From 75b912e279e979c262cb30346d90965b37d0f963 Mon Sep 17 00:00:00 2001
From: warren
Date: Thu, 18 Dec 2025 12:56:36 +0000
Subject: [PATCH] feat: replaced DefaultAzureCredential with ManagedIdentityCredential
---
 .../Functions/CaasIntegration/RetrieveMeshFile/Program.cs | 5 ++---
 .../NemsSubscriptionService/NemsMeshRetrieval/Program.cs | 4 ++--
 .../Shared/Common/Extensions/AzureQueueExtension.cs | 4 ++--
 .../Shared/Common/Extensions/ConfigurationExtension.cs | 2 +-
 .../Functions/Shared/Common/Extensions/JwtTokenExtension.cs | 4 ++--
 5 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs
index b708c4637b..7e768799f4 100644
--- a/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs
+++ b/application/CohortManager/src/Functions/CaasIntegration/RetrieveMeshFile/Program.cs
@@ -29,12 +29,12 @@
 {
 // Get CohortManager private key
 logger.LogInformation("Pulling Mesh Certificate from KeyVault");
- var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+ var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
 var certificate = await certClient.DownloadCertificateAsync(config.MeshKeyName);
 cohortManagerPrivateKey = certificate.Value;
 // Get MESH public certificates (CA chain)
- var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+ var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
 string base64Cert = (await secretClient.GetSecretAsync(config.MeshCertName)).Value.Value;
 meshCerts = CertificateHelper.GetCertificatesFromString(base64Cert);
 }
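Review bot: The parameterless `new ManagedIdentityCredential ()` on both added lines selects the system-assigned identity only, whereas `DefaultAzureCredential` also picked up a user-assigned identity through the `AZURE_CLIENT_ID` app setting. If these Function Apps run under a user-assigned identity (the deployment is not visible in this patch), the Key Vault calls will fail or be attempted as a different principal from the one granted access to the certificate and secret. Either confirm that the system-assigned identity holds the Key Vault permissions, or pass the identity explicitly, `new ManagedIdentityCredential(clientId)`, with the client ID read from configuration. The same applies to every other hunk in this patch: NemsMeshRetrieval/Program.cs, AzureQueueExtension.cs, ConfigurationExtension.cs and JwtTokenExtension.cs.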
@@ -82,4 +82,3 @@
 logger.LogCritical(ex, "Failed to start up Function");
 }
-
diff --git a/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs b/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs
index 396764773d..30ba26dc2d 100644
--- a/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs
+++ b/application/CohortManager/src/Functions/NemsSubscriptionService/NemsMeshRetrieval/Program.cs
@@ -29,12 +29,12 @@
 {
 // Get CohortManager private key
 logger.LogInformation("Pulling Mesh Certificate from KeyVault");
- var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+ var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
 var certificate = await certClient.DownloadCertificateAsync(config.NemsMeshKeyName);
 cohortManagerPrivateKey = certificate.Value;
 // Get MESH public certificates (CA chain)
- var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+ var secretClient = new SecretClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
 string base64Cert = (await secretClient.GetSecretAsync(config.NemsMeshCertName)).Value.Value;
 meshCerts = CertificateHelper.GetCertificatesFromString(base64Cert);
 }
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs
index de343f7487..635a782c6f 100644
--- a/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Extensions/AzureQueueExtension.cs
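Review bot: In the NemsMeshRetrieval/Program.cs hunk, `certClient` and `secretClient` are each given their own `new ManagedIdentityCredential ()`, so the two clients talk to the same vault through separate credential objects, each of which, as far as I know, caches tokens per instance. Creating it once above the first client, `var credential = new ManagedIdentityCredential();`, and passing `credential: credential` to both constructors keeps the identity choice in one place and avoids a second token request. The identical block in RetrieveMeshFile/Program.cs has the same duplication. The enclosing block starts and ends outside the hunk.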
@@ -27,7 +27,7 @@ public static IHostBuilder AddServiceBusClient(this IHostBuilder hostBuilder, st
 else
 {
 builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)
- .WithCredential(new DefaultAzureCredential());
+ .WithCredential(new ManagedIdentityCredential ());
 }
 });
 _.AddSingleton();
@@ -68,7 +68,7 @@ public static IHostBuilder AddKeyedAzureQueues(this IHostBuilder hostBuilder, bo
 else
 {
 builder.AddServiceBusClientWithNamespace(serviceBusConnectionString)
- .WithCredential(new DefaultAzureCredential());
+ .WithCredential(new ManagedIdentityCredential ());
 }
 });
 _.AddKeyedSingleton(keyName);
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs
index c2bfa67768..508681a025 100644
--- a/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Extensions/ConfigurationExtension.cs
@@ -41,7 +41,7 @@ private static IConfiguration CreateConfiguration(string? keyVaultUrl = null, Li
 if(keyVaultUrl != null){
 try
 {
- configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential(), new AzureKeyVaultConfigurationOptions());
+ configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new ManagedIdentityCredential (), new AzureKeyVaultConfigurationOptions());
 }
 catch (Exception ex)
 {
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs
index 4019662f33..48ec9c6fbf 100644
--- a/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Extensions/JwtTokenExtension.cs
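Review bot: The `else` branch in AddServiceBusClient now authenticates through a managed identity only, with none of the developer-credential fallbacks that `DefaultAzureCredential` offered, and nothing in the code records that constraint. A comment above the call would document it: `// Authenticates with the app's managed identity; this path only works when hosted in Azure.` The same line, and the same remark, apply to the second hunk in AddKeyedAzureQueues. The condition that selects this branch is outside both hunks, so it is worth confirming that local and test runs always take the other path.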
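Review bot: In CreateConfiguration, the `try`/`catch (Exception ex)` around `AddAzureKeyVault` may not be where a managed-identity failure surfaces: if `configBuilder` is a plain `ConfigurationBuilder`, this call only registers the source and the credential is first used when the configuration is built. With `ManagedIdentityCredential` there is no fallback credential, so a missing or unauthorised identity would then fail outside this handler. The `catch` body and the build call are outside the hunk; check that such a failure is logged and stops start-up rather than leaving the app running without its Key Vault settings. If that holds, a comment such as `// Key Vault is read when the configuration is built; credential errors surface there, not here` would record it.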
@@ -28,11 +28,11 @@ public static IHostBuilder AddJwtTokenSigning(this IHostBuilder hostBuilder, boo
 JwtPrivateKey jwtPrivateKey;
 try
 {
- // Azure
+ // Azure
 hostBuilder.AddConfiguration(out JwtTokenServiceConfig config);
 if (!string.IsNullOrEmpty(config.KeyVaultConnectionString))
 {
- var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new DefaultAzureCredential());
+ var certClient = new CertificateClient(vaultUri: new Uri(config.KeyVaultConnectionString), credential: new ManagedIdentityCredential ());
 Response certResponse = certClient.DownloadCertificate(config.KeyNamePrivateKey);
 logger.LogInformation("got certificate from key vault");
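Review bot: The `// Azure` comment is touched here for whitespace only and still does not say what the branch does or what it now depends on. Since the line is changing anyway, something like `// Azure: download the JWT private-key certificate from Key Vault using the app's managed identity` would make the new credential requirement visible to the next reader. Otherwise the whitespace-only edit is noise in a credential change and could be dropped from the commit. AddJwtTokenSigning starts before and continues after the hunk.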