Testing create-bee failures

broadinstitute · Jun 5, 2024 · 6fb9698 · 6fb9698
1 parent 72b1bf7
commit 6fb9698
Showing 1 changed file with 20 additions and 3 deletions.
diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/CrlService.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/CrlService.scala
@@ -4,9 +4,10 @@ import bio.terra.cloudres.azure.resourcemanager.common.Defaults
 import bio.terra.cloudres.common.ClientConfig
 import bio.terra.cloudres.common.cleanup.CleanupConfig
 import cats.effect.IO
+import com.azure.core.credential.TokenCredential
 import com.azure.core.management.AzureEnvironment
 import com.azure.core.management.profile.AzureProfile
-import com.azure.identity.{ClientSecretCredential, ClientSecretCredentialBuilder}
+import com.azure.identity.{ChainedTokenCredentialBuilder, ClientSecretCredentialBuilder, ManagedIdentityCredentialBuilder}
 import com.azure.resourcemanager.managedapplications.ApplicationManager
 import com.azure.resourcemanager.msi.MsiManager
 import com.azure.resourcemanager.resources.ResourceManager
@@ -59,13 +60,29 @@ class CrlService(config: AzureServicesConfig, janitorConfig: JanitorConfig) {
 
   def getManagedAppPlans: Seq[ManagedAppPlan] = config.managedAppPlans
 
-  private def getCredentialAndProfile(tenantId: TenantId, subscriptionId: SubscriptionId): (ClientSecretCredential, AzureProfile) = {
-    val credential = new ClientSecretCredentialBuilder()
+  private def getCredentialAndProfile(tenantId: TenantId, subscriptionId: SubscriptionId): (TokenCredential, AzureProfile) = {
+
+    //temp change to test how create-bee-workflow handles failure on MI auth and fall through to SP auth
+    val managedIdentityCredential = new ManagedIdentityCredentialBuilder()
+      .clientId("00000000-0000-0000-0000-000000000000")
+      .build
+
+    val servicePrincipalCredential = new ClientSecretCredentialBuilder()
       .clientId(config.managedAppClientId)
       .clientSecret(config.managedAppClientSecret)
       .tenantId(config.managedAppTenantId)
       .build
 
+    // When an access token is requested, the chain will try each
+    // credential in order, stopping when one provides a token
+    //
+    // For Managed Identity auth, SAM must be deployed to an Azure service
+    // other platforms will fall through to Service Principal auth
+    val credential = new ChainedTokenCredentialBuilder()
+      .addLast(managedIdentityCredential)
+      .addLast(servicePrincipalCredential)
+      .build
+
     val profile = new AzureProfile(tenantId.value, subscriptionId.value, AzureEnvironment.AZURE)
 
     (credential, profile)