[Azure] Add service principal and DefaultAzureCredential support

[zpoint]

Summary

• Add is_non_cli_credential() and get_credential() to sky/adaptors/azure.py — hybrid credential factory that preserves the existing CLI fast path while adding DefaultAzureCredential for SP/cert/workload identity/managed identity
• Update sky/clouds/azure.py to skip CLI-specific checks (token cache file, az --version) when SP env vars are detected, return empty file mounts, and use client ID as identity
• Update assign_storage_account_iam_role() to handle service principals (looks up SP object ID via Graph API, uses principalType: ServicePrincipal)

How it works

Auth Mode	Local (provisioning)	Remote VM
az login (existing)	AzureCliCredential(timeout=30) fast path	~/.azure/ files mounted
SP env vars (new)	DefaultAzureCredential → EnvironmentCredential	No files mounted, VM uses MSI
Managed Identity	N/A	DefaultAzureCredential → ManagedIdentityCredential

Test plan

• 14 new unit tests in tests/unit_tests/test_azure_utils.py covering all credential paths
• pytest tests/unit_tests/test_azure_utils.py — 23 tests pass
• format.sh — pylint 10.00/10, mypy clean

Manual verification

# SP auth
export AZURE_CLIENT_ID="..." AZURE_CLIENT_SECRET="..." AZURE_TENANT_ID="..." AZURE_SUBSCRIPTION_ID="..."
sky check  # Should show Azure enabled

# CLI auth (backward compat)
unset AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID
sky check  # Should still work via az login

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances Azure authentication capabilities by integrating Service Principal and DefaultAzureCredential support. The changes enable users to authenticate with Azure using a wider range of methods, making the system more adaptable for automated environments and various identity management strategies, while maintaining backward compatibility with existing Azure CLI setups.

Highlights

• Azure Authentication Flexibility: Introduced support for Azure Service Principals and DefaultAzureCredential, allowing for more flexible authentication methods beyond just the Azure CLI. This enables integration with various identity types like client secrets, certificates, workload identity, and managed identity.
• Hybrid Credential Management: Implemented a hybrid credential factory in sky/adaptors/azure.py that prioritizes the existing Azure CLI fast path (using AzureCliCredential with a timeout workaround) while falling back to DefaultAzureCredential for other authentication scenarios.
• Enhanced Azure Cloud Integration: Updated sky/clouds/azure.py to conditionally skip CLI-specific checks when Service Principal environment variables are detected. It also adjusts credential file mounts and user identity retrieval to align with the chosen authentication method.
• Service Principal IAM Role Assignment: Modified the assign_storage_account_iam_role() function to correctly handle Service Principals by looking up their object ID via the Graph API and using principalType: ServicePrincipal for role assignments.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for Azure Service Principal and DefaultAzureCredential, which is a valuable enhancement for non-interactive authentication. The implementation across sky/adaptors/azure.py and sky/clouds/azure.py is solid, and the addition of extensive unit tests is commendable. I have identified a couple of areas for improvement: a minor code duplication in sky/adaptors/azure.py that could be refactored, and a couple of unit tests in tests/unit_tests/test_azure_utils.py that don't correctly test the intended functionality. My detailed comments and suggestions are provided below.

[gemini-code-assist]

This test doesn't seem to be testing the azure.get_credential() function. It directly calls identity.AzureCliCredential() and then asserts that the mock was called, which is a tautology. The test should call azure.get_credential() to verify its behavior.

        mock_identity = mock.MagicMock()
        with mock.patch.dict('sys.modules', {'azure.identity': mock_identity}):
            azure.get_credential()
            mock_identity.AzureCliCredential.assert_called_with(
                process_timeout=30)

[zpoint]

Fixed. The tests now call azure.get_credential() instead of directly calling the mock. See updated test_cli_fast_path.

[gemini-code-assist]

Similar to test_cli_fast_path, this test doesn't call the function under test, azure.get_credential(). It directly calls identity.DefaultAzureCredential() and asserts the mock was called. To correctly test the logic in azure.get_credential(), you should call it within the test.

        mock_identity = mock.MagicMock()
        with mock.patch.dict('sys.modules', {'azure.identity': mock_identity}):
            azure.get_credential()
            mock_identity.DefaultAzureCredential.assert_called_with(
                exclude_cli_credential=True, exclude_powershell_credential=True)

[zpoint]

Fixed. Same as above — test_non_cli_default_credential now calls azure.get_credential() instead of directly calling the mock.

[gemini-code-assist]

The logic for getting or creating an asyncio event loop is duplicated in both the if and else blocks (lines 419-423 and 453-457). To improve code clarity and reduce redundancy, you could move this logic to before the if is_non_cli_credential(): condition.

[zpoint]

Fixed. Hoisted the event loop creation and graph_client = get_client('graph') above the if is_non_cli_credential(): branch to remove duplication.

[zpoint]

The PR comment says the server account has higher priority than the CLI, but in the code it seems to be reversed?

[zpoint]

Good catch. Fixed — reversed the priority so that service principal (via is_non_cli_credential() / AZURE_CLIENT_ID env var) takes priority over CLI credentials. This is consistent with how AWS and GCP work: env-var-based service account credentials always take priority over personal CLI credentials.

[zpoint]

Do we need to use async here? The question is: we only use FastAPI to serve the Sky server, and this part doesn't seem to be part of the endpoint, so is blocking a concern here? We should follow the project's code pattern rather than reuse existing code if the existing code doesn't follow it.

[zpoint]

The async usage here is forced by the msgraph SDK — graph_client.service_principals.get() and graph_client.users.with_url(...).get() return coroutines, so we need loop.run_until_complete() to call them from sync code. The existing else branch (user identity path, pre-existing code) already uses the same async pattern for the same reason. Unfortunately the msgraph SDK doesn't offer a sync API alternative.