Open johnbatty opened 1 month ago
You are on the right track @johnbatty. Please see this discussion for context.

I made it public again in #1660, but it should probably be private long term. Are you looking for `VirtualMachineManagedIdentityCredential`, but with a way to specify the user assigned managed identity?
@cataggar

> I made it public again in https://github.com/Azure/azure-sdk-for-rust/pull/1660, but it should probably be private long term.

Thank you!

> Are you looking for `VirtualMachineManagedIdentityCredential`, but with a way to specify the user assigned managed identity?

Yes
@cataggar

Perhaps we could just update the `VirtualMachineManagedIdentityCredential` constructor to take an additional `id` parameter, which would then allow it to be used for either System Assigned or User Assigned ids?

Current:

```rust
pub fn new(options: impl Into<TokenCredentialOptions>) -> Self {
    let endpoint = Url::parse(ENDPOINT).unwrap(); // valid url constant
    Self {
        credential: ImdsManagedIdentityCredential::new(
            options,
            endpoint,
            API_VERSION,
            SECRET_HEADER,
            SECRET_ENV,
            ImdsId::SystemAssigned,
        ),
    }
}
```

New:

```rust
pub fn new(id: ImdsId, options: impl Into<TokenCredentialOptions>) -> Self {
    let endpoint = Url::parse(ENDPOINT).unwrap(); // valid url constant
    Self {
        credential: ImdsManagedIdentityCredential::new(
            options,
            endpoint,
            API_VERSION,
            SECRET_HEADER,
            SECRET_ENV,
            id,
        ),
    }
}
```
I have a similar issue and also had to revert back to 0.19 because 0.20 did not allow me to create managed identity credentials with a customized client ID.

My application runs normally in an Azure Batch VM with an identity specified from an ENV variable, but I also need to be able to run it locally with my Azure CLI credentials.

Right now I use code that looks like this:

```rust
let credentials: Arc<dyn TokenCredential> = if let Some(client_id) = &args.batch_task_identity {
    Arc::new(ImdsManagedIdentityCredential::default().with_client_id(client_id))
} else {
    Arc::new(DefaultAzureCredential::default())
};
```

Maybe it would be possible to specify custom IDs for managed identities by extending the `TokenCredentialOptions` struct introduced in 0.20?

If this struct included options for the customized client IDs for the managed identity credentials, the code could be simplified to something like this:

```rust
let mut options = TokenCredentialOptions::default();
options.set_managed_identity_client_id(args.batch_task_identity);
let credentials = Arc::new(DefaultAzureCredential::create(options)?);
```
Using `azure_identity` prior to 0.20.0 I was able to use specific User Assigned Managed Identity credentials like this:

For 0.20.0 there was an overhaul of how credentials are created, and it no longer appears possible to create an ImdsManagedIdentity with an object_id.

This is a major issue for my project (and I imagine others) - we rely on User Assigned Managed Identities so can't upgrade `azure_identity` without a fix to restore this capability.

I do note there is an outstanding issue for creating a `ManagedIdentityCredential`: https://github.com/Azure/azure-sdk-for-rust/issues/1536

I'm happy to make a fix, but need to agree what the API should look like.

`ImdsManagedIdentityCredential` had methods to allow you to set one of `object_id`, `client_id` or `identity` (resource id).

The `ImdsManagedIdentityCredential` implementation does have an enum defined that includes all the different types of `ImdsManagedIdentityCredential`, so we just need to provide a way to create instances with an id of each of these types.

The previous method of creating an `ImdsManagedIdentityCredential` and then calling one of the other methods to set a value felt a bit hacky. Might be simpler to expose the above `ImdsId` enum in the public API, and then allow it to be passed in a new constructor. Although possibly a bit odd passing in `ImdsId` to a `ManagedIdentityCredential` (without the `Imds` prefix). Could rename `ImdsId` in the API, perhaps:

For comparison, the .NET SDK `ManagedIdentityCredential` has multiple overloaded constructors for creating the different variants:

Any thoughts/suggestions appreciated.