3

I have intermittent credential issues in my durable function app.

ManagedIdentityCredential will use App Service managed identity

EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.

DefaultAzureCredential - EnvironmentCredential is unavailable

In each activity I call DefaultAzureCredential

```python
# some activity function
from azure.identity import DefaultAzureCredential

# Runs at import time, once per worker process that loads this activity module
credential = DefaultAzureCredential()


def my_func():
    ...
```

Would it be better to create a credential in my orchestrator, once, and pass it around to my activities? I am also using system assigned identity, so should I use ManagedIdentityCredential instead to avoid the constant checks DefaultAzureCredential does?

```python
from azure.identity import ManagedIdentityCredential
import azure.durable_functions as df


def orchestrator_function(context: df.DurableOrchestrationContext):

    # Create the credentials
    credentials = ManagedIdentityCredential()

    # Pass it to my activity instead of my activity creating its own
    activity = yield context.call_activity("my_activity", credentials)
```

Ari

1 Answer

0

Would it be better to create a credential in my orchestrator, once, and pass it around to my activities?

According to my understanding, if your Orchestrator function calls the Activity function multiple times, it is better to pass the Credential in the Orchestrator function; if it is only called once, I think it is the same to create a Credential in the Activity function.

I am also using system assigned identity, so should I use ManagedIdentityCredential instead to avoid the constant checks DefaultAzureCredential does?

If you use System assigned identity, you can directly use ManagedIdentityCredential, because DefaultAzureCredential will check multiple identities until one of them provides a token.

For a better understanding, you can refer to this official document.


EnvironmentCredential is unavailable is caused by DefaultAzureCredential failing to request tokens from EnvironmentCredential, which is the expected result.

Frank Borzage
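An added example, not code from the question or the answer: Durable Functions activity inputs must be JSON-serializable, so a credential object cannot travel through `call_activity`; this sketch passes plain data and lets every activity reuse one `ManagedIdentityCredential` per worker process instead. The helper names (`get_credential`, `activity_payload`), the `factory` parameter and the sample account and container values are assumptions made for illustration.

```python
import json
import threading

_lock = threading.Lock()
_credential = None


def _new_credential():
    # Imported lazily so this module loads even where azure-identity is absent.
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential()  # system-assigned identity: no client_id


def get_credential(factory=_new_credential):
    """Return one credential per worker process, built on first use."""
    global _credential
    if _credential is None:
        with _lock:
            if _credential is None:  # re-check: another thread may have built it
                _credential = factory()
    return _credential


def activity_payload(**fields):
    """Build an activity input, rejecting anything that is not plain JSON data."""
    try:
        json.dumps(fields)
    except TypeError as exc:
        raise TypeError(f"activity input must be JSON-serializable: {exc}") from None
    return fields


# Orchestrator: hand the activity resource names, never a credential object.
def orchestrator_function(context):
    payload = activity_payload(account="constructedaccount", container="reports")
    result = yield context.call_activity("my_activity", payload)
    return result


# Activity body (hypothetical): fetch the shared credential inside the activity.
def my_activity(payload: dict, factory=_new_credential):
    credential = get_credential(factory)
    # A real activity would pass `credential` to an Azure SDK client here.
    return {"container": payload["container"],
            "credential": type(credential).__name__}
```
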