Azure · gouthamMN · Jan 3, 2025 · Jan 3, 2025 · Jan 6, 2025 · stevekuznetsov
@@ -48,6 +48,7 @@ var (
 	errInvalidRequest = errors.New("invalid request")
 	errNilMSI         = errors.New("expected non-nil user-assigned managed identity")
 	errNumberOfMSIs   = errors.New("returned MSIs does not match number of requested MSIs")
+	errGetNestedCreds = errors.New("failed to get nested credentials object")
 )
 
 // TODO - Add parameter to specify module name in azcore.NewClient()
@@ -73,7 +74,7 @@ func NewClient(cloud string, authenticator policy.Policy, clientOpts *policy.Cli
 	return &ManagedIdentityClient{swaggerClient: swaggerClient, cloud: cloud}, nil
 }
 
-func (c *ManagedIdentityClient) GetUserAssignedIdentities(ctx context.Context, request UserAssignedMSIRequest) (*UserAssignedIdentities, error) {
+func (c *ManagedIdentityClient) getUserAssignedIdentities(ctx context.Context, request UserAssignedMSIRequest) (*CredentialsObject, error) {
 	validate := validator.New(validator.WithRequiredStructEnabled())
 	validate.RegisterValidation(resourceIDsTag, validateResourceIDs)
 	if err := validate.Struct(request); err != nil {
@@ -107,7 +108,25 @@ func (c *ManagedIdentityClient) GetUserAssignedIdentities(ctx context.Context, r
 	}
 
 	credentialsObject := CredentialsObject{CredentialsObject: creds.CredentialsObject}
-	return NewUserAssignedIdentities(credentialsObject, c.cloud)
+	return NewCredentialsObjectUAIdentities(credentialsObject, c.cloud)
+}
+
+func (c *ManagedIdentityClient) GetCredentialsObjectUserAssignedIdentities(ctx context.Context, request UserAssignedMSIRequest) (*CredentialsObject, error) {
+	return c.getUserAssignedIdentities(ctx, request)
+}
+
+func (c *ManagedIdentityClient) GetNestedCredentialsObjectUserAssignedIdentities(ctx context.Context, request UserAssignedMSIRequest) (*NestedCredentialsObject, error) {
+	ua, err := c.getUserAssignedIdentities(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ua.CredentialsObject.ExplicitIdentities) == 0 ||
+		ua.CredentialsObject.ExplicitIdentities[0] == nil {
+		return nil, errGetNestedCreds
+	}
+
+	return NewNestedCredentialsObjectUAIdentities(*ua.CredentialsObject.ExplicitIdentities[0], c.cloud)
 }
 
 func validateResourceIDs(fl validator.FieldLevel) bool {

@@ -156,7 +156,7 @@ func TestGetUserAssignedIdentities(t *testing.T) {
 			tc.goMockCall(swaggerClient)
 
 			msiClient := &ManagedIdentityClient{swaggerClient: swaggerClient}
-			if _, err := msiClient.GetUserAssignedIdentities(context.Background(), tc.request); !errors.Is(err, tc.expectedErr) {
+			if _, err := msiClient.GetCredentialsObjectUserAssignedIdentities(context.Background(), tc.request); !errors.Is(err, tc.expectedErr) {
 				t.Errorf("expected error: `%s` but got: `%s`", tc.expectedErr, err)
 			}
 		})

@@ -27,19 +27,27 @@ var (
 // swagger.Credentials object can represent either system or user-assigned managed identity
 type CredentialsObject struct {
 	swagger.CredentialsObject
+	cloud string
 }
 
-type UserAssignedIdentities struct {
-	CredentialsObject
+// NestedCredentialsObject is a wrapper around the swagger.NestedCredentialsObject to add additional functionality
+// swagger.NestedCredentials object can represent only user-assigned managed identity
+type NestedCredentialsObject struct {
+	swagger.NestedCredentialsObject
 	cloud string
 }
 
-// Constructor for UserAssignedIdentities object
-func NewUserAssignedIdentities(c CredentialsObject, cloud string) (*UserAssignedIdentities, error) {
+// Constructor for Credentials Object UserAssignedIdentities
+func NewCredentialsObjectUAIdentities(c CredentialsObject, cloud string) (*CredentialsObject, error) {
 	if !c.IsUserAssigned() {
 		return nil, errNoUserAssignedMSIs
 	}
-	return &UserAssignedIdentities{CredentialsObject: c, cloud: cloud}, nil
+	return &CredentialsObject{CredentialsObject: c.CredentialsObject, cloud: cloud}, nil
+}
+
+// Constructor for Nested Credentials Object UserAssignedIdentities
+func NewNestedCredentialsObjectUAIdentities(c swagger.NestedCredentialsObject, cloud string) (*NestedCredentialsObject, error) {
+	return &NestedCredentialsObject{NestedCredentialsObject: c, cloud: cloud}, nil
 }
 
