Prioritize AzureCliCredential for secret-manager

dotnet · Mar 1, 2024 · c411d0a · c411d0a
1 parent b5ecc31
commit c411d0a
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 2 deletions.
diff --git a/src/SecretManager/Microsoft.DncEng.SecretManager/ITokenCredentialProvider.cs b/src/SecretManager/Microsoft.DncEng.SecretManager/ITokenCredentialProvider.cs
@@ -0,0 +1,9 @@
+using System.Threading.Tasks;
+using Azure.Core;
+
+namespace Microsoft.DncEng.SecretManager;
+
+public interface ITokenCredentialProvider
+{
+    public Task<TokenCredential> GetCredentialAsync();
+}
diff --git a/src/SecretManager/Microsoft.DncEng.SecretManager/Program.cs b/src/SecretManager/Microsoft.DncEng.SecretManager/Program.cs
@@ -14,6 +14,7 @@ public static Task<int> Main(string[] args)
 
     protected override void ConfigureServices(IServiceCollection services)
     {
+        services.AddSingleton<ITokenCredentialProvider, SecretManagerCredentialProvider>();
         services.AddSingleton<SecretTypeRegistry>();
         services.AddSingleton<StorageLocationTypeRegistry>();
         services.AddSingleton<SettingsFileValidator>();

diff --git a/src/SecretManager/Microsoft.DncEng.SecretManager/SecretManagerCredentialProvider.cs b/src/SecretManager/Microsoft.DncEng.SecretManager/SecretManagerCredentialProvider.cs
@@ -0,0 +1,22 @@
+using System;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Identity;
+
+namespace Microsoft.DncEng.SecretManager;
+
+public sealed class SecretManagerCredentialProvider : ITokenCredentialProvider
+{
+    // Expect AzureCliCredential for CI and local dev environments. 
+    // Use InteractiveBrowserCredential as a fallback for local dev environments.
+    private readonly Lazy<TokenCredential> _credential = new(() =>
+        new ChainedTokenCredential(
+            new AzureCliCredential(new AzureCliCredentialOptions { TenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47" }),
+            new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions() { TenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47" })
+        ));
+
+    public Task<TokenCredential> GetCredentialAsync()
+    {
+        return Task.FromResult(_credential.Value);
+    }
+}
diff --git a/src/SecretManager/Microsoft.DncEng.SecretManager/StorageTypes/AzureKeyVault.cs b/src/SecretManager/Microsoft.DncEng.SecretManager/StorageTypes/AzureKeyVault.cs
@@ -22,10 +22,10 @@ public class AzureKeyVaultParameters
 public class AzureKeyVault : StorageLocationType<AzureKeyVaultParameters>
 {
     public const string NextRotationOnTag = "next-rotation-on";
-    private readonly TokenCredentialProvider _tokenCredentialProvider;
+    private readonly ITokenCredentialProvider _tokenCredentialProvider;
     private readonly IConsole _console;
 
-    public AzureKeyVault(TokenCredentialProvider tokenCredentialProvider, IConsole console)
+    public AzureKeyVault(ITokenCredentialProvider tokenCredentialProvider, IConsole console)
     {
         _tokenCredentialProvider = tokenCredentialProvider;
         _console = console;