Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[FEATURE REQ] Support AzurePipelinesCredential via AzureComponentFactory #46598

Open jviau opened 2 hours ago

jviau commented 2 hours ago

Library name

Microsoft.Extensions.Azure

Please describe the feature.

Add support for configuring and instantiating an AzurePipelinesCredential via AzureComponentFactory.

github-actions[bot] commented 2 hours ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

jsquire commented 1 hour ago

@jviau: Can you please share the customer scenario where this would be used?

jsquire commented 1 hour ago

//cc: @scottaddie, @christothes for thoughts.

jviau commented 1 hour ago

@jsquire the precise scenario I am thinking of is for integration tests of Azure Functions extensions in Azure Pipelines. Today many extensions leverage AzureComponentFactory to parse configuration and get a token for the Azure resource (example: Event Hubs extension). Adding Azure Pipelines support to component factory will simplify integration tests in Azure Pipelines, as a service connection can be used. This would be a preferred approach over existing auth as they have limitations:

Connection string: not secretless.

Managed identity: need to assign identity to agent. All pipelines running on agent now have access to identity. Service connection will allow restricting to specific pipelines.

Workload identity: this seems like the closest match? I am going to test it out. It doesn't seem as clean as supporting a pipeline cred directly, as I will need an intermediate step to get auth via Azure CLI and write the token to a file.

jsquire commented 1 hour ago

We don't generally add public features for internal purposes such as this. Can you help us understand why using the Functions Startup and the UseCredential method for the client builder wouldn't work for the Functions test infrastructure? That would be the recommended approach and works with any Identity credential or custom implementation based on TokenCredential.

Example
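For readers following the thread, the approach described in the comment above (registering a credential in code through `UseCredential`) could look like the following for an in-process function app running its integration tests in Azure Pipelines. This is an added illustration, not code from the thread or from the SDK repository. The namespace, the `Require` helper and every environment variable name are assumptions about how a given pipeline exposes its service connection details and test settings.

```csharp
using System;
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Azure;

[assembly: FunctionsStartup(typeof(IntegrationTests.Startup))]

namespace IntegrationTests
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddAzureClients(clients =>
            {
                // Secretless client registration: namespace and hub name only,
                // no connection string.
                clients.AddEventHubProducerClientWithNamespace(
                    Require("EVENTHUBS_NAMESPACE"),   // assumed variable name
                    Require("EVENTHUB_NAME"));        // assumed variable name

                // Token exchange goes through the pipeline's service connection,
                // so access is scoped to pipelines authorized to use that
                // connection rather than to everything running on the agent.
                clients.UseCredential(new AzurePipelinesCredential(
                    Require("AZURESUBSCRIPTION_TENANT_ID"),              // assumed
                    Require("AZURESUBSCRIPTION_CLIENT_ID"),              // assumed
                    Require("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"),  // assumed
                    Require("SYSTEM_ACCESSTOKEN")));  // must be mapped into the step
            });
        }

        // Hypothetical helper: fail closed with a clear message instead of
        // passing null or empty values into the credential.
        private static string Require(string name)
        {
            string value = Environment.GetEnvironmentVariable(name);
            if (string.IsNullOrWhiteSpace(value))
            {
                throw new InvalidOperationException(
                    $"Environment variable '{name}' is required but not set.");
            }
            return value;
        }
    }
}
```

The credential set this way applies only to clients resolved from this registration.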

jviau commented 40 minutes ago

This is not specifically for internal purposes only. It is for customers that have integration tests for their function apps as well. Azure Functions extensions do not support manually supplying token credentials for the most part and are limited to connection strings or what AzureComponentFactory supports. Additionally, in out-of-process scenarios customers would not have any code running in the host process to manually provide a token credential to begin with, and are limited to only config-based solutions.