Azure / CloudShell

Container Image for Azure Cloud Shell (https://azure.microsoft.com/en-us/features/cloud-shell/)
https://shell.azure.com
MIT License

[BUG] Audience https://containerregistry.azure.net is not a supported MSI token audience #484

Open tkishel opened 2 months ago

tkishel commented 2 months ago

To Reproduce

Using the Azure Python SDK, this succeeds locally, but fails in CloudShell:

import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.containerregistry import ContainerRegistryManagementClient
# The original snippet does not show where AZURE_PUBLIC_CLOUD comes from;
# msrestazure's Cloud object provides the .endpoints.resource_manager attribute used below.
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]  # not defined in the original snippet

azure_credential = DefaultAzureCredential()
# ARM endpoint used as base_url, and the matching token scope ("<endpoint>/.default")
azure_base_url = AZURE_PUBLIC_CLOUD.endpoints.resource_manager
azure_credential_scopes = [AZURE_PUBLIC_CLOUD.endpoints.resource_manager + '.default']

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

registries = registry_management_client.registries.list()

Observed Behavior

CloudShellCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience. Code: AudienceNotSupported Message: Audience https://containerregistry.azure.net is not a supported MSI token audience. ManagedIdentityCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience. Code: AudienceNotSupported

Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.

Assuming this is because the SDK eventually calls:

curl http://localhost:50342/oauth2/token --data "resource=https://containerregistry.azure.net/" -H Metadata:true -s

{"error":{"code":"AudienceNotSupported","message":"Audience https://containerregistry.azure.net/ is not a supported MSI token audience."}}

Expected behavior

These methods should succeed in CloudShell as well as locally:

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

registries = registry_management_client.registries.list()

Is this specific to Cloud Shell?

Yes, the same code succeeds locally.

Interface information

Accessing Cloud Shell via https://portal.azure.com Chrome Version 128.0.6613.120 (Official Build) (arm64) OSK

Additional context

Similar to: https://github.com/Azure/CloudShell/issues/109
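As an added example (not code from the issue or from the Azure/CloudShell project), the script below reproduces the issue's curl probe against the Cloud Shell MSI endpoint in Python and classifies the reply, so that a script running in Cloud Shell can detect an unsupported audience up front instead of failing deep inside a credential chain. The endpoint URL, the `resource` form field and the `Metadata: true` header are taken from the curl command in the issue; the `AudienceNotSupported` sample JSON is modelled on the reply shown there, while the success-case JSON is a constructed sample whose field names are an assumption. The `opener` parameter exists only so the network call can be swapped out; everything else is standard library.

```python
"""Diagnostic helper for the Cloud Shell MSI token endpoint.

Added example; not part of the issue or the Azure/CloudShell project.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint, body and header as used by the curl command in the issue.
MSI_TOKEN_ENDPOINT = "http://localhost:50342/oauth2/token"


def build_msi_request(resource: str) -> urllib.request.Request:
    """Build the same POST the issue's curl command sends for one audience."""
    body = urllib.parse.urlencode({"resource": resource}).encode()
    return urllib.request.Request(
        MSI_TOKEN_ENDPOINT,
        data=body,
        headers={"Metadata": "true"},
        method="POST",
    )


def classify_msi_response(raw: bytes) -> dict:
    """Turn the endpoint's JSON reply into a small verdict.

    Returns {"supported": bool, "code": str | None, "message": str}.
    """
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return {
            "supported": False,
            "code": "InvalidResponse",
            "message": raw[:200].decode(errors="replace"),
        }
    if "access_token" in payload:
        # Success shape is an assumption; field names may differ on the real endpoint.
        return {
            "supported": True,
            "code": None,
            "message": "token issued for %s" % payload.get("resource", "<unknown resource>"),
        }
    error = payload.get("error", {})
    return {
        "supported": False,
        "code": error.get("code", "Unknown"),
        "message": error.get("message", ""),
    }


def check_audience(resource: str, opener=urllib.request.urlopen) -> dict:
    """Probe the MSI endpoint for one audience and classify the result.

    `opener` defaults to urllib's urlopen; pass a stand-in to avoid network access.
    """
    req = build_msi_request(resource)
    try:
        with opener(req, timeout=5) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        # The endpoint answers an unsupported audience with a JSON error body.
        raw = exc.read()
    except (urllib.error.URLError, OSError) as exc:
        return {"supported": False, "code": "EndpointUnreachable", "message": str(exc)}
    return classify_msi_response(raw)


# Constructed sample replies. The first mirrors the JSON shown in the issue;
# the second is an assumed success shape for illustration only.
SAMPLE_UNSUPPORTED = (
    b'{"error":{"code":"AudienceNotSupported","message":"Audience '
    b'https://containerregistry.azure.net/ is not a supported MSI token audience."}}'
)
SAMPLE_OK = (
    b'{"access_token":"<redacted>","resource":"https://management.azure.com/",'
    b'"token_type":"Bearer"}'
)

if __name__ == "__main__":
    for label, raw in (("ACR audience", SAMPLE_UNSUPPORTED), ("ARM audience", SAMPLE_OK)):
        print(label, classify_msi_response(raw))
    # Live probe; only meaningful from inside Cloud Shell:
    # print(check_audience("https://containerregistry.azure.net/"))
```

Run inside Cloud Shell with the live probe uncommented to see which audiences the local MSI endpoint will mint tokens for; outside Cloud Shell the probe returns `EndpointUnreachable`. Checking the verdict before constructing SDK clients gives a clearer failure than the chained `CloudShellCredential` / `ManagedIdentityCredential` error quoted above.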

mbifeld commented 2 months ago

Looks like Cloud Shell is missing the specific MSI token needed here. Will be looking at designs that cover this and other MSI token issues. Thank you for reporting this bug.