Local dev using real Azure Managed Identity tokens (via local IMDS + OIDC) #14024
simongottschlag started this conversation in Ideas
Replies: 0 comments
I’ve been experimenting with Aspire and I really like it as a clean way to launch a local development environment. I can also see solid use cases for running tests with it. I’m still undecided on deployment, but I’m evaluating how it could fit into a broader setup.
While trying it out, I ended up going a bit off the beaten path - I wanted a local IMDS and a local OpenID Provider that I could package and reuse (so not just a one-off project). After some experimentation, I got a working setup. I’m not even sure running the ASP.NET Web Application host like this is “intended”, but it works for my needs.
That led to an idea I’d like feedback on:
Idea
Enable developers to run apps locally while still authenticating as their cloud Managed Identities.
Concretely: by running a local IMDS endpoint and using service principal impersonation, the local app could receive a valid access token for a real User Assigned Managed Identity. That would make local testing against resources like Azure Key Vault and Azure SQL behave much closer to production than most current approaches (env vars, dev credentials, mock tokens, etc.).
I’ve already built most of the building blocks, so the remaining work is mainly wiring it together into something usable.
Questions for the community
Just “local IMDS for MI tokens” or also local OIDC provider for broader Aspire or dev tooling integration?
If there’s interest and it seems responsible to do, I’m happy to turn it into a small packaged tool or reference implementation.
Thanks - I’m mainly trying to figure out whether this is genuinely useful or just something that’s technically possible.
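A sketch of the request gate a local IMDS endpoint of the kind proposed above would need before it hands out a real managed identity token. It is an added example, not part of the original post and not the author's code. The route, the `Metadata: true` header, the `X-Forwarded-For` rejection and the response field names follow Azure IMDS; `handle_imds_request`, the `issue_token` callback, the loopback-only rule and the error wording are assumptions made for illustration.

```python
# Added example: request gate for a hypothetical local IMDS emulator.
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

TOKEN_PATH = "/metadata/identity/oauth2/token"  # Azure IMDS token route


def handle_imds_request(method, target, headers, peer_ip, issue_token):
    """Return (status, json_body) for one request to the local endpoint.

    issue_token(resource, client_id) is a hypothetical callback that obtains
    the token and returns (access_token, expires_on_epoch_seconds).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    def error(status, code, msg):
        return status, json.dumps({"error": code, "error_description": msg})

    # Assumption: real tokens are served to callers on this machine only.
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return error(403, "forbidden", "loopback callers only")
    # IMDS requires "Metadata: true" and rejects forwarded requests, which
    # keeps browser-originated and proxied (SSRF-style) requests out.
    if hdrs.get("metadata", "").lower() != "true":
        return error(400, "invalid_request", "metadata header missing")
    if "x-forwarded-for" in hdrs:
        return error(400, "invalid_request", "forwarded requests rejected")

    url = urlsplit(target)
    if method != "GET" or url.path != TOKEN_PATH:
        return error(404, "not_found", "unknown route")
    query = parse_qs(url.query)
    resource = query.get("resource", [""])[0]
    if not query.get("api-version") or not resource:
        return error(400, "invalid_request", "api-version and resource required")
    client_id = query.get("client_id", [None])[0]  # user-assigned identity

    # Only a fully validated request reaches the token source.
    token, expires_on = issue_token(resource, client_id)
    return 200, json.dumps({
        "access_token": token,
        "expires_on": str(expires_on),
        "resource": resource,
        "token_type": "Bearer",
        "client_id": client_id,
    })
```

Because the token returned is valid against real resources, the checks run before `issue_token` is ever called, so a rejected request never triggers a token acquisition.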