in their settings.
        return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions());
    }

    // when we can't detect a known Azure environment, fall back to the development credential
    return CreateDevelopmentAzureCredential();
}
```
- `DefaultAzureCredential` is only used if `AZURE_TOKEN_CREDENTIALS` is defined; this is not relevant for system-assigned identities
- `ManagedIdentityCredential` is only used if `AZURE_CLIENT_ID` is defined; this environment variable should only be defined for user-assigned identities
- Otherwise it uses `DefaultAzureCredential` with `ExcludeManagedIdentityCredential = true`, which prevents any managed identity from working
Expected Behavior
System-assigned managed identities should work out of the box like before this change.
Steps To Reproduce
- Enable system-assigned managed identity
- Call `configuration.AddAzureKeyVaultSecrets(connectionName);`
Exceptions (if any)
I didn't save the exception, unfortunately, but it was a long exception that listed the types of credentials it tried, and `ManagedIdentityCredential` was notably missing.
.NET Version info
10.0.5
Anything else?
I found a similar issue #15537 where there's a comment that this breaking change is documented but there is no mention of system-assigned managed identities. In fact the documentation seems to imply that it's supposed to detect Azure but that's not the case, it only detects user-assigned managed identities.
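The comment in the helper above says an application can override the `TokenCredential` in its settings. The following is an added illustration of that workaround for a host that uses a system-assigned managed identity; it is not code from this issue or from the Aspire repository. It assumes the `configureSettings` callback of `AddAzureKeyVaultSecrets` from `Aspire.Azure.Security.KeyVault` exposes a `Credential` property, that `Azure.Identity` provides `ManagedIdentityId.SystemAssigned`, and that `IDENTITY_ENDPOINT` is the platform-provided variable on App Service, Functions and Container Apps; the connection name and the `Azure:UseSystemAssignedIdentity` setting are constructed for the example.

```csharp
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = Host.CreateApplicationBuilder(args);
const string connectionName = "secrets"; // constructed name for the example

// Decide whether to force the system-assigned managed identity.
// IDENTITY_ENDPOINT is set by the platform on App Service, Functions and Container Apps.
// A VM exposes no such variable, so an explicit opt-in setting (constructed name) is
// also honoured; local development keeps the default (development) credential chain.
bool forceSystemAssigned =
    Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") is not null
    || string.Equals(builder.Configuration["Azure:UseSystemAssignedIdentity"], "true",
                     StringComparison.OrdinalIgnoreCase);

builder.Configuration.AddAzureKeyVaultSecrets(connectionName, configureSettings: settings =>
{
    if (forceSystemAssigned)
    {
        // Bypass the helper's AZURE_CLIENT_ID-only detection and ask for the
        // system-assigned identity explicitly (assumed ManagedIdentityId API).
        settings.Credential = new ManagedIdentityCredential(
            new ManagedIdentityCredentialOptions { ManagedIdentityId = ManagedIdentityId.SystemAssigned });
    }
});

var host = builder.Build();
host.Run();
```

Gating the override on a platform signal or an explicit setting keeps the local inner loop on the development credential while making the deployed service independent of whether `AZURE_CLIENT_ID` happens to be set.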