Don't log the token credential until it's used. (#8995)

davidfowl · web-flow · commit b0e50268ac6e · 2025-04-28T08:27:37.000-07:00
diff --git a/src/Aspire.Hosting.Azure/Provisioning/Provisioners/AzureProvisioner.cs b/src/Aspire.Hosting.Azure/Provisioning/Provisioners/AzureProvisioner.cs
@@ -219,7 +219,7 @@ private async Task ProvisionAzureResources(
         var userSecretsLazy = new Lazy<Task<JsonObject>>(() => GetUserSecretsAsync(userSecretsPath, cancellationToken));
 
         // Make resources wait on the same provisioning context
-        var provisioningContextLazy = new Lazy<Task<ProvisioningContext>>(() => GetProvisioningContextAsync(tokenCredentialHolder.Credential, userSecretsLazy, cancellationToken));
+        var provisioningContextLazy = new Lazy<Task<ProvisioningContext>>(() => GetProvisioningContextAsync(tokenCredentialHolder, userSecretsLazy, cancellationToken));
 
         var tasks = new List<Task>();
 
@@ -366,10 +366,14 @@ async Task PublishConnectionStringAvailableEventAsync()
         }
     }
 
-    private async Task<ProvisioningContext> GetProvisioningContextAsync(TokenCredential credential, Lazy<Task<JsonObject>> userSecretsLazy, CancellationToken cancellationToken)
+    private async Task<ProvisioningContext> GetProvisioningContextAsync(TokenCredentialHolder holder, Lazy<Task<JsonObject>> userSecretsLazy, CancellationToken cancellationToken)
     {
         var subscriptionId = _options.SubscriptionId ?? throw new MissingConfigurationException("An Azure subscription id is required. Set the Azure:SubscriptionId configuration value.");
 
+        var credential = holder.Credential;
+
+        holder.LogCredentialType();
+
         var armClient = new ArmClient(credential, subscriptionId);
 
         logger.LogInformation("Getting default subscription...");
diff --git a/src/Aspire.Hosting.Azure/Provisioning/Provisioners/TokenCredentialHolder.cs b/src/Aspire.Hosting.Azure/Provisioning/Provisioners/TokenCredentialHolder.cs
@@ -10,8 +10,12 @@ namespace Aspire.Hosting.Azure.Provisioning;
 
 internal class TokenCredentialHolder
 {
+    private readonly ILogger<TokenCredentialHolder> _logger;
+
     public TokenCredentialHolder(ILogger<TokenCredentialHolder> logger, IOptions<AzureProvisionerOptions> options)
     {
+        _logger = logger;
+
         // Optionally configured in AppHost appSettings under "Azure" : { "CredentialSource": "AzureCli" }
         var credentialSetting = options.Value.CredentialSource;
 
@@ -32,19 +36,22 @@ public TokenCredentialHolder(ILogger<TokenCredentialHolder> logger, IOptions<Azu
             })
         };
 
-        if (credential.GetType() == typeof(DefaultAzureCredential))
+        Credential = credential;
+    }
+
+    public TokenCredential Credential { get; }
+
+    internal void LogCredentialType()
+    {
+        if (Credential.GetType() == typeof(DefaultAzureCredential))
         {
-            logger.LogInformation(
+            _logger.LogInformation(
                 "Using DefaultAzureCredential for provisioning. This may not work in all environments. " +
                 "See https://aka.ms/azsdk/net/identity/credential-chains#defaultazurecredential-overview for more information.");
         }
         else
         {
-            logger.LogInformation("Using {credentialType} for provisioning.", credential.GetType().Name);
+            _logger.LogInformation("Using {credentialType} for provisioning.", Credential.GetType().Name);
         }
-
-        Credential = credential;
     }
-
-    public TokenCredential Credential { get; }
 }

