adding option to specify client_id for MSI

sdk/identity/src/token_credentials/default_credentials.rs

@@ -58,7 +58,7 @@ impl DefaultAzureCredentialBuilder {
         }
         if self.include_managed_identity_credential {
             sources.push(DefaultAzureCredentialEnum::ManagedIdentity(
-                ImdsManagedIdentityCredential {},
+                ImdsManagedIdentityCredential::default(),
             ))
         }
         if self.include_cli_credential {
@@ -142,7 +142,9 @@ impl Default for DefaultAzureCredential {
         DefaultAzureCredential {
             sources: vec![
                 DefaultAzureCredentialEnum::Environment(EnvironmentCredential::default()),
-                DefaultAzureCredentialEnum::ManagedIdentity(ImdsManagedIdentityCredential {}),
+                DefaultAzureCredentialEnum::ManagedIdentity(
+                    ImdsManagedIdentityCredential::default(),
+                ),
                 DefaultAzureCredentialEnum::AzureCli(AzureCliCredential {}),
             ],
         }

sdk/identity/src/token_credentials/imds_managed_identity_credentials.rs

@@ -18,7 +18,27 @@ const MSI_API_VERSION: &str = "2019-08-01";
 /// This authentication type works in Azure VMs, App Service and Azure Functions applications, as well as the Azure Cloud Shell
 ///
 /// Built up from docs at [https://docs.microsoft.com/azure/app-service/overview-managed-identity#using-the-rest-protocol](https://docs.microsoft.com/azure/app-service/overview-managed-identity#using-the-rest-protocol)
-pub struct ImdsManagedIdentityCredential;
+#[derive(Default)]
+pub struct ImdsManagedIdentityCredential {
+    object_id: Option<String>,
+    client_id: Option<String>,
+    mi_res_id: Option<String>,
+}
+
+impl ImdsManagedIdentityCredential {
+    /// Create a new ImdsManagedIdentityCredential with the given optional parameters. Only one of object_id, client_id and mi_res_id may be set.
+    pub fn new(
+        object_id: Option<String>,
+        client_id: Option<String>,
+        mi_res_id: Option<String>,
+    ) -> Self {
+        Self {
+            object_id,
+            client_id,
+            mi_res_id,
+        }
+    }
+}
 
 #[allow(missing_docs)]
 #[non_exhaustive]
@@ -39,6 +59,8 @@ pub enum ManagedIdentityCredentialError {
     IdentityUnavailableError,
     #[error("The request failed due to a gateway error.")]
     GatewayError,
+    #[error("Only one of object_id, client_id, and mi_res_id may be specified on a request to get a token.")]
+    MoreThanOneIdParameterSpecified,
 }
 
 #[async_trait::async_trait]
@@ -49,7 +71,20 @@ impl TokenCredential for ImdsManagedIdentityCredential {
         let msi_endpoint = std::env::var(MSI_ENDPOINT_ENV_KEY)
             .unwrap_or_else(|_| "http://169.254.169.254/metadata/identity/oauth2/token".to_owned());
 
-        let query_items = vec![("api-version", MSI_API_VERSION), ("resource", resource)];
+        let mut query_items = vec![("api-version", MSI_API_VERSION), ("resource", resource)];
+
+        match (
+            self.object_id.as_ref(),
+            self.client_id.as_ref(),
+            self.mi_res_id.as_ref(),
+        ) {
+            (Some(object_id), None, None) => query_items.push(("object_id", object_id)),
+            (None, Some(client_id), None) => query_items.push(("client_id", client_id)),
+            (None, None, Some(mi_res_id)) => query_items.push(("mi_res_id", mi_res_id)),
+            _ => {
+                return Err(ManagedIdentityCredentialError::MoreThanOneIdParameterSpecified);
+            }
+        }
 
         let msi_endpoint_url = Url::parse_with_params(&msi_endpoint, &query_items)
             .map_err(ManagedIdentityCredentialError::MsiEndpointParseUrlError)?;