[Identity] update the DAC chain based on env var AZURE_TOKEN_CREDENTIALS (#34301)

KarishmaGhiya · web-flow · commit bd4b22fdaccc · 2025-05-14T14:11:03.000-07:00
diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
@@ -1,15 +1,10 @@
 # Release History
 
-## 4.9.2 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 4.9.2 (2025-05-14)
 
 ### Other Changes
 
+- Added support for the `AZURE_TOKEN_CREDENTIALS` environment variable to `DefaultAzureCredential`, which allows for choosing between 'deployed service' and 'developer tools' credentials. Valid values are 'dev' for developer tools and 'prod' for deployed service.
 - Added deprecation warnings for username password usage in `EnvironmentCredential` constructor to warn the users. `UsernamePassword` authentication doesn't support Multi-Factor Authentication (MFA), and MFA will enabled soon on all tenants.  For more details, see [Planning for mandatory MFA](https://aka.ms/mfaforazure).
 
 ## 4.9.1 (2025-04-17)
diff --git a/sdk/identity/identity/src/credentials/defaultAzureCredential.ts b/sdk/identity/identity/src/credentials/defaultAzureCredential.ts
@@ -233,17 +233,47 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
   constructor(options?: DefaultAzureCredentialOptions);
 
   constructor(options?: DefaultAzureCredentialOptions) {
-    const credentialFunctions = [
-      createEnvironmentCredential,
-      createDefaultWorkloadIdentityCredential,
-      createDefaultManagedIdentityCredential,
+    // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.
+    const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS
+      ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()
+      : undefined;
+    const devCredentialFunctions = [
       createDefaultAzureCliCredential,
       createDefaultAzurePowershellCredential,
       createDefaultAzureDeveloperCliCredential,
     ];
+    const prodCredentialFunctions = [
+      createEnvironmentCredential,
+      createDefaultWorkloadIdentityCredential,
+      createDefaultManagedIdentityCredential,
+    ];
+    let credentialFunctions = [];
+    // If AZURE_TOKEN_CREDENTIALS is set, use it to determine which credentials to use.
+    // The value of AZURE_TOKEN_CREDENTIALS should be either "dev" or "prod".
+    if (azureTokenCredentials) {
+      switch (azureTokenCredentials) {
+        case "dev":
+          // If AZURE_TOKEN_CREDENTIALS is set to "dev", use the developer tool-based credential chain.
+          credentialFunctions = devCredentialFunctions;
+          break;
+        case "prod":
+          // If AZURE_TOKEN_CREDENTIALS is set to "prod", use the production credential chain.
+          credentialFunctions = prodCredentialFunctions;
+          break;
+        default: {
+          // If AZURE_TOKEN_CREDENTIALS is set to an unsupported value, throw an error.
+          // We will throw an error here to prevent the creation of the DefaultAzureCredential.
+          const errorMessage = `Invalid value for AZURE_TOKEN_CREDENTIALS = ${process.env.AZURE_TOKEN_CREDENTIALS}. Valid values are 'prod' or 'dev'.`;
+          logger.warning(errorMessage);
+          throw new Error(errorMessage);
+        }
+      }
+    } else {
+      // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.
+      credentialFunctions = [...prodCredentialFunctions, ...devCredentialFunctions];
+    }
 
-    // DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
-
+    // Errors from individual credentials should not be thrown in the DefaultAzureCredential constructor, instead throwing on getToken() which is handled by ChainedTokenCredential.
     // When adding new credentials to the default chain, consider:
     // 1. Making the constructor parameters required and explicit
     // 2. Validating any required parameters in the factory function
diff --git a/sdk/identity/identity/test/internal/node/defaultAzureCredential.spec.ts b/sdk/identity/identity/test/internal/node/defaultAzureCredential.spec.ts
@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { DefaultAzureCredential } from "../../../src/index.js";
+import { describe, it, expect, vi, afterEach } from "vitest";
+
+describe("DefaultAzureCredential", () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("should create a DefaultAzureCredential instance", () => {
+    const credential = new DefaultAzureCredential();
+    expect(credential).toBeInstanceOf(DefaultAzureCredential);
+  });
+  it("should throw an error if AZURE_TOKEN_CREDENTIALS is set to an unsupported value", () => {
+    process.env.AZURE_TOKEN_CREDENTIALS = "randomValue";
+    expect(() => new DefaultAzureCredential()).toThrowError(
+      "Invalid value for AZURE_TOKEN_CREDENTIALS = randomValue. Valid values are 'prod' or 'dev'.",
+    );
+  });
+  it("should not throw an error if AZURE_TOKEN_CREDENTIALS is set to a supported value", () => {
+    process.env.AZURE_TOKEN_CREDENTIALS = "prod";
+    expect(() => new DefaultAzureCredential()).not.toThrowError();
+    process.env.AZURE_TOKEN_CREDENTIALS = "dev";
+    expect(() => new DefaultAzureCredential()).not.toThrowError();
+  });
+});
