Azure / azure-sdk-for-rust

This repository is for active development of the *unofficial* Azure SDK for Rust. This repository is *not* supported by the Azure SDK team.
MIT License

add azure_identity::create_credential(), SpecificAzureCredential, AppServiceManagedIdentityCredential, VirtualMachineManagedIdentityCredential #1532

Closed cataggar closed 7 months ago

cataggar commented 8 months ago

Happy new year 2024!

This adds azure_identity::new_credential(), SpecificAzureCredential, AppServiceManagedIdentityCredential, and VirtualMachineManagedIdentityCredential.

Most all of the credentials have something similar to create(options: impl Into<TokenCredentialOptions>) -> Result<Self> now. This is similar to how C# has TryCreate shown in https://github.com/Azure/azure-sdk-for-rust/issues/1495. They are able to check environment variables or files to see if they can be created, something milliseconds fast. The main exception is VirtualMachineManagedIdentityCredential, which does not have anything quick to check, so it is disabled by default. This is a breaking behavioral change that allows the default credentials to be faster by default. You can still opt in to using them by setting AZURE_CREDENTIAL_KIND to virtualmachine. You can also include them using the DefaultAzureCredentialBuilder.

Manual functional tests of the AppServiceManagedIdentityCredential and VirtualMachineManagedIdentityCredential were completed.
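
The fast-check selection described in the comment above, as an added illustration that is not code from this PR or from the azure_identity crate: each credential's create() inspects cheap local signals and fails immediately when they are absent, while the VM credential, which has no such signal, is only returned when opted in via AZURE_CREDENTIAL_KIND=virtualmachine or an explicit include flag. IDENTITY_ENDPOINT and IDENTITY_HEADER are the variables App Service sets for its apps; Env, Credential, create_app_service and create_default are hypothetical names chosen for this example, and the environment is a constructed map so it runs offline.

```rust
use std::collections::HashMap;

/// Hypothetical stand-in for the credential options: the environment the
/// process sees. A fixed map lets the example run without a real Azure host.
#[derive(Debug, Clone, Default)]
pub struct Env(HashMap<String, String>);

impl Env {
    /// Constructed environment for offline runs and tests.
    pub fn from_pairs(pairs: &[(&str, &str)]) -> Self {
        Self(pairs.iter().map(|&(k, v)| (k.to_string(), v.to_string())).collect())
    }
    fn get(&self, key: &str) -> Option<&str> { self.0.get(key).map(String::as_str) }
}

/// The credential kinds this example selects between (hypothetical enum).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Credential {
    AppServiceManagedIdentity { endpoint: String },
    VirtualMachineManagedIdentity,
}

/// App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the app's
/// environment, so creation is a millisecond-fast check that fails cleanly
/// anywhere else (token acquisition itself is out of scope here).
pub fn create_app_service(env: &Env) -> Result<Credential, String> {
    match (env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")) {
        (Some(endpoint), Some(_)) => Ok(Credential::AppServiceManagedIdentity { endpoint: endpoint.to_string() }),
        _ => Err("IDENTITY_ENDPOINT/IDENTITY_HEADER not set: not an App Service".to_string()),
    }
}

/// AZURE_CREDENTIAL_KIND forces one kind; otherwise the cheaply detectable
/// credentials are tried first. The VM credential has no local signal (IMDS is
/// only reachable over the network), so it is skipped unless the caller opts in.
pub fn create_default(env: &Env, include_virtual_machine: bool) -> Result<Credential, String> {
    if let Some(kind) = env.get("AZURE_CREDENTIAL_KIND") {
        return match kind {
            "virtualmachine" => Ok(Credential::VirtualMachineManagedIdentity),
            other => Err(format!("unsupported AZURE_CREDENTIAL_KIND value: {other}")),
        };
    }
    if let Ok(cred) = create_app_service(env) { return Ok(cred); }
    if include_virtual_machine { return Ok(Credential::VirtualMachineManagedIdentity); }
    Err("no credential could be created from the environment".to_string())
}
```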

cataggar commented 8 months ago

I tested the AppServiceManagedIdentityCredential with this get_secret.Dockerfile based on our example.

FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
RUN tdnf install ca-certificates -y
ENV OPENSSL_DIR=/etc/pki/tls
COPY get_secret /get_secret
ENTRYPOINT ["/get_secret"]

This is using the get_secret executable built with:

cargo build --example get_secret --release --target=x86_64-unknown-linux-gnu

Which produces:

target/x86_64-unknown-linux-gnu/release/examples/get_secret

I deployed it to an App Service with a system managed identity and it worked well.

cataggar commented 7 months ago

Testing on an Azure Virtual Machine is complete. I created a VM, scp'd the same get_secret binary and the VirtualMachineManagedIdentityCredential worked with the system assigned identity. Some testing notes:

az vm create -g $vm_name -n $vm_name --image $image --admin-username $env.USER --ssh-key-values $'($env.HOME)/.ssh/id_rsa.pub'

I used the portal to add the identity, but it can be done via the CLI too: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-cli-windows-vm

cataggar commented 7 months ago

As we just discussed, I created #1581 as a placeholder for updating the README. This PR is ready to merge.

heaths commented 7 months ago

Opened a couple tracking issues for subsequent discussion / work, but nothing to hold up this PR.