Azure - create a custom chained token credential to place the AzureCLICredential prior to the ManagedIdentityCredential (#1009)

Author: lszomoru

src/auth.ts

@@ -0,0 +1,24 @@
+import { AzureCliCredential, AzureDeveloperCliCredential, AzurePowerShellCredential, ChainedTokenCredential, EnvironmentCredential, ManagedIdentityCredential } from "@azure/identity";
+
+function createChainedTokenCredential(): ChainedTokenCredential {
+	return new ChainedTokenCredential(
+		new EnvironmentCredential(),
+		new AzureCliCredential(),
+		new ManagedIdentityCredential({ clientId: process.env.AZURE_CLIENT_ID }),
+		new AzurePowerShellCredential({ tenantId: process.env.AZURE_TENANT_ID }),
+		new AzureDeveloperCliCredential({ tenantId: process.env.AZURE_TENANT_ID })
+	);
+}
+
+export async function getAzureCredentialAccessToken(): Promise<string> {
+	try {
+		const credential = createChainedTokenCredential()
+		const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default', {
+			tenantId: process.env.AZURE_TENANT_ID
+		});
+
+		return token.token;
+	} catch (error) {
+		throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
+	}
+}

src/publish.ts

@@ -5,14 +5,15 @@ import { ExtensionQueryFlags, PublishedExtension } from 'azure-devops-node-api/i
 import { pack, readManifest, versionBump, prepublish, signPackage, createSignatureArchive } from './package';
 import * as tmp from 'tmp';
 import { IVerifyPatOptions, getPublisher } from './store';
-import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest, getAzureCredentialAccessToken } from './util';
+import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest } from './util';
 import { Manifest } from './manifest';
 import { readVSIXPackage } from './zip';
 import { validatePublisher } from './validation';
 import { GalleryApi } from 'azure-devops-node-api/GalleryApi';
 import FormData from 'form-data';
 import { basename } from 'path';
 import { IterableBackoff, handleWhen, retry } from 'cockatiel';
+import { getAzureCredentialAccessToken } from './auth';
 
 const tmpName = promisify(tmp.tmpName);
 

src/util.ts

@@ -7,7 +7,6 @@ import { PublicGalleryAPI } from './publicgalleryapi';
 import { ISecurityRolesApi } from 'azure-devops-node-api/SecurityRolesApi';
 import { Manifest } from './manifest';
 import { EOL } from 'os';
-import { DefaultAzureCredential } from '@azure/identity';
 
 const __read = promisify<_read.Options, string>(_read);
 export function read(prompt: string, options: _read.Options = {}): Promise<string> {
@@ -51,16 +50,6 @@ export function getPublicGalleryAPI() {
 	return new PublicGalleryAPI(marketplaceUrl, '3.0-preview.1');
 }
 
-export async function getAzureCredentialAccessToken(): Promise<string> {
-	try {
-		const credential = new DefaultAzureCredential();
-		const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default');
-		return token.token;
-	} catch (error) {
-		throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
-	}
-}
-
 export function normalize(path: string): string {
 	return path.replace(/\\/g, '/');
 }