public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string msiEndpoint = EnvironmentVariables.MsiEndpoint;
// if ONLY the env var MSI_ENDPOINT is set the MsiType is CloudShell
if (string.IsNullOrEmpty(msiEndpoint))
{
return(default);
protected AppServiceManagedIdentitySource(CredentialPipeline pipeline, Uri endpoint, string secret,
ManagedIdentityClientOptions options) : base(pipeline)
{
_endpoint = endpoint;
_secret = secret;
_clientId = options.ClientId;
_resourceId = options.ResourceIdentifier?.ToString();
}
private CloudShellManagedIdentitySource(Uri endpoint, ManagedIdentityClientOptions options) : base(options.Pipeline)
{
_endpoint = endpoint;
if (!string.IsNullOrEmpty(options.ClientId) || null != options.ResourceIdentifier)
{
AzureIdentityEventSource.Singleton.UserAssignedManagedIdentityNotSupported("Cloud Shell");
}
}
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
var msiSecret = EnvironmentVariables.MsiSecret;
return(TryValidateEnvVars(EnvironmentVariables.MsiEndpoint, msiSecret, out Uri endpointUri)
? new AppServiceV2017ManagedIdentitySource(options.Pipeline, endpointUri, msiSecret, options)
: null);
}
private static ManagedIdentitySource SelectManagedIdentitySource(ManagedIdentityClientOptions options)
{
return(AppServiceV2017ManagedIdentitySource.TryCreate(options) ??
CloudShellManagedIdentitySource.TryCreate(options) ??
AzureArcManagedIdentitySource.TryCreate(options) ??
ServiceFabricManagedIdentitySource.TryCreate(options) ??
TokenExchangeManagedIdentitySource.TryCreate(options) ??
new ImdsManagedIdentitySource(options));
}
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string msiEndpoint = EnvironmentVariables.MsiEndpoint;
string msiSecret = EnvironmentVariables.MsiSecret;
// if BOTH the env vars MSI_ENDPOINT and MSI_SECRET are set the MsiType is AppService
if (string.IsNullOrEmpty(msiEndpoint) || string.IsNullOrEmpty(msiSecret))
{
return(default);
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string identityEndpoint = EnvironmentVariables.IdentityEndpoint;
string imdsEndpoint = EnvironmentVariables.ImdsEndpoint;
// if BOTH the env vars IDENTITY_ENDPOINT and IMDS_ENDPOINT are set the MsiType is Azure Arc
if (string.IsNullOrEmpty(identityEndpoint) || string.IsNullOrEmpty(imdsEndpoint))
{
return(default);
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string tokenFilePath = EnvironmentVariables.AzureFederatedTokenFile;
string tenantId = EnvironmentVariables.TenantId;
string clientId = options.ClientId ?? EnvironmentVariables.ClientId;
if (string.IsNullOrEmpty(tokenFilePath) || string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(clientId))
{
return(default);
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string identityEndpoint = EnvironmentVariables.IdentityEndpoint;
string identityHeader = EnvironmentVariables.IdentityHeader;
string identityServerThumbprint = EnvironmentVariables.IdentityServerThumbprint;
if (string.IsNullOrEmpty(identityEndpoint) || string.IsNullOrEmpty(identityHeader) || string.IsNullOrEmpty(identityServerThumbprint))
{
return(default);
public ManagedIdentityClient(ManagedIdentityClientOptions options)
{
if (options.ClientId != null && options.ResourceIdentifier != null)
{
throw new ArgumentException(
$"{nameof(ManagedIdentityClientOptions)} cannot specify both {nameof(options.ResourceIdentifier)} and {nameof(options.ClientId)}.");
}
ClientId = options.ClientId;
Pipeline = options.Pipeline;
_identitySource = new Lazy <ManagedIdentitySource>(() => SelectManagedIdentitySource(options));
}
public static async ValueTask <ManagedIdentitySource> TryCreateAsync(ManagedIdentityClientOptions options, bool async, CancellationToken cancellationToken)
{
// if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
if (!string.IsNullOrEmpty(EnvironmentVariables.PodIdentityEndpoint))
{
var builder = new UriBuilder(EnvironmentVariables.PodIdentityEndpoint);
builder.Path = imddsTokenPath;
return(new ImdsManagedIdentitySource(options.Pipeline, options.ClientId, builder.Uri));
}
AzureIdentityEventSource.Singleton.ProbeImdsEndpoint(s_imdsEndpoint);
bool available;
// try to create a TCP connection to the IMDS IP address. If the connection can be established
// we assume that IMDS is available. If connecting times out or fails to connect assume that
// IMDS is not available in this environment.
