Azure/azure-sdk-for-python

Add support for AZURE_CLIENT_SEND_CERTIFICATE_CHAIN

nagworld9 opened this issue · 2 comments

Is your feature request related to a problem? Please describe.

Today we use DefaultAzureCredential via env vars for a service principal with a secret. As part of a security sprint, due to limitations of the MSI option, we are going with an app with a cert, but when the cert is rotated, the app needs to be updated with the new cert. This is no good, so we are configuring the app with SN+I, so that any cert created with the same SN+I will work for authentication. But we can't use this option with DefaultAzureCredential via env vars. We can define the three variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_CERTIFICATE_PATH in the env, but there is no way to tell it to authenticate with SN+I, so DefaultAzureCredential with certificate credential authentication does not work. It looks like callers need to call a different function for this option, and callers need to maintain all the logic to call different functions. As DefaultAzureCredential already has most of that abstraction, I feel adding AZURE_CLIENT_SEND_CERTIFICATE_CHAIN or something like that to the env variables would be a complete solution in the certificate credential authentication space, and the .NET SDK already supports this: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet

This is blocking the security sprint work item, as we want to get rid of secrets for the app.

Describe the solution you'd like

Support for reading the AZURE_CLIENT_SEND_CERTIFICATE_CHAIN value from env vars.

Describe alternatives you've considered

Additional context
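The workaround the issue alludes to (callers building the certificate credential themselves) can still be wrapped so that the application keeps a single, environment-driven entry point. The following is an added example, not code from the azure-identity package or from the issue author: it reads the three variables named above plus a hypothetical AZURE_CLIENT_SEND_CERTIFICATE_CHAIN variable (the name mirrors the .NET EnvironmentCredential; the truthy spellings accepted are an assumption), builds a CertificateCredential with send_certificate_chain=True for SN+I, and chains it in front of DefaultAzureCredential so everything else behaves as before. The sample environment at the bottom is constructed and does not refer to a real tenant or app.

```python
"""Environment-driven SN+I certificate credential for azure-identity (Python).

Added example, not azure-identity's own code. Python's EnvironmentCredential
does not read AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, so this module reads it
itself and passes send_certificate_chain to CertificateCredential.
"""
import os
from typing import Mapping, Optional

# Variable name mirrors the .NET EnvironmentCredential (assumption that the
# Python SDK would use the same name if it added support).
SEND_CHAIN_VAR = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN"
_TRUE_VALUES = {"1", "true", "yes"}  # assumption: accepted truthy spellings


def certificate_kwargs_from_env(env: Mapping[str, str]) -> Optional[dict]:
    """Return CertificateCredential kwargs if env describes a cert login, else None.

    All three of AZURE_TENANT_ID, AZURE_CLIENT_ID and
    AZURE_CLIENT_CERTIFICATE_PATH must be present and non-empty; the password
    and the send-chain flag are optional.
    """
    tenant = env.get("AZURE_TENANT_ID", "").strip()
    client = env.get("AZURE_CLIENT_ID", "").strip()
    cert_path = env.get("AZURE_CLIENT_CERTIFICATE_PATH", "").strip()
    if not (tenant and client and cert_path):
        return None
    kwargs = {
        "tenant_id": tenant,
        "client_id": client,
        "certificate_path": cert_path,
        # True puts the x5c header in the client assertion, which Entra needs
        # to match the certificate by subject name + issuer instead of thumbprint.
        "send_certificate_chain": env.get(SEND_CHAIN_VAR, "").strip().lower()
        in _TRUE_VALUES,
    }
    password = env.get("AZURE_CLIENT_CERTIFICATE_PASSWORD")
    if password:
        kwargs["password"] = password
    return kwargs


def build_credential(env: Mapping[str, str] = os.environ):
    """Build a credential: SN+I certificate first, then the usual default chain.

    azure.identity is imported lazily so the decision logic above can be
    exercised without the SDK installed (pip install azure-identity).
    """
    from azure.identity import (
        CertificateCredential,
        ChainedTokenCredential,
        DefaultAzureCredential,
    )

    kwargs = certificate_kwargs_from_env(env)
    if kwargs is None:
        # No certificate configuration: behave exactly like before.
        return DefaultAzureCredential()
    cert_cred = CertificateCredential(**kwargs)
    # Exclude EnvironmentCredential from the fallback so the same certificate
    # is not retried without the chain; managed identity, CLI, etc. remain.
    fallback = DefaultAzureCredential(exclude_environment_credential=True)
    return ChainedTokenCredential(cert_cred, fallback)


if __name__ == "__main__":
    # Constructed sample environment; the IDs and path are placeholders.
    sample_env = {
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
        "AZURE_CLIENT_CERTIFICATE_PATH": "/etc/app/sp-cert.pem",
        SEND_CHAIN_VAR: "true",
    }
    print(certificate_kwargs_from_env(sample_env))
```

One caveat worth keeping in mind when switching to SN+I: because Entra then accepts any certificate with the configured subject and issuer, the issuing CA's issuance policy becomes part of the application's security boundary, so restrict which CAs can issue that subject name just as carefully as you would guard a client secret.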

Thank you for your feedback. Tagging and routing to the team member best able to assist.

Thanks for the feedback, @nagworld9.

@xiangyan99, looks like there is a gap in some of the Identity SDKs regarding support for this environment variable, as it seems just Go and .NET support it. Were there any blockers to supporting this before?