Closed andreygoran closed 11 months ago
The values can be number or string. If you check the official adal go library, you can see how they parse the payload
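A tolerant client-side parse for the fields discussed in this issue, as an added example that is not part of the thread and is not the ADAL library's code. `FlexInt`, `Token` and `ParseToken` are hypothetical names, and the sample body in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// FlexInt (hypothetical name) accepts a JSON integer written as 3599 or "3599".
// An empty string or null leaves the field at zero; other values are an error.
type FlexInt int64

func (f *FlexInt) UnmarshalJSON(b []byte) error {
	s := string(b)
	if len(s) > 0 && s[0] == '"' { // quoted form: undo the JSON string quoting
		if err := json.Unmarshal(b, &s); err != nil {
			return err
		}
	}
	if s == "" || s == "null" {
		return nil
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return fmt.Errorf("expected integer, got %q", s)
	}
	*f = FlexInt(n)
	return nil
}

// Token covers access_token plus the three fields named in the issue.
type Token struct {
	AccessToken string  `json:"access_token"`
	ExpiresIn   FlexInt `json:"expires_in"`
	ExpiresOn   FlexInt `json:"expires_on"`
	NotBefore   FlexInt `json:"not_before"`
}

// ParseToken rejects a response with no usable expiry instead of caching it.
func ParseToken(body []byte) (*Token, error) {
	var t Token
	if err := json.Unmarshal(body, &t); err != nil {
		return nil, err
	}
	if t.AccessToken == "" || t.ExpiresOn <= 0 {
		return nil, fmt.Errorf("missing access_token or expires_on")
	}
	return &t, nil
}

func main() { // constructed sample body using the numeric form
	t, err := ParseToken([]byte(`{"access_token":"x","expires_on":1700003599}`))
	fmt.Println(t, err)
}
```

Failing closed on a missing or non-numeric `expires_on` keeps a malformed response from being treated as a token with no expiry.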
Hi @northtyphoon,
According to documentation https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows#schema:
In json responses, all primitives will be of type string, and missing or inapplicable values are always included but will be set to an empty string.
From the client's point of view, all Managed Identity endpoints (http://169.254.169.254/metadata/identity/oauth2/token) are the same service, no matter if called from a VM, Container Instance, or Container Registry Task. So it would be logical to return data in the same format. Which is actually also documented here:
@andreygoran we have deployed a fix to change the property to string. Can you try it again?
I tested it, and it is fixed now. Thank you!
Description
ACR Tasks can be created with the --assign-identity flag so that Managed Identity is used when running the tasks:
When an access token is pulled from the running task, the JSON format is not consistent with the format used in other Azure services (such as VMs, container instances, etc.), which is described here:
Access token pulled from a VM:
Access token pulled from a running ACR Task:
The problem is that the expires_in, expires_on, and not_before values are NOT strings, and this breaks tools that rely on using managed identity because they cannot parse the JSON. Packer by HashiCorp is one example of a tool that crashes because of this inconsistency:
To Reproduce