try
{
using var client = new TcpClient();
Task connectTask = client.ConnectAsync(s_imdsHostIp, s_imdsPort);
if (async)
{
using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
cts.CancelAfter(ImdsAvailableTimeoutMs);
await connectTask.AwaitWithCancellation(cts.Token);
available = client.Connected;
}
else
{
available = connectTask.Wait(ImdsAvailableTimeoutMs, cancellationToken) && client.Connected;
}
if (available)
{
AzureIdentityEventSource.Singleton.ImdsEndpointFound(s_imdsEndpoint);
}
else
{
AzureIdentityEventSource.Singleton.ImdsEndpointUnavailable(s_imdsEndpoint, "Establishing a connection timed out or failed without exception.");
}
}
catch (Exception e)
{
AzureIdentityEventSource.Singleton.ImdsEndpointUnavailable(s_imdsEndpoint, e);
available = false;
}
return(available ? new ImdsManagedIdentitySource(options.Pipeline, options.ClientId) : default);
internal ImdsManagedIdentitySource(ManagedIdentityClientOptions options) : base(options.Pipeline)
{
_clientId = options.ClientId;
_imdsNetworkTimeout = options.InitialImdsConnectionTimeout;
if (!string.IsNullOrEmpty(EnvironmentVariables.PodIdentityEndpoint))
{
var builder = new UriBuilder(EnvironmentVariables.PodIdentityEndpoint);
builder.Path = imddsTokenPath;
_imdsEndpoint = builder.Uri;
}
else
{
_imdsEndpoint = s_imdsEndpoint;
}
}
public static async ValueTask <ManagedIdentitySource> TryCreateAsync(ManagedIdentityClientOptions options, bool async, CancellationToken cancellationToken)
{
AzureIdentityEventSource.Singleton.ProbeImdsEndpoint(s_imdsEndpoint);
bool available;
// try to create a TCP connection to the IMDS IP address. If the connection can be established
// we assume that IMDS is available. If connecting times out or fails to connect assume that
// IMDS is not available in this environment.
try
{
using var client = new TcpClient();
Task connectTask = client.ConnectAsync(s_imdsHostIp, s_imdsPort);
if (async)
{
using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
cts.CancelAfter(ImdsAvailableTimeoutMs);
await connectTask.AwaitWithCancellation(cts.Token);
available = client.Connected;
}
else
{
available = connectTask.Wait(ImdsAvailableTimeoutMs, cancellationToken) && client.Connected;
}
}
catch
{
available = false;
}
if (available)
{
AzureIdentityEventSource.Singleton.ImdsEndpointFound(s_imdsEndpoint);
}
else
{
AzureIdentityEventSource.Singleton.ImdsEndpointUnavailable(s_imdsEndpoint);
}
return(available ? new ImdsManagedIdentitySource(options.Pipeline, options.ClientId) : default);
public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
{
string msiEndpoint = EnvironmentVariables.MsiEndpoint;
// if ONLY the env var MSI_ENDPOINT is set the MsiType is CloudShell
if (string.IsNullOrEmpty(msiEndpoint))
{
return default;
}
Uri endpointUri;
try
{
endpointUri = new Uri(msiEndpoint);
}
catch (FormatException ex)
{
throw new AuthenticationFailedException(MsiEndpointInvalidUriError, ex);
}
return new CloudShellManagedIdentitySource(endpointUri, options);
}
public ManagedIdentityClient(ManagedIdentityClientOptions options)
{
ClientId = options.ClientId;
Pipeline = options.Pipeline;
_identitySource = new Lazy <ManagedIdentitySource>(() => SelectManagedIdentitySource(options));
}
private AppServiceV2017ManagedIdentitySource(CredentialPipeline pipeline, Uri endpoint, string secret,
ManagedIdentityClientOptions options) : base(pipeline, endpoint, secret, options)
{
}
public ManagedIdentityClient(ManagedIdentityClientOptions options)
{
_options = options;
ClientId = options.ClientId;
Pipeline = options.Pipeline;
}
