Description
With the change "Default AZURE_TOKEN_CREDENTIALS env var when running in Azure" (dotnet/aspire#11832), we are changing the default behavior of DefaultAzureCredential when deploying to Azure Container Apps and Azure App Service so that it only uses a ManagedIdentityCredential.
This change does a couple of things:
- Forces DefaultAzureCredential to behave in a deterministic manner (only ManagedIdentityCredential will be used). If this env var isn't set this way, EnvironmentCredential and WorkloadIdentityCredential will be attempted before ManagedIdentityCredential.
- Optimizes the underlying ManagedIdentityCredential for resilience (see "DAC - attempt retries and disable probe when ManagedIdentityCredential is selected in Env", Azure/azure-sdk-for-net#52545).
Version
13.0
Previous behavior
Previously, DefaultAzureCredential would use the full chain of identities by default, including using EnvironmentCredential and WorkloadIdentityCredential before ManagedIdentityCredential.
New behavior
Now, when deployed to Azure Container Apps or Azure App Service, DefaultAzureCredential will only use ManagedIdentityCredential.
Type of breaking change
- Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
- Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
- Behavioral change: Existing binaries might behave differently at run time.
Reason for change
This change enforces Azure SDK best practices. See https://learn.microsoft.com/dotnet/azure/sdk/authentication/best-practices?tabs=aspdotnet#use-deterministic-credentials-in-production-environments
Recommended action
If you were relying on EnvironmentCredential or WorkloadIdentityCredential in your application, you can choose one of the following to revert to old behavior.
- Don't use DefaultAzureCredential in your application, and instead explicitly use EnvironmentCredential or WorkloadIdentityCredential in production.
- Implement a PublishAsAzureContainerApp callback and remove the environment variable from the bicep:

```csharp
builder.AddProject<Projects.Frontend>("frontend")
    .PublishAsAzureContainerApp((infra, app) =>
    {
        // remove the AZURE_TOKEN_CREDENTIALS env var from the first container of the app template
        var containerAppContainer = app.Template.Containers[0].Value!;
        // Single() throws if the variable is not present, which makes a silent no-op impossible
        var azureTokenCredentialEnv = containerAppContainer.Env.Single(v => v.Value!.Name.Value == "AZURE_TOKEN_CREDENTIALS");
        containerAppContainer.Env.Remove(azureTokenCredentialEnv);
    });
```

Affected APIs
- AddAzureContainerAppEnvironment
- AddAzureAppServiceEnvironment
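For the first recommended action above, an added example (not code from this issue or from the Aspire codebase) of selecting one explicit Azure.Identity credential in production instead of relying on the DefaultAzureCredential chain. The `AzureCredentialFactory` class and the `Azure:Credential` and `Azure:ManagedIdentityClientId` configuration keys are assumptions for illustration, not Aspire or Azure SDK APIs.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Hypothetical helper: production gets exactly one credential type, chosen by configuration,
// so authentication no longer depends on which link of the DefaultAzureCredential chain
// (or on the AZURE_TOKEN_CREDENTIALS value Aspire now injects) happens to succeed first.
public static class AzureCredentialFactory
{
    public static TokenCredential Create(IHostEnvironment env, IConfiguration config)
    {
        if (!env.IsProduction())
        {
            // Local development keeps the convenience chain (Azure CLI, Visual Studio, ...).
            return new DefaultAzureCredential();
        }

        // "Azure:Credential" is an assumed configuration key, set per deployment.
        var selected = config["Azure:Credential"];
        return selected switch
        {
            // Uses AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE (workload identity).
            "WorkloadIdentity" => new WorkloadIdentityCredential(),
            // Uses AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET (or certificate) variables.
            "Environment" => new EnvironmentCredential(),
            // Container Apps / App Service managed identity; a client id selects a user-assigned identity.
            "ManagedIdentity" => string.IsNullOrEmpty(config["Azure:ManagedIdentityClientId"])
                ? new ManagedIdentityCredential()
                : new ManagedIdentityCredential(config["Azure:ManagedIdentityClientId"]),
            // Fail fast rather than silently authenticating as a different identity than intended.
            _ => throw new InvalidOperationException(
                $"Azure:Credential must name an explicit credential in production; got '{selected ?? "(unset)"}'."),
        };
    }

    // Register the credential once so the rest of the app injects TokenCredential
    // instead of constructing DefaultAzureCredential in each service.
    public static IServiceCollection AddDeterministicAzureCredential(this IServiceCollection services) =>
        services.AddSingleton<TokenCredential>(sp =>
            Create(sp.GetRequiredService<IHostEnvironment>(), sp.GetRequiredService<IConfiguration>()));
}
```

Call `builder.Services.AddDeterministicAzureCredential()` in the service project; the env var Aspire injects then has no effect because DefaultAzureCredential is never constructed in production.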