Skip to content

fix: Replace DefaultAzureCredential with ManagedIdentityCredential for production-safe authentication#1876

Merged
Prajwal-Microsoft merged 3 commits intomainfrom
sfi-cred-change
Aug 1, 2025
Merged

fix: Replace DefaultAzureCredential with ManagedIdentityCredential for production-safe authentication#1876
Prajwal-Microsoft merged 3 commits intomainfrom
sfi-cred-change

Conversation

@Prasanjeet-Microsoft
Copy link
Copy Markdown
Contributor

@Prasanjeet-Microsoft Prasanjeet-Microsoft commented Aug 1, 2025

Purpose

This pull request introduces a significant refactor to replace the use of DefaultAzureCredential with a new utility function, get_azure_credential, which selects the appropriate Azure credential based on the application environment (dev or prod). Additionally, a new environment variable APP_ENV has been added to .env.sample to support this functionality. Below are the key changes grouped by theme:

Credential Management Refactor:

  • Introduced get_azure_credential in azure_credential_utils.py, which dynamically selects between DefaultAzureCredential and ManagedIdentityCredential based on the APP_ENV variable.
  • Updated all instances of DefaultAzureCredential across multiple files to use get_azure_credential, ensuring consistent credential management. For example:

Environment Variable Addition:

  • Added APP_ENV to .env.sample to specify the application environment (e.g., dev or prod). This variable is used to determine the credential type in get_azure_credential.

Bug Fix:

  • Corrected a typo in env_helper.py by changing SEMENTIC_KERNEL_SYSTEM_PROMPT to SEMANTIC_KERNEL_SYSTEM_PROMPT.

Documentation and Comments:

  • Updated comments and docstrings across the codebase to reflect the use of get_azure_credential instead of DefaultAzureCredential. For example, in env_helper.py.

This refactor improves the flexibility and security of credential management by dynamically adapting to different environments, while maintaining backward compatibility for existing functionality.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

What to Check

Verify that the following are valid:

  • All usages of DefaultAzureCredential replaced
  • Authentication logic tested locally or in a dev environment
  • Regression tested (i.e., existing functionality relying on authentication continues to work)
  • Confirmed no hardcoded secrets or fallback dev credentials remain

@Prajwal-Microsoft Prajwal-Microsoft self-requested a review August 1, 2025 14:11
@Prajwal-Microsoft Prajwal-Microsoft added this pull request to the merge queue Aug 1, 2025
Merged via the queue into main with commit 6eafdfa Aug 1, 2025
14 checks passed
@Prajwal-Microsoft Prajwal-Microsoft deleted the sfi-cred-change branch August 12, 2025 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Prajwal-Microsoft Prajwal-Microsoft Prajwal-Microsoft approved these changes

@Vinay-Microsoft Vinay-Microsoft Vinay-Microsoft approved these changes

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Prasanjeet-Microsoft @Prajwal-Microsoft @Vinay-Microsoft