Add AzureApplicationCredential #19403

Merged
merged 4 commits into from
Jun 30, 2021

chlowell
Member

@chlowell chlowell commented Jun 22, 2021

It's the first two links of DefaultAzureCredential, namely EnvironmentCredential and ManagedIdentityCredential, so a better default for an application deployed to Azure that doesn't want to authenticate as a user or through dev tools.

Closes #18020, closes #19309

@check-enforcer

This pull request is protected by Check Enforcer.

What is Check Enforcer?

Check Enforcer helps ensure all pull requests are covered by at least one check-run (typically an Azure Pipeline). When all check-runs associated with this pull request pass then Check Enforcer itself will pass.

Why am I getting this message?

You are getting this message because Check Enforcer did not detect any check-runs being associated with this pull request within five minutes. This may indicate that your pull request is not covered by any pipelines and so Check Enforcer is correctly blocking the pull request being merged.

What should I do now?

If the check-enforcer check-run is not passing and all other check-runs associated with this PR are passing (excluding license-cla) then you could try telling Check Enforcer to evaluate your pull request again. You can do this by adding a comment to this pull request as follows:
/check-enforcer evaluate
Typically evaluation only takes a few seconds. If you know that your pull request is not covered by a pipeline and this is expected you can override Check Enforcer using the following command:
/check-enforcer override
Note that using the override command triggers alerts so that follow-up investigations can occur (PRs still need to be approved as normal).

What if I am onboarding a new service?

Often, new services do not have validation pipelines associated with them. In order to bootstrap pipelines for a new service, you can issue the following command as a pull request comment:
/azp run prepare-pipelines
This will run a pipeline that analyzes the source tree and creates the pipelines necessary to build and validate your pull request. Once the pipeline has been created you can trigger the pipeline using the following comment:
/azp run python - [service] - ci

Member

@mccoyp mccoyp left a comment

Looks good to me -- my only question is about the open question that was posed in the credential proposal doc:

OPEN QUESTION: Should the AzureApplicationCredential allow users to specify service principal credential details through code? This would be different from the DefaultAzureCredential where users can only provide service principal credential information via environment variables. However, since this new credential strictly authenticates applications perhaps also providing a means to configure via code makes sense.

Did everyone agree to stick to the DefaultAzureCredential-style flow for now? I assume that means that AZURE_TENANT_ID, etc. are only provided as environment variables and can't be provided as, say, kwargs.

@chlowell
Member Author

We haven't discussed it, so no consensus on that question as yet. I started without API for specifying a service principal because I think developers who want to do that should use Certificate- or ClientSecretCredential instead. What do you think?

@mccoyp
Member

mccoyp commented Jun 25, 2021

I think I agree. It's better to add that support later if it's desired than get stuck with a feature that's not useful, since I don't see much value in using the AzureApplicationCredential in that scenario. The only useful application I can think of off the top of my head would be if someone wanted to override (a) particular environment variable(s), but that seems like an edge case.

@chlowell chlowell enabled auto-merge (squash) June 30, 2021 00:59
@chlowell chlowell merged commit a60d5d1 into Azure:main Jun 30, 2021
@chlowell chlowell deleted the app-credential branch June 30, 2021 01:18
rakshith91 pushed a commit to rakshith91/azure-sdk-for-python that referenced this pull request Jul 16, 2021
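
The chain discussed in this PR (EnvironmentCredential first, then ManagedIdentityCredential, configured only through environment variables) can be modelled offline to see which identity a deployment would end up using. This is an added example, not code from the PR or the Azure SDK; `plan_application_auth` and its return shape are hypothetical, and the variable names beyond AZURE_TENANT_ID are the ones EnvironmentCredential reads rather than names given on this page.

```python
import os

# Variable sets read by EnvironmentCredential, in the order it checks them.
# The last name in each tuple is the secret-bearing variable for that mode.
ENV_MODES = (
    ("client_secret",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")),
    ("client_certificate",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH")),
    ("username_password",
     ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD")),
)


def plan_application_auth(env=None):
    """Hypothetical helper: report which link of the two-link chain would
    be attempted for a given environment, without contacting Azure."""
    env = os.environ if env is None else env
    warnings = []
    for mode, required in ENV_MODES:
        if all(name in env for name in required):
            if mode == "username_password":
                warnings.append("environment configures a user account, "
                                "not an application identity")
            return {"link": "EnvironmentCredential", "mode": mode,
                    "warnings": warnings}
        missing = [name for name in required if name not in env]
        # A secret-bearing variable without its companions means this
        # mode is half-configured and will be skipped.
        if required[-1] in env:
            warnings.append(f"{required[-1]} is set but "
                            f"{', '.join(missing)} is missing; skipping {mode}")
    # Nothing usable in the environment: the chain moves to its second link.
    return {"link": "ManagedIdentityCredential", "mode": None,
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a secret was injected but the tenant ID was not.
    sample = {"AZURE_CLIENT_ID": "placeholder-id",
              "AZURE_CLIENT_SECRET": "placeholder-secret"}
    print(plan_application_auth(sample))
```

Running it in a deployment's startup checks surfaces the case where a half-configured service principal silently falls through to the managed identity.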
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library.
Development

Successfully merging this pull request may close these issues.

Create AzureApplicationCredential [FEATURE REQ] Create AzureApplicationCredential
3 participants