Skip to content

fix: Replace DefaultAzureCredential with ManagedIdentityCredential for production-safe authentication #1876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 1, 2025
Merged

fix: Replace DefaultAzureCredential with ManagedIdentityCredential for production-safe authentication #1876

merged 3 commits into from
Aug 1, 2025

Conversation

Prasanjeet-Microsoft
Copy link
Contributor

Purpose

This pull request introduces a significant refactor to replace the use of DefaultAzureCredential with a new utility function, get_azure_credential, which selects the appropriate Azure credential based on the application environment (dev or prod). Additionally, a new environment variable APP_ENV has been added to .env.sample to support this functionality. Below are the key changes grouped by theme:

Credential Management Refactor:

  • Introduced get_azure_credential in azure_credential_utils.py, which dynamically selects between DefaultAzureCredential and ManagedIdentityCredential based on the APP_ENV variable.
  • Updated all instances of DefaultAzureCredential across multiple files to use get_azure_credential, ensuring consistent credential management. For example:

Environment Variable Addition:

  • Added APP_ENV to .env.sample to specify the application environment (e.g., dev or prod). This variable is used to determine the credential type in get_azure_credential.

Bug Fix:

  • Corrected a typo in env_helper.py by changing SEMENTIC_KERNEL_SYSTEM_PROMPT to SEMANTIC_KERNEL_SYSTEM_PROMPT.

Documentation and Comments:

  • Updated comments and docstrings across the codebase to reflect the use of get_azure_credential instead of DefaultAzureCredential. For example, in env_helper.py.

This refactor improves the flexibility and security of credential management by dynamically adapting to different environments, while maintaining backward compatibility for existing functionality.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

What to Check

Verify that the following are valid:

  • All usages of DefaultAzureCredential replaced
  • Authentication logic tested locally or in a dev environment
  • Regression tested (i.e., existing functionality relying on authentication continues to work)
  • Confirmed no hardcoded secrets or fallback dev credentials remain

@Prajwal-Microsoft Prajwal-Microsoft self-requested a review August 1, 2025 14:11
@Prajwal-Microsoft Prajwal-Microsoft added this pull request to the merge queue Aug 1, 2025
Merged via the queue into main with commit 6eafdfa Aug 1, 2025
14 checks passed
@Prajwal-Microsoft Prajwal-Microsoft deleted the sfi-cred-change branch August 12, 2025 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Prajwal-Microsoft Prajwal-Microsoft Prajwal-Microsoft approved these changes

@Vinay-Microsoft Vinay-Microsoft Vinay-Microsoft approved these changes

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Prasanjeet-Microsoft @Prajwal-Microsoft @Vinay-Microsoft