Merge pull request #678 from solliancenet/cj-fix-aks-managed-identity…

…-auth Fix AKS managed identity auth
solliancenet · Feb 27, 2024 · 5bb59c0 · 5bb59c0
2 parents 6a0aa7b + 34a80c1
commit 5bb59c0
Show file tree

Hide file tree

Showing 20 changed files with 57 additions and 38 deletions.
diff --git a/src/dotnet/AgentFactoryAPI/Program.cs b/src/dotnet/AgentFactoryAPI/Program.cs
@@ -51,7 +51,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_AgentFactory);
@@ -61,6 +61,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             // Add the OpenTelemetry telemetry service and send telemetry data to Azure Monitor.
             builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>

diff --git a/src/dotnet/Common/Authentication/DefaultAuthentication.cs b/src/dotnet/Common/Authentication/DefaultAuthentication.cs
@@ -1,5 +1,6 @@
 using Azure.Core;
 using Azure.Identity;
+using FoundationaLLM.Common.Constants;
 
 namespace FoundationaLLM.Common.Authentication
 {
@@ -9,21 +10,16 @@ namespace FoundationaLLM.Common.Authentication
     public static class DefaultAuthentication
     {
         /// <summary>
-        /// The default Azure credential to use for authentication.
+        /// Indicates whether the environment we run in is production or not.
         /// </summary>
-        public static TokenCredential GetAzureCredential(bool development = false) => new DefaultAzureCredential(new DefaultAzureCredentialOptions
-        {
-            ExcludeAzureDeveloperCliCredential = true,
-            ExcludeAzurePowerShellCredential = true,
-            ExcludeEnvironmentCredential = true,
-            ExcludeInteractiveBrowserCredential = true,
-            ExcludeSharedTokenCacheCredential = true,
-            ExcludeVisualStudioCodeCredential = true,
-            ExcludeVisualStudioCredential = true,
-            ExcludeWorkloadIdentityCredential = true,
+        public static bool Production {  get; set; }
 
-            ExcludeAzureCliCredential = !development,
-            ExcludeManagedIdentityCredential = development
-        });
+        /// <summary>
+        /// The default Azure credential to use for authentication.
+        /// </summary>
+        public static TokenCredential GetAzureCredential() =>
+            Production
+            ? new ManagedIdentityCredential(Environment.GetEnvironmentVariable(EnvironmentVariables.AzureClientId))
+            : new AzureCliCredential();
     }
 }
diff --git a/src/dotnet/Common/Constants/EnvironmentVariables.cs b/src/dotnet/Common/Constants/EnvironmentVariables.cs
@@ -11,6 +11,11 @@ namespace FoundationaLLM.Common.Constants
     /// </summary>
     public static class EnvironmentVariables
     {
+        /// <summary>
+        /// The client id of the user assigned managed identity.
+        /// </summary>
+        public const string AzureClientId = "AZURE_CLIENT_ID";
+
         /// <summary>
         /// The Azure Container App or Azure Kubernetes Service hostname.
         /// </summary>

diff --git a/src/dotnet/Common/Services/Azure/AzureResourceManagerService.cs b/src/dotnet/Common/Services/Azure/AzureResourceManagerService.cs
@@ -17,14 +17,11 @@ namespace FoundationaLLM.Common.Services.Azure
     /// <summary>
     /// Provides services to interact with the Azure Resource Manager (ARM) infrastructure.
     /// </summary>
-    /// <param name="environment">The <see cref="IHostEnvironment"/> providing details about the environment.</param>
     /// <param name="logger">The logger used for logging.</param>
     public class AzureResourceManagerService(
-        IHostEnvironment environment,
         ILogger<AzureResourceManagerService> logger) : IAzureResourceManagerService
     {
-        private readonly ArmClient _armClient = new(DefaultAuthentication.GetAzureCredential(
-            environment.IsDevelopment()));
+        private readonly ArmClient _armClient = new(DefaultAuthentication.GetAzureCredential());
         private readonly ILogger<AzureResourceManagerService> _logger = logger;
 
         /// <inheritdoc/>

diff --git a/src/dotnet/Common/Services/Events/AzureEventGridEventService.cs b/src/dotnet/Common/Services/Events/AzureEventGridEventService.cs
@@ -1,6 +1,7 @@
 using Azure;
 using Azure.Identity;
 using Azure.Messaging.EventGrid.Namespaces;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Constants;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
@@ -331,7 +332,7 @@ private void ValidateAPIKey(string? value)
             try
             {
                 ValidateEndpoint(_settings.Endpoint);
-                client = new EventGridClient(new Uri(_settings.Endpoint!), new DefaultAzureCredential());
+                client = new EventGridClient(new Uri(_settings.Endpoint!), DefaultAuthentication.GetAzureCredential());
             }
             catch (Exception ex)
             {

