chore: add support to use ManagedIdentityCredential when clientID is configured

mittachaitu · mittachaitu · commit dca2f1b20c38 · 2026-05-12T17:53:06.000Z
This commit add supports for ManagedIdentityCredential
when AZURE_CLIENT_ID is configured

Signed-off-by: Mitta Sai Chaithanya &lt;mittas@microsoft.com&gt;
diff --git a/cpp/azure/client/client.cc b/cpp/azure/client/client.cc
@@ -11,6 +11,7 @@
 
 #include <azure/storage/blobs.hpp>
 #include <azure/identity/default_azure_credential.hpp>
+#include <azure/identity/managed_identity_credential.hpp>
 #include <azure/storage/common/storage_credential.hpp>
 #include <azure/core/exception.hpp>
 
@@ -34,6 +35,7 @@ AzureClient::AzureClient(const common::backend_api::ObjectClientConfig_t& config
     // ClientConfiguration reads environment variables
     _account_name = _client_config.account_name;
     _account_key = _client_config.account_key;
+    _client_id = _client_config.client_id;
 #ifdef AZURITE_TESTING
     _connection_string = _client_config.connection_string;
 #endif
@@ -61,6 +63,10 @@ AzureClient::AzureClient(const common::backend_api::ObjectClientConfig_t& config
                 _connection_string = std::string(value);
             }
 #endif
+            else if (strcmp(key, "client_id") == 0)
+            {
+                _client_id = std::string(value);
+            }
             else
             {
                 LOG(WARNING) << "Unknown Azure parameter: " << key;
@@ -101,15 +107,28 @@ AzureClient::AzureClient(const common::backend_api::ObjectClientConfig_t& config
                 _blob_service_client = std::make_shared<BlobServiceClient>(url, credential, options);
                 LOG(DEBUG) << "Azure client initialized with StorageSharedKeyCredential for account: " << _account_name.value();
             } else {
-                // Use DefaultAzureCredential (managed identity, Azure CLI, environment variables, etc.)
-                // Reference: https://learn.microsoft.com/en-us/azure/developer/cpp/sdk/authentication
                 std::string url = "https://" + _account_name.value() + ".blob.core.windows.net";
-                // Share a single DefaultAzureCredential across all clients in the process to better
-                // utilize token caching and reduce chances of overwhelming authentication sources
-                // (e.g., IMDS) which can result in fatal throttling errors.
-                static auto credential = std::make_shared<Azure::Identity::DefaultAzureCredential>();
-                _blob_service_client = std::make_shared<BlobServiceClient>(url, credential, options);
-                LOG(DEBUG) << "Azure client initialized with DefaultAzureCredential for account: " << _account_name.value();
+                std::shared_ptr<Azure::Core::Credentials::TokenCredential> credential;
+
+                // Try DefaultAzureCredential first, fall back to ManagedIdentityCredential
+                // with explicit client_id (AZURE_CLIENT_ID is injected by webhooks into the pod)
+                try {
+                    LOG(DEBUG) << "Trying DefaultAzureCredential";
+                    static auto default_cred = std::make_shared<Azure::Identity::DefaultAzureCredential>();
+                    credential = default_cred;
+                    _blob_service_client = std::make_shared<BlobServiceClient>(url, credential, options);
+                    LOG(DEBUG) << "Azure client initialized with DefaultAzureCredential for account: " << _account_name.value();
+                } catch (const std::exception& e) {
+                    LOG(WARNING) << "DefaultAzureCredential failed: " << e.what();
+                    if (_client_id.has_value()) {
+                        LOG(DEBUG) << "Falling back to ManagedIdentityCredential with client_id: " << _client_id.value();
+                        credential = std::make_shared<Azure::Identity::ManagedIdentityCredential>(_client_id.value());
+                        _blob_service_client = std::make_shared<BlobServiceClient>(url, credential, options);
+                        LOG(DEBUG) << "Azure client initialized with ManagedIdentityCredential for account: " << _account_name.value();
+                    } else {
+                        throw;
+                    }
+                }
             }
         } else {
 #ifdef AZURITE_TESTING
diff --git a/cpp/azure/client/client.h b/cpp/azure/client/client.h
@@ -47,6 +47,7 @@ struct AzureClient : common::IClient
     // Azure credentials
     std::optional<std::string> _account_name;
     std::optional<std::string> _account_key;
+    std::optional<std::string> _client_id;
 #ifdef AZURITE_TESTING
     std::optional<std::string> _connection_string;
 #endif
diff --git a/cpp/azure/client_configuration/client_configuration.cc b/cpp/azure/client_configuration/client_configuration.cc
@@ -29,18 +29,20 @@ ClientConfiguration::ClientConfiguration()
     }
 
     // Account name configuration from environment variable
-    // Authentication uses DefaultAzureCredential which supports:
-    // - Environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET)
-    // - Managed Identity
-    // - Azure CLI
-    // - Visual Studio Code
-    // Reference: https://learn.microsoft.com/en-us/azure/developer/cpp/sdk/authentication
     const auto acct_name = utils::getenv<std::string>("AZURE_STORAGE_ACCOUNT_NAME", "");
     if (!acct_name.empty()) {
         LOG(DEBUG) << "Azure Storage account name: " << acct_name;
         account_name = acct_name;
     }
 
+    // Client ID for user-assigned managed identity
+    // When set, DefaultAzureCredential will target this specific managed identity
+    const auto cid = utils::getenv<std::string>("AZURE_CLIENT_ID", "");
+    if (!cid.empty()) {
+        LOG(DEBUG) << "Using AZURE_CLIENT_ID for managed identity: " << cid;
+        client_id = cid;
+    }
+
     unsigned nprocs = std::thread::hardware_concurrency();
     LOG(SPAM) << "Hardware concurrency detected: " << nprocs;
     unsigned default_max_concurrency = nprocs == 0 ? 8U : 1U;
diff --git a/cpp/azure/client_configuration/client_configuration.h b/cpp/azure/client_configuration/client_configuration.h
@@ -11,6 +11,8 @@ struct ClientConfiguration
     // Azure client configuration options
     std::optional<std::string> account_name;
     std::optional<std::string> account_key;
+    // Client ID for user-assigned managed identity
+    std::optional<std::string> client_id;
 #ifdef AZURITE_TESTING
     // Connection string is only available for Azurite/local testing
     std::optional<std::string> connection_string;
