`TokenCredentials` linked to a Pulumi Azure Native Provider

[tomachristian]

Does anyone know how to create an implementation of the TokenCredentials from Azure Identity in .NET that is based on a Azure Native Provider?

[thomas11]

Hi @tomachristian, are you thinking of exposing the Azure authentication token that the provider uses internally, so you'd have a TokenCredentials implementation that gets the token from the Pulumi provider?

If so, that's not supported at the moment, since the token and the code to access it is internal to the provider.

Since you already need to configure authentication for the provider, you should be able to use the same configuration to get a token directly via the Identity library.

Maybe it would help if you could explain your use case in more detail.

[tomachristian]

That is exactly what we would need, indeed. We would like to access some Azure KeyVault to read secrets via the Azure SDK and that requires a TokenCredentials.

We are using DefaultCredentials ATM because that one picks up the ambient credentials that the Pulumi also uses; but we would like to be correct in our code, we would like to switch to explicit Azure Native provider instead of default providers and also have this evident in a clear relationship between the provider and the credentials used to read from that Azure KeyVault

[thomas11]

Ok, we'll keep this enhancement request open and will see internally when we can address it.

In the meantime, are you aware of the provider's Secret and GetSecret? Maybe they could fill the gap.

[tomachristian]

Thank you!

Yes, I do, but unfortunately none of those allow us to actually read the value of a secret in an existing (externally owned) KeyVault 😢; we need to use the Azure SDK to do that.

[thomas11]

GetSecret (and all the Pulumi Get methods) will read data/resources that are not managed by Pulumi. See Get functions for docs.

[tomachristian]

The documentation of GetSecret explicitly states that it will NOT ever read and return the value of a secret. https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/getsecret/

"The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets."

[thomas11]

Ah, you're right. GetSecret is the exception to the Get* functions, which is tracked in #1422. Apologies for the misinformation!

[tomachristian]

No need to apologise! Thank YOU! Hope maybe this with TokenCrendetials will be taken into consideration one day 🙏