diff --git a/src/dotnet/Common/Services/Storage/BlobStorageService.cs b/src/dotnet/Common/Services/Storage/BlobStorageService.cs
@@ -4,6 +4,7 @@
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Azure.Storage.Blobs.Specialized;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Extensions;
 using FoundationaLLM.Common.Interfaces;
@@ -169,6 +170,6 @@ protected override void CreateClientFromConnectionString(string connectionString
         protected override void CreateClientFromIdentity(string accountName) =>
             _blobServiceClient = new BlobServiceClient(
                 new Uri($"https://{accountName}.dfs.core.windows.net"),
-                new DefaultAzureCredential());
+                DefaultAuthentication.GetAzureCredential());
     }
 }
diff --git a/src/dotnet/Common/Services/Storage/DataLakeStorageService.cs b/src/dotnet/Common/Services/Storage/DataLakeStorageService.cs
@@ -2,6 +2,7 @@
 using Azure.Identity;
 using Azure.Storage;
 using Azure.Storage.Files.DataLake;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.Configuration.Storage;
@@ -112,6 +113,6 @@ protected override void CreateClientFromConnectionString(string connectionString
         protected override void CreateClientFromIdentity(string accountName) =>
             _dataLakeClient = new DataLakeServiceClient(
                 new Uri($"https://{accountName}.dfs.core.windows.net"),
-                new DefaultAzureCredential());
+                DefaultAuthentication.GetAzureCredential());
     }
 }
diff --git a/src/dotnet/Configuration/Services/DependencyInjection.cs b/src/dotnet/Configuration/Services/DependencyInjection.cs
@@ -33,8 +33,7 @@ public static void AddConfigurationResourceProvider(this IHostApplicationBuilder
             {
                 var keyVaultUri = builder.Configuration[AppConfigurationKeys.FoundationaLLM_Configuration_KeyVaultURI];
                 clientBuilder.AddSecretClient(new Uri(keyVaultUri!))
-                    .WithCredential(DefaultAuthentication.GetAzureCredential(
-                        builder.Environment.IsDevelopment()));
+                    .WithCredential(DefaultAuthentication.GetAzureCredential());
                 clientBuilder.AddConfigurationClient(
                     builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
             });

diff --git a/src/dotnet/CoreAPI/Program.cs b/src/dotnet/CoreAPI/Program.cs
@@ -47,7 +47,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);
@@ -58,7 +58,9 @@ public static void Main(string[] args)
             });
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
-
+
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             var allowAllCorsOrigins = "AllowAllOrigins";
             builder.Services.AddCors(policyBuilder =>
             {

diff --git a/src/dotnet/CoreWorker/Program.cs b/src/dotnet/CoreWorker/Program.cs
@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Constants;
 using FoundationaLLM.Core.Interfaces;
 using FoundationaLLM.Core.Models.Configuration;
@@ -16,7 +17,7 @@
 
     options.ConfigureKeyVault(options =>
     {
-        options.SetCredential(new DefaultAzureCredential());
+        options.SetCredential(DefaultAuthentication.GetAzureCredential());
     });
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_CoreWorker);
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);

diff --git a/src/dotnet/GatekeeperAPI/Program.cs b/src/dotnet/GatekeeperAPI/Program.cs
@@ -46,7 +46,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_Refinement);
@@ -55,6 +55,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             // Add the OpenTelemetry telemetry service and send telemetry data to Azure Monitor.
             builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>

diff --git a/src/dotnet/ManagementAPI/Program.cs b/src/dotnet/ManagementAPI/Program.cs
@@ -51,7 +51,7 @@ public static async Task Main(string[] args)
             builder.Configuration.AddAzureAppConfiguration(options =>
             {
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
-                options.ConfigureKeyVault(options => { options.SetCredential(new DefaultAzureCredential()); });
+                options.ConfigureKeyVault(options => { options.SetCredential(DefaultAuthentication.GetAzureCredential()); });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_Instance);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);
@@ -67,6 +67,8 @@ public static async Task Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add the Configuration resource provider
             builder.AddConfigurationResourceProvider();
 

diff --git a/src/dotnet/SemanticKernel/Services/AzureAISearchIndexingService.cs b/src/dotnet/SemanticKernel/Services/AzureAISearchIndexingService.cs
@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.TextEmbedding;
@@ -77,7 +78,7 @@ private AzureAISearchMemoryStore CreateMemoryStoreFromAPIKey(string endpoint, st
         /// <param name="endpoint">The endpoint of the Azure AI Search deployment.</param>
         /// <returns>The <see cref="Kernel"/> instance.</returns>
         private AzureAISearchMemoryStore CreateMemoryStoreFromIdentity(string endpoint) =>
-            new(endpoint, new DefaultAzureCredential());
+            new(endpoint, DefaultAuthentication.GetAzureCredential());
 
         private void ValidateEndpoint(string? value)
         {

diff --git a/src/dotnet/SemanticKernel/Services/SemanticKernelTextEmbeddingService.cs b/src/dotnet/SemanticKernel/Services/SemanticKernelTextEmbeddingService.cs
@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.TextEmbedding;
@@ -76,7 +77,7 @@ private Kernel CreateKernelFromAPIKey(string deploymentName, string endpoint, st
         private Kernel CreateKernelFromIdentity(string deploymentName, string endpoint)
         {
             var builder = Kernel.CreateBuilder();
-            builder.AddAzureOpenAITextEmbeddingGeneration(deploymentName, endpoint, new DefaultAzureCredential());
+            builder.AddAzureOpenAITextEmbeddingGeneration(deploymentName, endpoint, DefaultAuthentication.GetAzureCredential());
             return builder.Build();
         }
 

