From 78ea133a3db6abdc29982bb0aa980a50a6d391dc Mon Sep 17 00:00:00 2001
From: Gaurav Sinha <39692417+gaurav137@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:13:53 +0000
Subject: [PATCH 1/2] Az cli v 2.74 support
---
 Program.cs | 15 +++++++++++++++
 README.md | 4 +++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Program.cs b/Program.cs
index 1235c02..312ef1e 100644
--- a/Program.cs
+++ b/Program.cs
@@ -47,6 +47,21 @@
 return Results.Ok(result);
 });
+// az cli v2.74+: Can be consumed by "az login --identity" by specifying AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable to this action URL
+// https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/d49296c1b2a929a6ab11380e237daa89a5298512/msal/managed_identity.py#L473
+app.MapGet("/metadata/identity/oauth2/token", async (HttpContext context, string resource, CancellationToken cancellationToken) =>
+{
+ var token = await tokenCredential.GetTokenAsync(new TokenRequestContext([resource]), cancellationToken);
+ var result = new JsonObject()
+ {
+ ["access_token"] = token.Token,
+ ["expires_in"] = (token.ExpiresOn - DateTimeOffset.UtcNow).TotalSeconds,
+ ["token_type"] = "Bearer",
+ ["resource"] = resource,
+ };
+ return Results.Ok(result);
+});
+
 app.Run();
 [JsonSourceGenerationOptions]
diff --git a/README.md b/README.md
index b8647f0..64d482c 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,9 @@ Then, we must add two environment variables to each service:
 With these two environment variables, any service that uses `DefaultAzureCredential` or `ManagedIdentityCredential` will now call the proxy when Azure credentials are needed. This is because one of `ManagedIdentityCredential`'s [source implementations](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.6.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs) explicitly looks for both of these environment variables if they are specified.
 > [!NOTE]
-> If you are using using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
+> If you are using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
+> For `az cli` v2.74 and above:
+> Specify `AZURE_POD_IDENTITY_AUTHORITY_HOST`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080` with no trailing path like `/token`) environment variable instead.
 With this proxy, Dockerfiles can remain untouched and production-ready. The proxy can easily be added to an existing `docker-compose.yml`, and the environment variables are also easy to add. Now, the containerized environment looks like this:
From fe1ff88c7518d7365bc607910e74096c2212a325 Mon Sep 17 00:00:00 2001
From: Gaurav Sinha <39692417+gaurav137@users.noreply.github.com>
Date: Fri, 27 Jun 2025 01:48:21 +0000
Subject: [PATCH 2/2] Updates
---
 Program.cs | 19 +++---------------
 README.md | 6 +++---
 2 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/Program.cs b/Program.cs
index 312ef1e..2c1f062 100644
--- a/Program.cs
+++ b/Program.cs
@@ -15,6 +15,8 @@
 // Can be consumed by ManagedIdentityCredential by specifying IDENTITY_ENDPOINT and IMDS_ENDPOINT environment variables to this action URL
 // See https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.8.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs
+// For supporting "az login --identity" (version >= 2.74) this can be consumed by specifying IDENTITY_ENDPOINT and IDENTITY_HEADER environment
+// variables. See https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/b1d8cd71145a8b1889b490f9b0dfbe4b1ac3a7f1/msal/managed_identity.py#L437
 app.MapGet("/token", async (HttpContext context, string resource, CancellationToken cancellationToken) =>
 {
 var token = await tokenCredential.GetTokenAsync(new TokenRequestContext([resource]), cancellationToken);
@@ -29,7 +31,7 @@
 return Results.Ok(result);
 });
-// Can be consumed by "az login --identity" by specifying MSI_ENDPOINT environment variable to this action URL
+// Can be consumed by "az login --identity" (version < 2.74) by specifying MSI_ENDPOINT environment variable to this action URL
 // https://github.com/Azure/msrestazure-for-python/blob/master/msrestazure/azure_active_directory.py#L474
 app.MapPost("/token", async (HttpContext context, HttpRequest request, CancellationToken cancellationToken) =>
 {
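Review bot: The comment added above the GET `/token` handler says az cli >= 2.74 reaches it via `IDENTITY_ENDPOINT` plus `IDENTITY_HEADER`, but the handler signature in this hunk binds only `resource`, so the header value the client sends back is never read and the variable acts purely as a client-side switch; the handler body continues outside the hunk, so I cannot confirm it is not checked further down. In the MSAL flow the linked comment points to, the `IDENTITY_HEADER` value appears to be returned to the endpoint as a request header, which would make it usable as a shared secret if the proxy wanted one. Either way the comment should state which it is, e.g. `// IDENTITY_HEADER is required by the client but its value is not validated here; any caller that can reach this port can obtain tokens, so rely on network isolation.` If validation is wanted instead, compare the incoming header against a configured value with `CryptographicOperations.FixedTimeEquals` and return 401 on mismatch, and update the README wording ("arbitrary but mandatory value") to match.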
@@ -47,21 +49,6 @@
 return Results.Ok(result);
 });
-// az cli v2.74+: Can be consumed by "az login --identity" by specifying AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable to this action URL
-// https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/d49296c1b2a929a6ab11380e237daa89a5298512/msal/managed_identity.py#L473
-app.MapGet("/metadata/identity/oauth2/token", async (HttpContext context, string resource, CancellationToken cancellationToken) =>
-{
- var token = await tokenCredential.GetTokenAsync(new TokenRequestContext([resource]), cancellationToken);
- var result = new JsonObject()
- {
- ["access_token"] = token.Token,
- ["expires_in"] = (token.ExpiresOn - DateTimeOffset.UtcNow).TotalSeconds,
- ["token_type"] = "Bearer",
- ["resource"] = resource,
- };
- return Results.Ok(result);
-});
-
 app.Run();
 [JsonSourceGenerationOptions]
diff --git a/README.md b/README.md
index 64d482c..4dc6df4 100644
--- a/README.md
+++ b/README.md
@@ -70,9 +70,9 @@ Then, we must add two environment variables to each service:
 With these two environment variables, any service that uses `DefaultAzureCredential` or `ManagedIdentityCredential` will now call the proxy when Azure credentials are needed. This is because one of `ManagedIdentityCredential`'s [source implementations](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.6.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs) explicitly looks for both of these environment variables if they are specified.
 > [!NOTE]
-> If you are using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
-> For `az cli` v2.74 and above:
-> Specify `AZURE_POD_IDENTITY_AUTHORITY_HOST`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080` with no trailing path like `/token`) environment variable instead.
+> If you are using `az cli` in your service and your service wants to do `az login --identity` then:
+> For `az cli` version < 2.74: specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
+> For `az cli` v2.74 and above: Specify `IDENTITY_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead along with `IDENTITY_HEADER`: an arbitrary but mandatory value (e.g., "random-placeholder").
 With this proxy, Dockerfiles can remain untouched and production-ready. The proxy can easily be added to an existing `docker-compose.yml`, and the environment variables are also easy to add. Now, the containerized environment looks like this: