Support Managed Identity in AzureStorageResource emulator #7047

Open
1 task done
lupusbytes opened this issue Jan 8, 2025 · 6 comments
Labels
area-integrations Issues pertaining to Aspire Integrations packages azure-storage Issues related to azure storage integration

Comments

@lupusbytes

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I am trying to use Aspire to start up my AspNetCore project and emulate all my Azure dependencies for local development.
My goal is to not mix any Aspire dependencies into my production code.
The AppHost project's sole responsibility should be to start all the emulators, replace environment variables for the AspNetCore API so that it will use the emulators, and finally start the API.

One issue I'm facing off the bat is that Aspire exposes Azurite endpoints without TLS, making Azure.Identity throw exceptions about using plain HTTP.

Azurite should support HTTPS according to the docs.
```shell
azurite --oauth basic --cert path/server.pem --key path/key.pem
```

My current workaround is to grab the connection string and set it as an environment variable from Aspire and then check if it's present in my production code to decide which TableClient constructor I should use.

Example:

Aspire AppHost

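```csharp
var builder = DistributedApplication.CreateBuilder(args);

// Run the storage resource as a local Azurite container.
var storage = builder
    .AddAzureStorage("storage")
    .RunAsEmulator(azurite =>
    {
        azurite.WithLifetime(ContainerLifetime.Persistent);
        azurite.WithDataVolume("datavol");
    });

var tables = storage.AddTables("tables");

// Hand the emulator's connection string to the API through configuration.
builder.AddProject<Projects.Api>("api")
    .WithReference(tables)
    .WaitFor(storage)
    .WithEnvironment("TableOptions__ConnectionString", tables);

builder.Build().Run();
```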

Api Project

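```csharp
using System;
using Azure.Data.Tables;
using Azure.Identity;

public class TableOptions
{
    public Uri TableEndpoint { get; set; }
    public string TableName { get; set; }
    public string ConnectionString { get; set; } // set only by the Aspire AppHost
}

// Containing class added so the method compiles; the name is illustrative.
public static class TableClientFactory
{
    public static TableClient Create(
        IServiceProvider serviceProvider,
        TableOptions options)
        // No connection string: token credential against the configured endpoint.
        // Connection string present: emulator path using the shared key.
        => string.IsNullOrEmpty(options.ConnectionString)
            ? new TableClient(
                options.TableEndpoint,
                options.TableName,
                new DefaultAzureCredential())
            : new TableClient(
                options.ConnectionString,
                options.TableName);
}
```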

Ideally I should use the same constructor and my production code should not support access keys.

Describe the solution you'd like

Add a method that reflects the Azurite parameter like

```csharp
var storage = builder
    .AddAzureStorage("storage")
    .RunAsEmulator(azurite =>
    {
        azurite.WithOauth();
    });
```

or perhaps if it's possible, and you think it's better, to make it work with the existing .WithHttpsEndpoint(...) extension method.

Additional context

No response
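While the connection-string fallback from the workaround above remains in the API, a startup check can confine it to local emulator use. This is an added example, not code from the issue or from Aspire: `TableOptionsGuard` is a hypothetical helper built on the issue's `TableOptions`, and it assumes the emulator connection string carries Azurite's default account name `devstoreaccount1` and a loopback `TableEndpoint`.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Hosting;

// Hypothetical helper (added example); call it once at startup before creating the TableClient.
public static class TableOptionsGuard
{
    // Assumption: the emulator uses Azurite's default account name.
    private const string EmulatorAccount = "devstoreaccount1";

    public static void Validate(TableOptions options, IHostEnvironment env)
    {
        if (string.IsNullOrEmpty(options.ConnectionString))
        {
            // Token-credential path: plain HTTP endpoints are rejected, as described in the issue.
            if (options.TableEndpoint is null || options.TableEndpoint.Scheme != Uri.UriSchemeHttps)
                throw new InvalidOperationException("TableEndpoint must be an https URI.");
            return;
        }

        // Shared-key path: only for local development against the emulator.
        if (!env.IsDevelopment())
            throw new InvalidOperationException("Connection strings are only accepted in Development.");

        var parts = Parse(options.ConnectionString);
        parts.TryGetValue("AccountName", out var account);
        parts.TryGetValue("TableEndpoint", out var endpoint);

        if (!string.Equals(account, EmulatorAccount, StringComparison.Ordinal))
            throw new InvalidOperationException("Connection string is not for the Azurite account.");
        if (!Uri.TryCreate(endpoint, UriKind.Absolute, out var uri) || !uri.IsLoopback)
            throw new InvalidOperationException("Connection string endpoint is not a loopback address.");
    }

    // Splits "Key=Value;Key=Value" at the first '=' so base64 padding in AccountKey survives.
    private static Dictionary<string, string> Parse(string connectionString)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var pair in connectionString.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var i = pair.IndexOf('=');
            if (i > 0) result[pair[..i].Trim()] = pair[(i + 1)..].Trim();
        }
        return result;
    }
}
```

A `UseDevelopmentStorage=true` shortcut has no `AccountName` entry and is rejected by this check.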

@maddymontaquila maddymontaquila added the azure-storage Issues related to azure storage integration label Jan 10, 2025
@davidfowl davidfowl added the area-integrations Issues pertaining to Aspire Integrations packages label Jan 10, 2025
@maddymontaquila
Member

More generically Damian has this problem written out in #6890

@davidfowl
Member

Are you using the client integration?

@lupusbytes
Author

> More generically Damian has this problem written out in #6890

I'm not sure if HTTPS by itself is enough; the container might still need the --oauth basic argument.

> Are you using the client integration?

I'm not sure, but I don't think so. Could you explain what it is or what it would look like?

@davidfowl
Member

> I'm not sure, but I don't think so. Could you explain what it is or what it would look like?

https://learn.microsoft.com/en-us/dotnet/aspire/storage/azure-storage-blobs-integration?tabs=dotnet-cli#client-integration

@lupusbytes
Author

No, I don't use that.

As stated in the OP, one goal is to not use Aspire packages (client integration) in my production code (API).

@davidfowl
Member

davidfowl commented Jan 10, 2025

Why? (It's not a problem but I'm curious).
