[Feature Request] IMDS Source Detection Logic Improvement

[Robbie-Microsoft]

MSAL client type

Managed identity

Problem statement

Current functionality

GetManagedIdentitySourceAsync will check for and return managed identity sources in the following order:

1. non-Imds sources (via env vars)
2. ImdsV2 (via probe)
   Note: Presence of ImdsV2 implies ImdsV1 also exists in the environment.
   (ImdsV2 will never exist without ImdsV1, but ImdsV1 can exist without ImdsV2 in some production environments.)
3. return DefaultToImds
   Azure SDK will then probe ImdsV1 to see if it's available.

Proposed functionality

1. non-Imds sources (via env vars)
2. ImdsV2 (via probe)
3. ImdsV1 (via probe)
4. return None

Detailed Work Items

• Change business logic to probe ImdsV1, before returning None if probe returns 400
• Change business logic to deprecate DefaultToImds

Proposed solution

No response

Alternatives

No response

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Feature Request] MSAL supports Managed Identity #3754

Powered by issue-sentinel

[christothes]

Change business logic to probe ImdsV1, before returning None if probe returns 404

This should be - ... before returning None if probe returns 400 (when sending the probe request without the Metadata header.

[Robbie-Microsoft]

@christothes We'll be adding a mandatory cancellation token param to the public API - used in the IMDS v1 and v2 probes.

GetManagedIdentitySourceAsync(CancellationToken cancellationToken)