Merge pull request microsoft#431 from microsoft/fix/managed-identity-upgrade

Prajwal-Microsoft · web-flow · commit 5516f9560aec · 2025-07-31T18:18:09.000+05:30
fix: replace DefaultAzureCredential with ManagedIdentityCredential
diff --git a/App/backend-api/Microsoft.GS.DPS.Host/AppConfiguration/AppConfiguration.cs b/App/backend-api/Microsoft.GS.DPS.Host/AppConfiguration/AppConfiguration.cs
@@ -1,6 +1,7 @@
 ﻿using Azure.Identity;
 using Microsoft.Extensions.Azure;
 using Microsoft.GS.DPSHost.AppConfiguration;
+using Microsoft.GS.DPSHost.Helpers;
 
 namespace Microsoft.GS.DPSHost.AppConfiguration
 {
@@ -16,7 +17,7 @@ public static void Config(IHostApplicationBuilder builder)
             //Read AppConfiguration with managed Identity
             builder.Configuration.AddAzureAppConfiguration(options =>
             {
-                options.Connect(new Uri(builder.Configuration["ConnectionStrings:AppConfig"]), new DefaultAzureCredential());
+                options.Connect(new Uri(builder.Configuration["ConnectionStrings:AppConfig"]), AzureCredentialHelper.GetAzureCredential());
             });
 
             //Read ServiceConfiguration
diff --git a/App/backend-api/Microsoft.GS.DPS.Host/Helpers/AzureCredentialHelper.cs b/App/backend-api/Microsoft.GS.DPS.Host/Helpers/AzureCredentialHelper.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Identity;
+
+namespace Microsoft.GS.DPSHost.Helpers
+{
+    /// <summary>
+    /// The Azure Credential Helper class
+    /// </summary>
+    public static class AzureCredentialHelper
+    {
+        /// <summary>
+        /// Get the Azure Credentials based on the environment type
+        /// </summary>
+        /// <param name="clientId">The client Id in case of User assigned Managed identity</param>
+        /// <returns>The Credential Object</returns>
+        public static TokenCredential GetAzureCredential(string? clientId = null)
+        {
+            var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";
+
+            if (string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase))
+            {
+                return new DefaultAzureCredential(); // CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+            }
+            else
+            {
+                return clientId != null
+                    ? new ManagedIdentityCredential(clientId)
+                    : new ManagedIdentityCredential();
+            }
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`using Azure.Identity;`
`2`	`2`	`using Microsoft.Extensions.Azure;`
`3`	`3`	`using Microsoft.GS.DPSHost.AppConfiguration;`
	`4`	`+using Microsoft.GS.DPSHost.Helpers;`
`4`	`5`
`5`	`6`	`namespace Microsoft.GS.DPSHost.AppConfiguration`
`6`	`7`	`{`
`@@ -16,7 +17,7 @@ public static void Config(IHostApplicationBuilder builder)`
`16`	`17`	`//Read AppConfiguration with managed Identity`
`17`	`18`	`builder.Configuration.AddAzureAppConfiguration(options =>`
`18`	`19`	`{`
`19`		`- options.Connect(new Uri(builder.Configuration["ConnectionStrings:AppConfig"]), new DefaultAzureCredential());`
	`20`	`+ options.Connect(new Uri(builder.Configuration["ConnectionStrings:AppConfig"]), AzureCredentialHelper.GetAzureCredential());`
`20`	`21`	`});`
`21`	`22`
`22`	`23`	`//Read ServiceConfiguration`