Merge pull request #18323 from ogulcanaydogan/fix/16634-azure-system-managed-identity

discovery/azure: fix system managed identity when client_id is empty
2026-05-28 04:02:21 -04:00 · 2026-03-20 09:54:17 +01:00 · 2026-03-20 09:54:17 +01:00 · 166d20151c
commit 166d20151c
parent 776a71749a 7bbff490a3
2 changed files with 26 additions and 1 deletions
--- a/discovery/azure/azure.go
+++ b/discovery/azure/azure.go
@ -298,7 +298,10 @@ func newCredential(cfg SDConfig, policyClientOptions policy.ClientOptions) (azco
 		}
 		credential = azcore.TokenCredential(workloadIdentityCredential)
 	case authMethodManagedIdentity:
-		options := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: policyClientOptions, ID: azidentity.ClientID(cfg.ClientID)}
+		options := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: policyClientOptions}
+		if cfg.ClientID != "" {
+			options.ID = azidentity.ClientID(cfg.ClientID)
+		}
 		managedIdentityCredential, err := azidentity.NewManagedIdentityCredential(options)
 		if err != nil {
 			return nil, err
--- a/discovery/azure/azure_test.go
+++ b/discovery/azure/azure_test.go
@ -24,6 +24,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	azfake "github.com/Azure/azure-sdk-for-go/sdk/azcore/fake"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
 	fake "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5/fake"
@ -490,6 +491,27 @@ func TestNewAzureResourceFromID(t *testing.T) {
 	}
 }

+func TestNewCredentialManagedIdentity(t *testing.T) {
+	// Test that system-assigned managed identity (empty ClientID) creates
+	// a valid credential. Previously, an empty ClientID was passed as
+	// azidentity.ClientID("") which is not nil and caused Azure SDK to
+	// look up a non-existent user-assigned identity instead of falling
+	// back to system-assigned identity.
+	cfg := SDConfig{
+		AuthenticationMethod: authMethodManagedIdentity,
+		ClientID:             "",
+	}
+	cred, err := newCredential(cfg, policy.ClientOptions{})
+	require.NoError(t, err)
+	require.NotNil(t, cred)
+
+	// Test that user-assigned managed identity (non-empty ClientID) also works.
+	cfg.ClientID = "00000000-0000-0000-0000-000000000000"
+	cred, err = newCredential(cfg, policy.ClientOptions{})
+	require.NoError(t, err)
+	require.NotNil(t, cred)
+}
+
 func TestAzureRefresh(t *testing.T) {
 	tests := []struct {
 		scenario       string