feat: Update AzureStorageConfig to use Managed Identity and enhance deploy script for network ACL handling

Author: emmanuelknafo

sample-app/api/src/main/java/com/example/evidence/config/AzureStorageConfig.java

@@ -1,6 +1,8 @@
 package com.example.evidence.config;
 
+import com.azure.core.credential.TokenCredential;
 import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.ManagedIdentityCredentialBuilder;
 import com.azure.storage.file.datalake.DataLakeServiceClient;
 import com.azure.storage.file.datalake.DataLakeServiceClientBuilder;
 import org.springframework.beans.factory.annotation.Value;
@@ -10,14 +12,20 @@
 
 /**
  * Builds a DataLakeServiceClient for ADLS Gen2 using a Managed Identity
- * (or Azure CLI / dev credential) via DefaultAzureCredential. Shared keys
- * are disabled on the target storage account; all auth flows through Entra
- * ID + Storage Blob Data Contributor RBAC.
+ * (or Azure CLI / dev credential). Shared keys are disabled on the target
+ * storage account; all auth flows through Entra ID + Storage Blob Data
+ * Contributor RBAC.
  *
  * The endpoint targets *.dfs.core.windows.net which, from inside the VNet,
  * resolves to the Private Endpoint NIC IP via the privatelink.dfs.* DNS
  * zone. From outside the VNet (e.g. local dev), the public DFS endpoint is
  * used and access is gated by the storage networkAcls.
+ *
+ * When running in App Service we pin to ManagedIdentityCredential to
+ * avoid the DefaultAzureCredential chain falling back to a stale or wrong
+ * principal (the chain has logged "EnvironmentCredential unavailable"
+ * before failing over). The presence of the IDENTITY_ENDPOINT environment
+ * variable is the standard signal that an MI endpoint is available.
  */
 @Configuration
 @Profile("!dev")
@@ -30,7 +38,14 @@ public class AzureStorageConfig {
     public DataLakeServiceClient dataLakeServiceClient() {
         return new DataLakeServiceClientBuilder()
             .endpoint("https://" + accountName + ".dfs.core.windows.net")
-            .credential(new DefaultAzureCredentialBuilder().build())
+            .credential(buildCredential())
             .buildClient();
     }
+
+    private TokenCredential buildCredential() {
+        if (System.getenv("IDENTITY_ENDPOINT") != null) {
+            return new ManagedIdentityCredentialBuilder().build();
+        }
+        return new DefaultAzureCredentialBuilder().build();
+    }
 }

scripts/deploy.ps1

@@ -344,7 +344,20 @@ if (-not $SkipUpload) {
 
     # The CLI's storage commands work transparently against HNS-enabled
     # accounts. We use --auth-mode login so no shared keys leave the
-    # workstation. RBAC + IP allow-list were both granted in Step 3.
+    # workstation. RBAC was granted in Step 3. The IP allow-list set by
+    # Step 3 is unreliable when the workstation egresses through a NAT
+    # pool with multiple public IPs (corporate network, Wi-Fi tethering),
+    # so we briefly flip the storage networkAcls.defaultAction to Allow
+    # for the duration of the upload, then Step 10 sets it back to Deny
+    # along with publicNetworkAccess=Disabled.
+    Write-Host '    Temporarily setting storage networkAcls.defaultAction=Allow for the seed upload'
+    az storage account update `
+        --resource-group $ResourceGroup `
+        --name $storageAccountName `
+        --default-action Allow `
+        --output none
+    Start-Sleep -Seconds 10
+
     for ($i = 1; $i -le 6; $i++) {
         az storage container create `
             --account-name $storageAccountName `