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ private async Task ProvisionAzureResources(`
`219`	`219`	`var userSecretsLazy = new Lazy<Task<JsonObject>>(() => GetUserSecretsAsync(userSecretsPath, cancellationToken));`
`220`	`220`
`221`	`221`	`// Make resources wait on the same provisioning context`
`222`		`- var provisioningContextLazy = new Lazy<Task<ProvisioningContext>>(() => GetProvisioningContextAsync(tokenCredentialHolder.Credential, userSecretsLazy, cancellationToken));`
	`222`	`+ var provisioningContextLazy = new Lazy<Task<ProvisioningContext>>(() => GetProvisioningContextAsync(tokenCredentialHolder, userSecretsLazy, cancellationToken));`
`223`	`223`
`224`	`224`	`var tasks = new List<Task>();`
`225`	`225`
`@@ -366,10 +366,14 @@ async Task PublishConnectionStringAvailableEventAsync()`
`366`	`366`	`}`
`367`	`367`	`}`
`368`	`368`
`369`		`- private async Task<ProvisioningContext> GetProvisioningContextAsync(TokenCredential credential, Lazy<Task<JsonObject>> userSecretsLazy, CancellationToken cancellationToken)`
	`369`	`+ private async Task<ProvisioningContext> GetProvisioningContextAsync(TokenCredentialHolder holder, Lazy<Task<JsonObject>> userSecretsLazy, CancellationToken cancellationToken)`
`370`	`370`	`{`
`371`	`371`	`var subscriptionId = _options.SubscriptionId ?? throw new MissingConfigurationException("An Azure subscription id is required. Set the Azure:SubscriptionId configuration value.");`
`372`	`372`
	`373`	`+ var credential = holder.Credential;`
	`374`	`+`
	`375`	`+ holder.LogCredentialType();`
	`376`	`+`
`373`	`377`	`var armClient = new ArmClient(credential, subscriptionId);`
`374`	`378`
`375`	`379`	`logger.LogInformation("Getting default subscription...");`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,12 @@ namespace Aspire.Hosting.Azure.Provisioning;`
`10`	`10`
`11`	`11`	`internal class TokenCredentialHolder`
`12`	`12`	`{`
	`13`	`+ private readonly ILogger<TokenCredentialHolder> _logger;`
	`14`	`+`
`13`	`15`	`public TokenCredentialHolder(ILogger<TokenCredentialHolder> logger, IOptions<AzureProvisionerOptions> options)`
`14`	`16`	`{`
	`17`	`+ _logger = logger;`
	`18`	`+`
`15`	`19`	`// Optionally configured in AppHost appSettings under "Azure" : { "CredentialSource": "AzureCli" }`
`16`	`20`	`var credentialSetting = options.Value.CredentialSource;`
`17`	`21`
`@@ -32,19 +36,22 @@ public TokenCredentialHolder(ILogger<TokenCredentialHolder> logger, IOptions<Azu`
`32`	`36`	`})`
`33`	`37`	`};`
`34`	`38`
`35`		`- if (credential.GetType() == typeof(DefaultAzureCredential))`
	`39`	`+ Credential = credential;`
	`40`	`+ }`
	`41`	`+`
	`42`	`+ public TokenCredential Credential { get; }`
	`43`	`+`
	`44`	`+ internal void LogCredentialType()`
	`45`	`+ {`
	`46`	`+ if (Credential.GetType() == typeof(DefaultAzureCredential))`
`36`	`47`	`{`
`37`		`- logger.LogInformation(`
	`48`	`+ _logger.LogInformation(`
`38`	`49`	`"Using DefaultAzureCredential for provisioning. This may not work in all environments. " +`
`39`	`50`	`"See https://aka.ms/azsdk/net/identity/credential-chains#defaultazurecredential-overview for more information.");`
`40`	`51`	`}`
`41`	`52`	`else`
`42`	`53`	`{`
`43`		`- logger.LogInformation("Using {credentialType} for provisioning.", credential.GetType().Name);`
	`54`	`+ _logger.LogInformation("Using {credentialType} for provisioning.", Credential.GetType().Name);`
`44`	`55`	`}`
`45`		`-`
`46`		`- Credential = credential;`
`47`	`56`	`}`
`48`		`-`
`49`		`- public TokenCredential Credential { get; }`
`50`	`57`	`}`