 // This method may be used by clients to check if they can use the object as a user-assigned managed identity
@@ -48,30 +56,52 @@ func (c CredentialsObject) IsUserAssigned() bool {
 	return len(c.ExplicitIdentities) > 0
 }
 
-// Get an AzIdentity credential for the given user-assigned identity resource ID
+// Get an AzIdentity credential for the given credential object user-assigned identity resource ID
 // Clients can use the credential to get a token for the user-assigned identity
-func (u UserAssignedIdentities) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) {
+func (c CredentialsObject) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) {
 	requestedARMResourceID, err := arm.ParseResourceID(requestedResourceID)
 	if err != nil {
 		return nil, fmt.Errorf("%w for requested resource ID %s: %w", errParseResourceID, requestedResourceID, err)
 	}
 	requestedResourceID = requestedARMResourceID.String()
 
-	for _, id := range u.ExplicitIdentities {
+	for _, id := range c.ExplicitIdentities {
 		if id != nil && id.ResourceID != nil {
 			idARMResourceID, err := arm.ParseResourceID(*id.ResourceID)
 			if err != nil {
 				return nil, fmt.Errorf("%w for identity resource ID %s: %w", errParseResourceID, *id.ResourceID, err)
 			}
 			if requestedResourceID == idARMResourceID.String() {
-				return getClientCertificateCredential(*id, u.cloud)
+				return getClientCertificateCredential(*id, c.cloud)
 			}
 		}
 	}
 
 	return nil, errResourceIDNotFound
 }
 
+// Get an AzIdentity credential for the given nested credential object user-assigned identity resource ID
+// Clients can use the credential to get a token for the user-assigned identity
+func (n NestedCredentialsObject) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) {
+	requestedARMResourceID, err := arm.ParseResourceID(requestedResourceID)
+	if err != nil {
+		return nil, fmt.Errorf("%w for requested resource ID %s: %w", errParseResourceID, requestedResourceID, err)
+	}
+	requestedResourceID = requestedARMResourceID.String()
+
+	if n.ResourceID != nil {
+		idARMResourceID, err := arm.ParseResourceID(*n.ResourceID)
+		if err != nil {
+			return nil, fmt.Errorf("%w for identity resource ID %s: %w", errParseResourceID, *n.ResourceID, err)
+		}
+		if requestedResourceID == idARMResourceID.String() {
+			return getClientCertificateCredential(n.NestedCredentialsObject, n.cloud)
+		}
+	}
+
+	return nil, errResourceIDNotFound
+}
+
 func getAzCoreCloud(cloud string) azcloud.Configuration {
 	switch cloud {
 	case AzureUSGovCloud:

@@ -85,7 +85,7 @@ func TestNewUserAssignedIdentities(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if _, err := NewUserAssignedIdentities(tc.c, test.Bogus); !errors.Is(err, tc.expectedErr) {
+			if _, err := NewCredentialsObjectUAIdentities(tc.c, test.Bogus); !errors.Is(err, tc.expectedErr) {
 				t.Errorf("expected error: `%s` but got: `%s`", tc.expectedErr, err)
 			}
 		})
@@ -101,39 +101,35 @@ func TestGetCredential(t *testing.T) {
 	validIdentity.AuthenticationEndpoint = test.StringPtr(test.ValidAuthenticationEndpoint)
 
