From 8fed6341b4f70ff18ee26e4e54c0cfe11283172d Mon Sep 17 00:00:00 2001
From: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Date: Tue, 6 Feb 2024 23:46:05 +0000
Subject: [PATCH] Azure auth: do not use CLI provider by default when running in a cloud service

This seems to be causing some issues for customers, and in a cloud service the CLI credentials would not work anyways.

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
---
 common/authentication/azure/auth.go | 43 +++++++++++++++--------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/common/authentication/azure/auth.go b/common/authentication/azure/auth.go
index 13ac55e6df..98418dc14f 100644
--- a/common/authentication/azure/auth.go
+++ b/common/authentication/azure/auth.go
@@ -143,27 +143,8 @@ func (s EnvironmentSettings) addManagedIdentityProvider(timeout time.Duration, c
 	c := s.GetMSI()
 	msiCred, err := c.GetTokenCredential()
-	useTimeout := true
-	if _, ok := os.LookupEnv(identityEndpoint); ok {
-		// App Service, Functions, Service Fabric and Container Apps
-		useTimeout = false
-	} else {
-		if _, ok := os.LookupEnv(arcIMDSEndpoint); ok {
-			// Azure Arc
-			useTimeout = false
-		} else {
-			if _, ok := os.LookupEnv(msiEndpoint); ok {
-				// Cloud Shell
-				useTimeout = false
-			} else if isVirtualMachineWithManagedIdentity() {
-				// Azure VM with MSI enabled
-				useTimeout = false
-			}
-		}
-	}
-
 	// We need to use a timeout for MSI on environments where it is not available because the request for the default IMDS endpoint can hang for several minutes.
-	if useTimeout {
+	if !(isCloudServiceWithManagedIdentity() || isVirtualMachineWithManagedIdentity()) {
 		msiCred = &timeoutWrapper{cred: msiCred, authmethod: "managed identity", timeout: timeout}
 	}
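Review bot: The order of the two calls in the new `if !(isCloudServiceWithManagedIdentity() || isVirtualMachineWithManagedIdentity())` condition is load-bearing and deserves a comment: the first only reads environment variables, while the second — per its doc comment elsewhere in this patch — decides by probing the IMDS endpoint, so the short-circuit `||` is what keeps that network probe off cloud services. A one-liner above the condition such as `// Env-var check first: it is free and short-circuits the IMDS network probe in isVirtualMachineWithManagedIdentity` would stop a future reorder from reintroducing the probe. The `err` returned by `c.GetTokenCredential()` is not handled within the hunk; addManagedIdentityProvider continues past the hunk's last line.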
@@ -235,7 +216,10 @@ func (s EnvironmentSettings) GetTokenCredential() (azcore.TokenCredential, error
 		s.addManagedIdentityProvider(1*time.Second, &creds, &errs)
 		// 5. AzureCLICredential
-		s.addCLIProvider(30*time.Second, &creds, &errs)
+		// We omit this if running in a cloud environment
+		if !isCloudServiceWithManagedIdentity() {
+			s.addCLIProvider(30*time.Second, &creds, &errs)
+		}
 	} else {
 		authMethodIdentifiers := getAzureAuthMethods()
 		authMethods := strings.Split(strings.ToLower(strings.TrimSpace(authMethods)), ",")
@@ -499,6 +483,23 @@ func (s EnvironmentSettings) GetEnvironment(key string) (val string, ok bool) {
 	return metadata.GetMetadataProperty(s.Metadata, MetadataKeys[key]...)
 }
+// Returns true if the application is running on a cloud service with Managed Identity, including: Azure App Service, Azure Functions, Azure Service Fabric, Azure Container Apps, Azure Arc, Azure Cloud Shell.
+func isCloudServiceWithManagedIdentity() bool {
+	switch {
+	case os.Getenv(identityEndpoint) != "":
+		// Azure App Service, Azure Functions, Azure Service Fabric and Azure Container Apps
+		return true
+	case os.Getenv(arcIMDSEndpoint) != "":
+		// Azure Arc
+		return true
+	case os.Getenv(msiEndpoint) != "":
+		// Azure Cloud Shell
+		return true
+	default:
+		return false
+	}
+}
+
+// isVirtualMachineWithManagedIdentity returns true if the code is running on a virtual machine with managed identity enabled.
 // This is indicated by the standard IMDS endpoint being reachable.
 func isVirtualMachineWithManagedIdentity() bool {
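Review bot: The added comment `// We omit this if running in a cloud environment` is vaguer than the gate beneath it: the CLI fallback is skipped only for services detected through environment variables, and not for Azure VMs, even though the managed-identity hunk in this same patch treats `isVirtualMachineWithManagedIdentity()` as an equally valid cloud signal. If the asymmetry is intended (a VM may well have an `az login` session, whereas App Service, Functions, Container Apps, Arc and Cloud Shell do not), say so, e.g. `// Skip the CLI fallback on managed cloud services, where no az login session exists and probing for one only adds a 30s timeout window; Azure VMs are deliberately not excluded.` The `// 5. AzureCLICredential` step marker also now labels a provider that is only conditionally registered, which is worth reflecting in that comment. GetTokenCredential starts before the hunk and its `else` branch continues past it.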
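Review bot: The new `isCloudServiceWithManagedIdentity` tightens the detection from presence (`os.LookupEnv`, in the removed code) to non-empty (`os.Getenv(...) != ""`), so an endpoint variable that is set but empty no longer counts as a cloud service; that is sensible, but neither the commit message nor the doc comment mentions it, and the doc comment also does not start with the function name as Go convention — and this very patch, for the sibling `isVirtualMachineWithManagedIdentity` — expects. Suggested header: `// isCloudServiceWithManagedIdentity reports whether a managed-identity endpoint is advertised through the identityEndpoint, arcIMDSEndpoint or msiEndpoint environment variables (App Service, Functions, Service Fabric, Container Apps, Arc, Cloud Shell); a variable that is set but empty does not count. It performs no network I/O.` Since all three arms return true, the switch could also collapse to `return os.Getenv(identityEndpoint) != "" || os.Getenv(arcIMDSEndpoint) != "" || os.Getenv(msiEndpoint) != ""`, keeping the per-service attribution as a comment above it. Note that, like the code it replaces, this trusts the process environment: a stray endpoint variable inherited from an image or shell silently drops both the CLI fallback and the IMDS timeout wrapper.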