diff --git a/src/dotnet/SemanticKernelAPI/Program.cs b/src/dotnet/SemanticKernelAPI/Program.cs
@@ -38,7 +38,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_DurableSystemPrompt);
@@ -53,6 +53,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             //builder.Services.AddApplicationInsightsTelemetry();
             builder.Services.AddAuthorization();

diff --git a/src/dotnet/Vectorization/Services/ContentSources/ContentSourceServiceFactory.cs b/src/dotnet/Vectorization/Services/ContentSources/ContentSourceServiceFactory.cs
@@ -8,6 +8,7 @@
 using FoundationaLLM.Vectorization.Models.Resources;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 
 namespace FoundationaLLM.Vectorization.Services.ContentSources

diff --git a/src/dotnet/Vectorization/Services/ContentSources/SharePointOnlineContentSourceService.cs b/src/dotnet/Vectorization/Services/ContentSources/SharePointOnlineContentSourceService.cs
@@ -13,6 +13,7 @@
 using System;
 using PnP.Core.Model.SharePoint;
 using FoundationaLLM.Common.Models.TextEmbedding;
+using FoundationaLLM.Common.Authentication;
 
 namespace FoundationaLLM.Vectorization.Services.ContentSources
 {
@@ -90,11 +91,11 @@ private async Task<X509Certificate2> GetCertificate()
         {
             ValidateSettings();
 
-            var certificateClient = new CertificateClient(new Uri(_settings.KeyVaultURL!), new DefaultAzureCredential());
+            var certificateClient = new CertificateClient(new Uri(_settings.KeyVaultURL!), DefaultAuthentication.GetAzureCredential());
             var certificateWithPolicy = await certificateClient.GetCertificateAsync(_settings.CertificateName);
             var certificateIdentifier = new KeyVaultSecretIdentifier(certificateWithPolicy.Value.SecretId);
 
-            var secretClient = new SecretClient(new Uri(_settings.KeyVaultURL!), new DefaultAzureCredential());
+            var secretClient = new SecretClient(new Uri(_settings.KeyVaultURL!), DefaultAuthentication.GetAzureCredential());
             var secret = await secretClient.GetSecretAsync(certificateIdentifier.Name, certificateIdentifier.Version);
             var secretBytes = Convert.FromBase64String(secret.Value.Value);
 

diff --git a/src/dotnet/VectorizationAPI/Program.cs b/src/dotnet/VectorizationAPI/Program.cs
@@ -33,8 +33,7 @@
     options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
     options.ConfigureKeyVault(options =>
     {
-        options.SetCredential(DefaultAuthentication.GetAzureCredential(
-            builder.Environment.IsDevelopment()));
+        options.SetCredential(DefaultAuthentication.GetAzureCredential());
     });
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_Instance);
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_Vectorization);
@@ -45,6 +44,8 @@
 if (builder.Environment.IsDevelopment())
     builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+DefaultAuthentication.Production = builder.Environment.IsProduction();
+
 // Add the Configuration resource provider
 builder.AddConfigurationResourceProvider();
 

diff --git a/src/dotnet/VectorizationWorker/Program.cs b/src/dotnet/VectorizationWorker/Program.cs
@@ -34,7 +34,7 @@
     options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
     options.ConfigureKeyVault(options =>
     {
-        options.SetCredential(new DefaultAzureCredential());
+        options.SetCredential(DefaultAuthentication.GetAzureCredential());
     });
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_Instance);
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_Vectorization);
@@ -46,6 +46,8 @@
 if (builder.Environment.IsDevelopment())
     builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+DefaultAuthentication.Production = builder.Environment.IsProduction();
+
 // Add the Configuration resource provider
 builder.AddConfigurationResourceProvider();
 

diff --git a/tests/dotnet/SemanticKernel.Tests/Services/AzureAISearchIndexingServiceTests.cs b/tests/dotnet/SemanticKernel.Tests/Services/AzureAISearchIndexingServiceTests.cs
@@ -9,6 +9,7 @@
 using Azure.Search.Documents.Indexes.Models;
 using SemanticKernel.Tests.Models;
 using FoundationaLLM.Common.Models.TextEmbedding;
+using FoundationaLLM.Common.Authentication;
 
 namespace FoundationaLLM.SemanticKernel.Tests.Services
 {
@@ -23,7 +24,7 @@ public AzureAISearchIndexingServiceTests()
             var endpoint = Environment.GetEnvironmentVariable("AzureAISearchIndexingServiceTestsSearchEndpoint") ?? "";
             _searchIndexClient = new SearchIndexClient(
                 new Uri(endpoint),
-                new DefaultAzureCredential()
+                DefaultAuthentication.GetAzureCredential()
             );
             _indexingService = new AzureAISearchIndexingService(
                 Options.Create(