 	testCases := []struct {
-		name         string
-		uaIdentities UserAssignedIdentities
-		resourceID   string
-		expectedErr  error
+		name              string
+		credentialsObject CredentialsObject
+		resourceID        string
+		expectedErr       error
 	}{
 		{
 			name: "empty resourceID",
-			uaIdentities: UserAssignedIdentities{
-				CredentialsObject: CredentialsObject{
-					CredentialsObject: swagger.CredentialsObject{
-						ExplicitIdentities: []*swagger.NestedCredentialsObject{
-							test.GetTestMSI(test.ValidResourceID),
-						},
+			credentialsObject: CredentialsObject{
+				CredentialsObject: swagger.CredentialsObject{
+					ExplicitIdentities: []*swagger.NestedCredentialsObject{
+						test.GetTestMSI(test.ValidResourceID),
 					},
 				},
 			},
 			resourceID:  "",
 			expectedErr: errParseResourceID,
 		},
 		{
-			name:         "no identities present",
-			uaIdentities: UserAssignedIdentities{},
-			resourceID:   test.ValidResourceID,
-			expectedErr:  errResourceIDNotFound,
+			name:              "no identities present",
+			credentialsObject: CredentialsObject{},
+			resourceID:        test.ValidResourceID,
+			expectedErr:       errResourceIDNotFound,
 		},
 		{
 			name: "invalid requested resourceID",
-			uaIdentities: UserAssignedIdentities{
-				CredentialsObject: CredentialsObject{
-					CredentialsObject: swagger.CredentialsObject{
-						ExplicitIdentities: []*swagger.NestedCredentialsObject{
-							test.GetTestMSI(test.ValidResourceID),
-						},
+			credentialsObject: CredentialsObject{
+				CredentialsObject: swagger.CredentialsObject{
+					ExplicitIdentities: []*swagger.NestedCredentialsObject{
+						test.GetTestMSI(test.ValidResourceID),
 					},
 				},
 			},
@@ -142,12 +138,10 @@ func TestGetCredential(t *testing.T) {
 		},
 		{
 			name: "invalid identity resourceID",
-			uaIdentities: UserAssignedIdentities{
-				CredentialsObject: CredentialsObject{
-					CredentialsObject: swagger.CredentialsObject{
-						ExplicitIdentities: []*swagger.NestedCredentialsObject{
-							test.GetTestMSI(test.Bogus),
-						},
+			credentialsObject: CredentialsObject{
+				CredentialsObject: swagger.CredentialsObject{
+					ExplicitIdentities: []*swagger.NestedCredentialsObject{
+						test.GetTestMSI(test.Bogus),
 					},
 				},
 			},
@@ -156,12 +150,10 @@ func TestGetCredential(t *testing.T) {
 		},
 		{
 			name: "invalid client secret",
-			uaIdentities: UserAssignedIdentities{
-				CredentialsObject: CredentialsObject{
-					CredentialsObject: swagger.CredentialsObject{
-						ExplicitIdentities: []*swagger.NestedCredentialsObject{
-							test.GetTestMSI(test.ValidResourceID),
-						},
+			credentialsObject: CredentialsObject{
+				CredentialsObject: swagger.CredentialsObject{
+					ExplicitIdentities: []*swagger.NestedCredentialsObject{
+						test.GetTestMSI(test.ValidResourceID),
 					},
 				},
 			},
@@ -170,12 +162,10 @@ func TestGetCredential(t *testing.T) {
 		},
 		{
 			name: "success",
-			uaIdentities: UserAssignedIdentities{
-				CredentialsObject: CredentialsObject{
-					CredentialsObject: swagger.CredentialsObject{
-						ExplicitIdentities: []*swagger.NestedCredentialsObject{
-							validIdentity,
-						},
+			credentialsObject: CredentialsObject{
+				CredentialsObject: swagger.CredentialsObject{
+					ExplicitIdentities: []*swagger.NestedCredentialsObject{
+						validIdentity,
 					},
 				},
 			},
@@ -188,7 +178,7 @@ func TestGetCredential(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if _, err := tc.uaIdentities.GetCredential(tc.resourceID); !errors.Is(err, tc.expectedErr) {
+			if _, err := tc.credentialsObject.GetCredential(tc.resourceID); !errors.Is(err, tc.expectedErr) {
 				t.Errorf("expected error: `%s` but got: `%s`", tc.expectedErr, err)
 			}
 		})

@@ -23,6 +23,7 @@ func TestNewStub(t *testing.T) {
 		swagger.CredentialsObject{
 			ExplicitIdentities: []*swagger.NestedCredentialsObject{uaMSI},
 		},
+		AzurePublicCloud,
 	}
 	testStub := NewStub([]*CredentialsObject{credObject})
 	if testStub == nil {
@@ -37,6 +38,7 @@ func TestDo(t *testing.T) {
 		swagger.CredentialsObject{
 			ExplicitIdentities: []*swagger.NestedCredentialsObject{uaMSI},
 		},
+		AzurePublicCloud,
 	}
 	credRequest := &swagger.CredRequestDefinition{
 		IdentityIDs: []*string{test.StringPtr(test.ValidResourceID)},
@@ -118,6 +120,7 @@ func TestPost(t *testing.T) {
 		swagger.CredentialsObject{
 			ExplicitIdentities: []*swagger.NestedCredentialsObject{uaMSI},
 		},
+		AzurePublicCloud,
 	}
 
 	testCases := []struct {
@@ -179,6 +182,7 @@ func TestStubWithClient(t *testing.T) {
 		swagger.CredentialsObject{
 			ExplicitIdentities: []*swagger.NestedCredentialsObject{uaMSI},
 		},
+		AzurePublicCloud,
 	}
 	testStub := NewStub([]*CredentialsObject{credObject})
 	clientOpts := &policy.ClientOptions{
@@ -193,7 +197,7 @@ func TestStubWithClient(t *testing.T) {
 		IdentityURL: test.ValidIdentityURL,
 		TenantID:    test.ValidTenantID,
 	}
-	identities, err := client.GetUserAssignedIdentities(context.Background(), request)
+	identities, err := client.GetCredentialsObjectUserAssignedIdentities(context.Background(), request)
 	if err != nil {
 		t.Fatalf("unable to get user assigned msi: %s", err)
 	}