Add workload tenant id support (Azure#30862)

xiangyan99 · web-flow · commit 1f2d81081d7a · 2023-06-26T07:20:07.000-07:00
* Add workload tenant id support

* update
diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/default.py b/sdk/identity/azure-identity/azure/identity/_credentials/default.py
@@ -72,6 +72,8 @@ class DefaultAzureCredential(ChainedTokenCredential):
         of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.
     :keyword str workload_identity_client_id: The client ID of an identity assigned to the pod. Defaults to the value
         of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.
+    :keyword str workload_identity_tenant_id: Preferred tenant for :class:`~azure.identity.WorkloadIdentityCredential`.
+        Defaults to the value of environment variable AZURE_TENANT_ID, if any.
     :keyword str interactive_browser_client_id: The client ID to be used in interactive browser credential. If not
         specified, users will authenticate to an Azure development application.
     :keyword str shared_cache_username: Preferred username for :class:`~azure.identity.SharedTokenCacheCredential`.
@@ -95,7 +97,7 @@ class DefaultAzureCredential(ChainedTokenCredential):
             :caption: Create a DefaultAzureCredential.
     """
 
-    def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statements
+    def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statements, too-many-locals
         if "tenant_id" in kwargs:
             raise TypeError("'tenant_id' is not supported in DefaultAzureCredential.")
 
@@ -122,6 +124,9 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
         workload_identity_client_id = kwargs.pop(
             "workload_identity_client_id", managed_identity_client_id
         )
+        workload_identity_tenant_id = kwargs.pop(
+            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)
+        )
         interactive_browser_client_id = kwargs.pop("interactive_browser_client_id", None)
 
         shared_cache_username = kwargs.pop("shared_cache_username", os.environ.get(EnvironmentVariables.AZURE_USERNAME))
@@ -149,7 +154,7 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
                 client_id = workload_identity_client_id
                 credentials.append(WorkloadIdentityCredential(
                     client_id=cast(str, client_id),
-                    tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],
+                    tenant_id=workload_identity_tenant_id,
                     file=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],
                     **kwargs))
         if not exclude_managed_identity_credential:
diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/default.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/default.py
@@ -66,6 +66,8 @@ class DefaultAzureCredential(ChainedTokenCredential):
         of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.
     :keyword str workload_identity_client_id: The client ID of an identity assigned to the pod. Defaults to the value
         of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.
+    :keyword str workload_identity_tenant_id: Preferred tenant for :class:`~azure.identity.WorkloadIdentityCredential`.
+        Defaults to the value of environment variable AZURE_TENANT_ID, if any.
     :keyword str shared_cache_username: Preferred username for :class:`~azure.identity.aio.SharedTokenCacheCredential`.
         Defaults to the value of environment variable AZURE_USERNAME, if any.
     :keyword str shared_cache_tenant_id: Preferred tenant for :class:`~azure.identity.aio.SharedTokenCacheCredential`.
@@ -115,6 +117,9 @@ def __init__(self, **kwargs: Any) -> None:
         workload_identity_client_id = kwargs.pop(
             "workload_identity_client_id", managed_identity_client_id
         )
+        workload_identity_tenant_id = kwargs.pop(
+            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)
+        )
 
         vscode_tenant_id = kwargs.pop(
             "visual_studio_code_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)
@@ -139,7 +144,7 @@ def __init__(self, **kwargs: Any) -> None:
                 client_id = workload_identity_client_id
                 credentials.append(WorkloadIdentityCredential(
                     client_id=cast(str, client_id),
-                    tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],
+                    tenant_id=workload_identity_tenant_id,
                     file=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],
                     **kwargs))
         if not exclude_managed_identity_credential:
diff --git a/sdk/search/azure-search-documents/CHANGELOG.md b/sdk/search/azure-search-documents/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added `workload_identity_tenant_id` support in `DefaultAzureCredential`.
+
 ### Breaking Changes
 
 ### Bugs Fixed
