Make Azure credential process timeout configurable

[spboyer]

Description

Fixes #15872 — aspire deploy az login check times out with no way to override.

Problem

The Azure CLI credential validation during aspire deploy had inconsistent timeout handling:

• Publish mode (AzureCliCredential): No timeout at all — would use SDK defaults or hang
• Run mode (DefaultAzureCredential): Hard-coded 15s CredentialProcessTimeout — too short for some machines
• No user-facing way to increase the timeout when az CLI is slow (antivirus scanning, network latency)

Solution

• Add CredentialProcessTimeoutSeconds to AzureProvisionerOptions (default: 60s, range: 5-600s)
• Apply ProcessTimeout consistently to all process-backed credential types (AzureCli, AzurePowerShell, VisualStudio, AzureDeveloperCli)
• Leave DefaultAzureCredential unchanged at 15s per-subprocess timeout to avoid changing run-mode behavior
• Wrap ValidateAzureLoginAsync with a linked CancellationTokenSource to distinguish timeout from auth failure, providing specific error messages for each

Configuration

# Environment variable
export Azure__CredentialProcessTimeoutSeconds=120

# Or in appsettings.json / user-secrets
{
  "Azure": {
    "CredentialProcessTimeoutSeconds": 120
  }
}

Error Messages

Timeout:

Azure credential validation timed out after 60 seconds. This can happen when the Azure CLI is slow to respond (e.g., antivirus scanning, network latency). To increase the timeout, set Azure__CredentialProcessTimeoutSeconds to a higher value (e.g., 120).

Auth failure (unchanged):

Azure CLI authentication failed. Please run az login to authenticate before deploying.

Changes

File	Change
AzureProvisionerOptions.cs	Added CredentialProcessTimeoutSeconds property with [Range(5, 600)] validation
DefaultTokenCredentialProvider.cs	Applied ProcessTimeout to AzureCli, AzurePowerShell, VisualStudio, AzureDeveloperCli credentials
AzureEnvironmentResource.cs	Linked CTS with CancelAfter in ValidateAzureLoginAsync for timeout-specific error messaging
AspireAzureConfigurationSchema.json	Added schema entry for appsettings discoverability
AzureProvisionerOptionsTests.cs	7 tests: defaults, range validation, boundary cases

Testing

• 9 unit tests passing (7 new + no regressions)
• Build succeeds
• Integration tests verify timeout & auth failure behavior with mock credentials

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a configurable timeout for Azure process-based credential validation during aspire deploy, aiming to prevent hangs and allow users to extend timeouts on slow machines.

Changes:

• Introduces CredentialProcessTimeoutSeconds (default 60s, range 5–600) on AzureProvisionerOptions.
• Applies a consistent ProcessTimeout to process-backed Azure.Identity credentials (Azure CLI/PowerShell/VS/AZD).
• Adds timeout-specific handling in ValidateAzureLoginAsync and updates configuration schema + unit tests.

Show a summary per file

File	Description
tests/Aspire.Hosting.Azure.Tests/AzureProvisionerOptionsTests.cs	Adds validation and basic construction tests for the new timeout option.
src/Aspire.Hosting.Azure/Provisioning/Internal/DefaultTokenCredentialProvider.cs	Plumbs the configured timeout into process-backed credential options.
src/Aspire.Hosting.Azure/Provisioning/AzureProvisionerOptions.cs	Adds the new CredentialProcessTimeoutSeconds option with range validation + docs.
src/Aspire.Hosting.Azure/AzureEnvironmentResource.cs	Implements linked-CTS timeout for credential validation and a timeout-specific message.
src/Aspire.Hosting.Azure/AspireAzureConfigurationSchema.json	Exposes the new setting in the JSON schema (bounds + default).

Copilot's findings

• Files reviewed: 5/5 changed files
• Comments generated: 3

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16175

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16175"

[spboyer]

Filed #16205 to track the full Azure SDK configurable credential adoption that @eerhardt suggested. That will replace the manual credential switch statement entirely with the SDK's ConfigurableCredential / WithAzureCredential integration.

This PR remains scoped to the immediate timeout fix — making CredentialProcessTimeout configurable and consistent across all credential paths, with actionable error messages on timeout. It unblocks users hitting the 13s default today while the larger SDK adoption is planned.

[spboyer]

@eerhardt — All feedback addressed, threads resolved. Per our Teams discussion, proceeding with the custom CredentialProcessTimeoutSeconds property for 13.3, with SDK adoption tracked in #16205 for 13.4. Ready for your review when you get a chance. Thanks!

[eerhardt]

Thanks for the contribution!

[github-actions]

Re-running the failed jobs in the CI workflow for this pull request because 1 job was identified as retry-safe transient failures in the CI run attempt.
GitHub was asked to rerun all failed jobs for that attempt, and the rerun is being tracked in the rerun attempt.
The job links below point to the failed attempt jobs that matched the retry-safe transient failure rules.

• Tests / Hosting-1 / Hosting-1 (windows-latest) - Job-level runner or infrastructure failure matched the transient allowlist.