secret storage in azure (#4384)

2026-01-03 11:45:05 -08:00
parent 14411a1376
commit 0d1c88f5df
1 changed files with 18 additions and 7 deletions
--- a/skyvern/forge/forge_app.py
+++ b/skyvern/forge/forge_app.py
@@ -196,20 +196,31 @@ def create_forge_app() -> ForgeApp:

    app.AZURE_CLIENT_FACTORY = RealAzureClientFactory()
    app.BITWARDEN_CREDENTIAL_VAULT_SERVICE = BitwardenCredentialVaultService()
-    app.AZURE_CREDENTIAL_VAULT_SERVICE = (
-        AzureCredentialVaultService(
-            app.AZURE_CLIENT_FACTORY.create_from_client_secret(
+
+    # Azure Credential Vault Service
+    # If running a workload on Azure and using workload identity (the common case for AKS or Azure VMs),
+    # use DefaultAzureCredential when a client secret is not provided.
+    # If explicit credentials are configured use ClientSecretCredential instead.
+    if settings.AZURE_CREDENTIAL_VAULT:
+        if settings.AZURE_CLIENT_SECRET:
+            # Explicit client secret authentication
+            azure_vault_client = app.AZURE_CLIENT_FACTORY.create_from_client_secret(
                AzureClientSecretCredential(
                    tenant_id=settings.AZURE_TENANT_ID,  # type: ignore
                    client_id=settings.AZURE_CLIENT_ID,  # type: ignore
                    client_secret=settings.AZURE_CLIENT_SECRET,  # type: ignore
                )
-            ),
+            )
+        else:
+            # Workload Identity / DefaultAzureCredential
+            azure_vault_client = app.AZURE_CLIENT_FACTORY.create_default()
+
+        app.AZURE_CREDENTIAL_VAULT_SERVICE = AzureCredentialVaultService(
+            azure_vault_client,
            vault_name=settings.AZURE_CREDENTIAL_VAULT,  # type: ignore[arg-type]
        )
-        if settings.AZURE_CREDENTIAL_VAULT
-        else None
-    )
+    else:
+        app.AZURE_CREDENTIAL_VAULT_SERVICE = None
    app.CUSTOM_CREDENTIAL_VAULT_SERVICE = (
        CustomCredentialVaultService(
            CustomCredentialAPIClient(