Support custom ImdsId for AppServiceManagedIdentityCredential. #2284
Conversation
tot0
requested review from
JeffreyRichter,
LarryOsterman,
RickWinter,
heaths and
ronniegeraghty
as code owners
github-project-automation
bot
moved this to Untriaged
in Azure Identity SDK Improvements
heaths
left a comment
heaths
left a comment
There was a problem hiding this comment.
Thanks for the contribution, but I don't think we can expose much of this publicly and probably already have too much public for the next beta release where we'll better align with other languages' versions of azure_identity. That's not to say we can't have some idiomatic rust-specifics, but it seems the AppServiceManagedIdentityCredential shouldn't even be public.
For that alone I'd still merge this, but then the whole reason for exposing the IMDS type evaporates. We also won't expose the cache. It's not like people can't write their own if needed. We don't want to expose types unless necessary or highly requested becuase we'll have to support them as-is in perpetuity. Instead, we will probably have a more robust cache that can be securely persisted a la https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/cache/cache.go. So we wouldn't expose this simple in-memory cache as-is.
| @@ -1,5 +1,16 @@ | |||
| # Release History | |||
|
|
|||
| ## 0.23.0 (?) | |||
There was a problem hiding this comment.
| ## 0.23.0 (?) | |
| ## 0.23.0 (Unreleased) |
@hallipr can we get the bot hooked up to make these changes automatically soon?
| } | ||
|
|
||
| impl AppServiceManagedIdentityCredential { | ||
| pub fn new(options: impl Into<TokenCredentialOptions>) -> azure_core::Result<Arc<Self>> { |
There was a problem hiding this comment.
@chlowell @scottaddie should this type even be exposed publicly? I'm close to refactoring azure_identity and I remember talking about how only ManagedIdentityCredential should be exposed and all the "implementation-specific" credentials should be internal. That would significantly affect the need for this PR and force consideration for how else to pass the IMDS ID. Comparing with Go's azidentity, I see it's just an implementation detail. I'm guessing this equates to ManagedIdentityCredentialOptions.ManagedIDKind? I'm not sure, though, since the only implementations I see are all user-assigned variants.
There was a problem hiding this comment.
A unified ManagedIdentityCredential credential makes sense to me. When to call the IMDS static IP endpiont and when to call a environment specific endpoint I guess switches on the presence of IDENTITY_ENDPOINT in env?
For any Managed Identity credential it is important to be somehow able to specify whether to use a specific ClientId or just use the endpoints default.
github-project-automation
bot
moved this from Untriaged
to In Progress
in Azure Identity SDK Improvements
Understandable on both fronts. |
|
Possibly. We're discussing in the Identity v-team. But I can say you won't be able to use these changes for long, and even then would have to use a patched git reference to |
Happy to not actually PR this then. For now I am referencing my fork for usage of |
…ting a custom TokenCredential.
…implementing a custom TokenCredential." This reverts commit c646422.
tot0
force-pushed
the
lupickup/support_imdsid_appservice
branch
from
b354206 to
e53e4d3
Compare
github-project-automation
bot
moved this from In Progress
to Done
in Azure Identity SDK Improvements
3 participants
This matches the interface of
VirtualMachineManagedIdentityCredential, it enables specifying aclient_idto use for Identities being served not via the VM local Imds endpoint.