configure lease service with MSI

advay26 · advay26 · commit 680149a14d00 · 2024-08-20T19:53:34.000-07:00
diff --git a/src/NuGet.Services.Validation.Orchestrator/Job.cs b/src/NuGet.Services.Validation.Orchestrator/Job.cs
@@ -10,6 +10,8 @@
 using System.Threading.Tasks;
 using Autofac;
 using Autofac.Core;
+using Azure.Core;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Microsoft.ApplicationInsights;
 using Microsoft.Extensions.Configuration;
@@ -384,11 +386,9 @@ private static void ConfigureLeaseService(ContainerBuilder builder)
                 .Register(c =>
                 {
                     LeaseConfiguration config = c.Resolve<IOptionsSnapshot<LeaseConfiguration>>().Value;
+                    StorageMsiConfiguration storageMsiConfiguration = c.Resolve<IOptionsSnapshot<StorageMsiConfiguration>>().Value;
 
-                    // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
-                    var connectionString = config.ConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
-
-                    BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
+                    BlobServiceClient blobServiceClient = CreateBlobServiceClient(storageMsiConfiguration, config.ConnectionString);
                     return new CloudBlobLeaseService(blobServiceClient, config.ContainerName, config.StoragePath);
                 })
                 .As<ILeaseService>();
@@ -605,5 +605,48 @@ private T GetRequiredService<T>()
         {
             return _serviceProvider.GetRequiredService<T>();
         }
+
+        private static BlobServiceClient CreateBlobServiceClient(
+            StorageMsiConfiguration msiConfiguration,
+            string storageConnectionString,
+            TimeSpan? requestTimeout = null)
+        {
+            BlobClientOptions blobClientOptions = new BlobClientOptions();
+            if (requestTimeout.HasValue)
+            {
+                blobClientOptions.Retry.NetworkTimeout = requestTimeout.Value;
+            }
+
+            if (msiConfiguration.UseManagedIdentity)
+            {
+                if (string.IsNullOrWhiteSpace(msiConfiguration.ManagedIdentityClientId))
+                {
+                    // Using MSI with DefaultAzureCredential (local debugging)
+                    var defaultAzureCredentialOptions = new DefaultAzureCredentialOptions
+                    {
+                        ManagedIdentityClientId = msiConfiguration.ManagedIdentityClientId,
+                    };
+                    var tokenCredential = new DefaultAzureCredential(defaultAzureCredentialOptions);
+
+                    return new BlobServiceClient(new Uri(storageConnectionString), tokenCredential, blobClientOptions);
+                }
+                else
+                {
+                    // Using MSI with ClientId
+                    var tokenCredential = new ManagedIdentityCredential(msiConfiguration.ManagedIdentityClientId);
+
+                    return new BlobServiceClient(new Uri(storageConnectionString), tokenCredential, blobClientOptions);
+                }
+            }
+            else
+            {
+                // Using SAS token
+
+                // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                var connectionString = storageConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
+
+                return new BlobServiceClient(connectionString, blobClientOptions);
+            }
+        }
     }
 }
