Add IsMtlsPopSupportedByHost to ManagedIdentitySourceResult#6026

Open
bgavrilMS wants to merge 2 commits into bogavril/fix-imds-source-caching-6024 from bogavril/mtls-pop-host-check

Add IsMtlsPopSupportedByHost to ManagedIdentitySourceResult#6026
bgavrilMS wants to merge 2 commits into
bogavril/fix-imds-source-caching-6024from
bogavril/mtls-pop-host-check

Conversation

@bgavrilMS
Member

Summary

During IMDS discovery (GetManagedIdentitySourceAsync), after the v1 probe succeeds, fetch compute metadata from /metadata/instance/compute to determine if the host VM supports mTLS PoP.

New public API

IsMtlsPopSupportedByHost is true when:

  • The VM runs Windows (osType == "Windows")
  • AND the VM has a TVM (TrustedLaunch) or CVM (ConfidentialVM) security profile

Returns false when:

  • Compute metadata endpoint returns 404 or is unreachable
  • The VM is Linux
  • The VM has no TVM/CVM security profile
  • Running on net462 (skipped entirely)

Implementation

  • ComputeMetadataResponse (internal) - minimal model for IMDS compute metadata
  • ImdsComputeMetadataManager (internal) - fetches /metadata/instance/compute and evaluates mTLS PoP support
  • Compute metadata is fetched only after a successful v1 probe, and only on non-net462 TFMs

Tests (5 new)

  • Windows + TrustedLaunch -> true
  • Windows + ConfidentialVM -> true
  • Linux + TrustedLaunch -> false
  • Windows + no security profile -> false
  • Compute metadata 404 -> false

All 388 ManagedIdentity tests pass.
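The decision rule in the summary above, worked through as an added example rather than MSAL.NET's own ImdsComputeMetadataManager; the JSON field names osType and securityProfile.securityType and the api-version are assumptions about the IMDS compute document:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Added example, not MSAL.NET's ImdsComputeMetadataManager. The field names "osType" and
// "securityProfile.securityType" and the api-version are assumptions about the IMDS document.
internal static class ComputeMetadataProbe
{
    // Decision rule from the PR: osType is Windows AND the security profile is TVM or CVM.
    public static bool EvaluateMtlsPopSupport(string computeJson)
    {
        using JsonDocument doc = JsonDocument.Parse(computeJson);
        JsonElement root = doc.RootElement;
        if (!root.TryGetProperty("osType", out JsonElement osType) ||
            !string.Equals(osType.GetString(), "Windows", StringComparison.OrdinalIgnoreCase))
        {
            return false; // Linux host, or osType missing
        }
        if (!root.TryGetProperty("securityProfile", out JsonElement profile) ||
            !profile.TryGetProperty("securityType", out JsonElement securityType))
        {
            return false; // no TVM/CVM security profile reported
        }
        string type = securityType.GetString();
        return string.Equals(type, "TrustedLaunch", StringComparison.OrdinalIgnoreCase)
            || string.Equals(type, "ConfidentialVM", StringComparison.OrdinalIgnoreCase);
    }

    // Any failure (404, unreachable endpoint, malformed body) yields false so the caller
    // falls back to bearer tokens; cancellation is rethrown instead of being swallowed.
    public static async Task<bool> IsMtlsPopSupportedByHostAsync(HttpClient client, CancellationToken ct)
    {
        try
        {
            using var request = new HttpRequestMessage(HttpMethod.Get,
                "http://169.254.169.254/metadata/instance/compute?api-version=2023-07-01");
            request.Headers.Add("Metadata", "true"); // IMDS rejects requests without this header
            using HttpResponseMessage response = await client.SendAsync(request, ct).ConfigureAwait(false);
            if (response.StatusCode != HttpStatusCode.OK) return false;
            string body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
            return EvaluateMtlsPopSupport(body);
        }
        catch (OperationCanceledException) { throw; }
        catch (Exception) { return false; } // the real implementation logs the message; this example only returns false
    }
}
```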

bgavrilMS and others added 2 commits May 22, 2026 15:19
During IMDS discovery, after the v1 probe succeeds, fetch compute
metadata from /metadata/instance/compute to determine if the host VM
supports mTLS PoP. The flag is true when the VM is Windows and has a
TVM (TrustedLaunch) or CVM (ConfidentialVM) security profile.

- Add internal ComputeMetadataResponse/ComputeSecurityProfile models
- Add ImdsComputeMetadataManager to fetch and evaluate compute metadata
- Add IsMtlsPopSupportedByHost public property on ManagedIdentitySourceResult
- Add 5 tests covering Windows TVM/CVM, Linux, no security profile, 404

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@bgavrilMS bgavrilMS requested a review from a team as a code owner May 22, 2026 14:40
}
catch (OperationCanceledException)
{
throw;
Member Author

Why catch throw?

}
catch (Exception ex)
{
logger.Info($"[Managed Identity] IMDS compute metadata request failed with exception: {ex.Message}");
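Review bot: the catch (OperationCanceledException) { throw; } clause is not a no-op; it is what keeps the catch (Exception ex) below from swallowing cancellation and reporting it as a metadata failure, so a one-line comment stating that intent would answer the question raised on it. In the general catch, consider including the exception type alongside ex.Message, since different failure causes otherwise produce indistinguishable Info-level entries.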
Member Author

logs it as error
