Add support for Azure US Government #73

@glayton-clarity

Description

What problem are you facing?

When using function-azresourcegraph with credentials for Azure US Government, the function attempts to query the public Azure Resource Graph endpoint (management.azure.com). This results in an error because the Azure Government subscription ID is not recognized by the public Azure endpoint.

The error observed is:

{
  "error": {
    "code": "BadRequest",
    "message": "Please provide below info when asking for support: timestamp = [...], correlationId = [...].",
    "details": [
      {
        "code": "NoValidSubscriptionsInQueryRequest",
        "message": "There must be at least one subscription that is eligible to contain resources. Given: '[AzureGovernmentSubscriptionID]'."
      }
    ]
  }
}

This happens because the Azure SDK clients (azidentity.ClientSecretCredential and armresourcegraph.Client) within the function are initialized without any cloud-specific options and so default to the Azure Public Cloud, even if the associated Crossplane ProviderConfig specifies a different environment (e.g., usgovernment).

How could this Function help solve your problem?

If function-azresourcegraph could correctly use the endpoints for different Azure environments like Azure US Government, it would work for us without needing custom changes.

A good way to achieve this would be for the function to use the specific endpoint URLs that are often included in the credential files for environments like Azure US Government. These credential files (e.g., from az ad sp create-for-rbac --sdk-auth) can contain:

  • activeDirectoryEndpointUrl (e.g., https://login.microsoftonline.us)
  • resourceManagerEndpointUrl (e.g., https://management.usgovcloudapi.net/)

If the function read these URLs from the credentials it's given and used them to configure the AuthorityHost for azidentity.ClientSecretCredentialOptions and the cloud/service endpoint for arm.ClientOptions (used by armresourcegraph.Client), it should then connect to the correct Azure environment.

This would allow the function to be used in Azure US Government and similar Azure environments directly.
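The endpoint selection proposed above, written out as an added Go example that is not code from function-azresourcegraph or from the Azure SDK: it parses an --sdk-auth style credential file (the sample is constructed), maps activeDirectoryEndpointUrl and resourceManagerEndpointUrl onto a well-known cloud, refuses a file whose login and Resource Manager endpoints belong to different clouds, and falls back to the public cloud only when the file carries no endpoints at all. The CloudConfig type is a standard-library stand-in for azcore/cloud.Configuration, the values in knownClouds are recalled from that package and should be checked against the SDK version in use, and the audience derivation for unknown hosts is an assumption; the SDK wiring is described in a comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// SDKAuth holds the fields of an `az ad sp create-for-rbac --sdk-auth` file
// that matter here (JSON names follow that file format).
type SDKAuth struct {
	ClientID                   string `json:"clientId"`
	ClientSecret               string `json:"clientSecret"`
	TenantID                   string `json:"tenantId"`
	SubscriptionID             string `json:"subscriptionId"`
	ActiveDirectoryEndpointURL string `json:"activeDirectoryEndpointUrl"`
	ResourceManagerEndpointURL string `json:"resourceManagerEndpointUrl"`
}

// CloudConfig is a stdlib-only stand-in (assumption) for azcore/cloud.Configuration.
// With the real SDK the chosen cloud is passed as
//   azidentity.ClientSecretCredentialOptions{ClientOptions: azcore.ClientOptions{Cloud: cfg}}
//   arm.ClientOptions{ClientOptions: azcore.ClientOptions{Cloud: cfg}}
// to azidentity.NewClientSecretCredential and armresourcegraph.NewClient.
type CloudConfig struct {
	Name                         string
	ActiveDirectoryAuthorityHost string
	ResourceManagerEndpoint      string
	ResourceManagerAudience      string
}

// knownClouds mirrors the AzurePublic, AzureGovernment and AzureChina presets of
// azcore/cloud (assumption: values recalled from that package; verify them).
var knownClouds = []CloudConfig{
	{"AzurePublic", "https://login.microsoftonline.com/", "https://management.azure.com", "https://management.core.windows.net/"},
	{"AzureGovernment", "https://login.microsoftonline.us/", "https://management.usgovcloudapi.net", "https://management.core.usgovcloudapi.net/"},
	{"AzureChina", "https://login.chinacloudapi.cn/", "https://management.chinacloudapi.cn", "https://management.core.chinacloudapi.cn/"},
}

// hostOf normalises an endpoint URL to its lower-cased host and rejects anything
// that is not an absolute https URL (a plain-http authority would leak the secret).
func hostOf(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("endpoint %q must be an absolute https URL", raw)
	}
	return strings.ToLower(u.Host), nil
}

// matchKnown returns the well-known cloud whose field chosen by pick has host, or nil.
func matchKnown(host string, pick func(CloudConfig) string) *CloudConfig {
	for i := range knownClouds {
		if h, _ := hostOf(pick(knownClouds[i])); h == host {
			return &knownClouds[i]
		}
	}
	return nil
}

// CloudFromSDKAuth decides which cloud a credential file belongs to.
func CloudFromSDKAuth(raw []byte) (CloudConfig, error) {
	var a SDKAuth
	if err := json.Unmarshal(raw, &a); err != nil {
		return CloudConfig{}, fmt.Errorf("parse sdk-auth credentials: %w", err)
	}
	// No endpoints at all: keep the SDK default (public cloud). This is exactly the
	// situation the issue reports for Government credentials, so log the choice.
	if a.ActiveDirectoryEndpointURL == "" && a.ResourceManagerEndpointURL == "" {
		return knownClouds[0], nil
	}
	if a.ActiveDirectoryEndpointURL == "" || a.ResourceManagerEndpointURL == "" {
		return CloudConfig{}, fmt.Errorf("credential file sets only one of activeDirectoryEndpointUrl and resourceManagerEndpointUrl")
	}
	adHost, err := hostOf(a.ActiveDirectoryEndpointURL)
	if err != nil {
		return CloudConfig{}, err
	}
	rmHost, err := hostOf(a.ResourceManagerEndpointURL)
	if err != nil {
		return CloudConfig{}, err
	}
	ad := matchKnown(adHost, func(c CloudConfig) string { return c.ActiveDirectoryAuthorityHost })
	rm := matchKnown(rmHost, func(c CloudConfig) string { return c.ResourceManagerEndpoint })
	switch {
	case ad != nil && rm != nil && ad.Name == rm.Name:
		return *ad, nil
	case ad != nil || rm != nil:
		// A token from one cloud's authority is never valid at another cloud's ARM, and a
		// half-matching file is most likely hand-edited: fail closed rather than send the
		// request (and the bearer token) to the wrong cloud.
		return CloudConfig{}, fmt.Errorf("activeDirectoryEndpointUrl (%s) and resourceManagerEndpointUrl (%s) do not belong to the same cloud", adHost, rmHost)
	}
	// Neither host is well known (e.g. Azure Stack Hub): trust the file and derive the
	// audience from the ARM origin (assumption; confirm for your environment).
	return CloudConfig{Name: "custom", ActiveDirectoryAuthorityHost: "https://" + adHost + "/",
		ResourceManagerEndpoint: "https://" + rmHost, ResourceManagerAudience: "https://" + rmHost + "/"}, nil
}

func main() {
	// Constructed sample in the --sdk-auth layout; not a real credential.
	sample := []byte(`{"clientId":"00000000-0000-0000-0000-000000000000","clientSecret":"redacted","tenantId":"00000000-0000-0000-0000-000000000000","subscriptionId":"00000000-0000-0000-0000-000000000000","activeDirectoryEndpointUrl":"https://login.microsoftonline.us","resourceManagerEndpointUrl":"https://management.usgovcloudapi.net/"}`)
	cfg, err := CloudFromSDKAuth(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s: authority=%s arm=%s\n", cfg.Name, cfg.ActiveDirectoryAuthorityHost, cfg.ResourceManagerEndpoint)
}
```

The fail-closed branch is the part worth keeping even if the rest is replaced by the SDK's own presets: a Government login host paired with the public management.azure.com would otherwise produce exactly the NoValidSubscriptionsInQueryRequest error shown above, but only after the token has already been sent to the wrong cloud.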

Labels: enhancement