Vamsi-klu commented on PR #68527:
URL: https://github.com/apache/airflow/pull/68527#issuecomment-4795242862

   Thanks @moomindani for the careful review — both points addressed in the 
latest commit (58b7c4a).
   
   1) Docs: added a Note under the `proxies` extra explaining the relationship 
with HTTP_PROXY / HTTPS_PROXY / NO_PROXY. One correction worth surfacing from 
tracing the code: the paths that do *not* read the proxy env vars are the async 
aiohttp paths, not the Azure Identity ones. The hook builds 
aiohttp.ClientSession() without trust_env=True, so the async REST and 
token-exchange paths ignore HTTP_PROXY/HTTPS_PROXY entirely — the `proxies` 
extra is the only way to proxy them. The sync requests paths and the Azure 
Identity SDK paths (azure-core's transport defaults to use_env_settings=True) 
both honor the env vars by default, and the `proxies` extra takes precedence 
over them when both are set. The Note documents this per client.
   
   2) Comment: added a comment at both ManagedIdentityCredential call sites 
(sync _get_aad_token and async _a_get_aad_token) explaining the exclusion — 
managed identity authenticates against the link-local IMDS endpoint 
(169.254.169.254), which must be reached directly and is unsupported behind a 
proxy, so the `proxies` extra is intentionally not forwarded there, unlike the 
ClientSecretCredential / DefaultAzureCredential paths that reach the public 
Entra ID endpoint. (The IMDS metadata-service call is likewise left unproxied.)
   
   Also added a regression test asserting ManagedIdentityCredential and the 
IMDS metadata call are constructed without `proxies`, while the Databricks REST 
call still receives it — so the asymmetry can't silently regress.
   
   No changelog/newsfragment: providers don't consume newsfragments, and this 
is a docs + comment clarification with a test, no behavior change. Re-ran the 
databricks hook tests (285 passed).
   
   ---
   Drafted-by: Claude Code (Opus 4.8); reviewed by @Vamsi-klu before posting
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to