/// <summary> /// Gets a valid token using a Service Principal or a Managed Identity /// </summary> public static async Task <TokenCredentials> GetTokenCredentialsAsync(string resource, string tenantId, AzureAuthenticationInfo authenticationInfo, System.Uri azureAuthorityHost) { Guard.NotNullOrWhitespace(resource, nameof(resource)); Guard.NotNullOrWhitespace(tenantId, nameof(tenantId)); Guard.NotNull(authenticationInfo, nameof(authenticationInfo)); TokenCredential tokenCredential; var tokenCredentialOptions = new TokenCredentialOptions { AuthorityHost = azureAuthorityHost }; switch (authenticationInfo.Mode) { case AuthenticationMode.ServicePrincipal: tokenCredential = new ClientSecretCredential(tenantId, authenticationInfo.IdentityId, authenticationInfo.Secret, tokenCredentialOptions); break; case AuthenticationMode.UserAssignedManagedIdentity: tokenCredential = new ManagedIdentityCredential(authenticationInfo.IdentityId, tokenCredentialOptions); break; case AuthenticationMode.SystemAssignedManagedIdentity: tokenCredential = new ManagedIdentityCredential(options: tokenCredentialOptions); break; default: tokenCredential = new DefaultAzureCredential(); break; } // When you reaching an endpoint, using an impersonate identity, the only endpoint available is always '/.default' // MSAL add the './default' string to your resource request behind the scene. // We have to do it here, since we are at a lower level(and we are not using MSAL; by the way) if (!resource.ToLowerInvariant().EndsWith("/.default")) { if (!resource.EndsWith("/")) { resource += "/"; } resource += ".default"; } var accessToken = await tokenCredential.GetTokenAsync(new TokenRequestContext(new[] { resource }), default); return(new TokenCredentials(accessToken.Token)); }
private static AzureCredentials GetServicePrincipleCredentials(AzureEnvironment azureCloud, string tenantId, AzureAuthenticationInfo azureAuthenticationInfo, AzureCredentialsFactory azureCredentialsFactory) { if (string.IsNullOrWhiteSpace(azureAuthenticationInfo.IdentityId)) { throw new AuthenticationException("No identity was configured for service principle authentication"); } if (string.IsNullOrWhiteSpace(azureAuthenticationInfo.Secret)) { throw new AuthenticationException("No identity was configured for service principle authentication"); } return(azureCredentialsFactory.FromServicePrincipal(azureAuthenticationInfo.IdentityId, azureAuthenticationInfo.Secret, tenantId, azureCloud)); }
private static AzureCredentials GetUserAssignedManagedIdentityCredentials(AzureEnvironment azureCloud, string tenantId, AzureAuthenticationInfo azureAuthenticationInfo, AzureCredentialsFactory azureCredentialsFactory) { if (string.IsNullOrWhiteSpace(azureAuthenticationInfo.IdentityId)) { throw new AuthenticationException("No identity was configured for user-assigned managed identity"); } return(azureCredentialsFactory.FromUserAssigedManagedServiceIdentity(azureAuthenticationInfo.IdentityId, MSIResourceType.VirtualMachine, azureCloud, tenantId)); }
public static AzureCredentials CreateAzureAuthentication(AzureEnvironment azureCloud, string tenantId, AzureAuthenticationInfo azureAuthenticationInfo, AzureCredentialsFactory azureCredentialsFactory) { AzureCredentials credentials; switch (azureAuthenticationInfo.Mode) { case AuthenticationMode.ServicePrincipal: credentials = GetServicePrincipleCredentials(azureCloud, tenantId, azureAuthenticationInfo, azureCredentialsFactory); break; case AuthenticationMode.UserAssignedManagedIdentity: credentials = GetUserAssignedManagedIdentityCredentials(azureCloud, tenantId, azureAuthenticationInfo, azureCredentialsFactory); break; default: credentials = GetSystemAssignedManagedIdentityCredentials(azureCloud, tenantId, azureCredentialsFactory); break; } return(credentials); }