The Problem
When using the Azure Identity NuGet package, DefaultAzureCredential attempts to load a range of credential types such as Environment Variables, Visual Studio, Azure Managed Identity and more. The full list is documented on Microsoft Learn
Determining which credentials are being used can be tricky unless you manually enable logging. When doing this, the Microsoft recommended approach will give you a very verbose output. To simplify the output, insert the below snippet into your applications startup.
⚠️ Security note: enabling
IsAccountIdentifierLoggingEnabledmay
include sensitive account information in your logs. Only use this during
debugging and ensure these logs are not persisted or exposed.
The Solution
using var listener = new AzureEventSourceListener((e, message) =>
{
if (e.EventSource.Name == "Azure-Identity")
{
Console.WriteLine(message);
// Alternatively, use _logger.LogInformation() if running in Azure
// WARNING: These logs may include sensitive credentials
// depending on the options selected below
}
},
System.Diagnostics.Tracing.EventLevel.LogAlways);
var options = new DefaultAzureCredentialOptions
{
Diagnostics =
{
IsAccountIdentifierLoggingEnabled = true,
// Useful extra options for debugging
// These act as a Whitelist of fields to log. By
//LoggedHeaderNames = { "x-ms-request-id" },
//LoggedQueryParameters = { "api-version" },
// This enables logging the request or response body
//IsLoggingContentEnabled = true
}
};
var credential = new DefaultAzureCredential(options);
AzureEventSourceListener will create a verbose logger. Adding that filter will remove a lot of noise.
Sample Output
You should get an output similar to this:
EnvironmentCredential.GetToken invoked
EnvironmentCredential.GetToken was unable to retrieve an access token
...
VisualStudioCredential.GetToken succeeded
This output makes it straightforward to identify exactly which credential type was successful (or unsuccessful).
Top comments (0)