Azure / azure-cli

Azure Command-Line Interface
MIT License

`az login` with managed identity indicating system assigned when the identity is user assigned #13188

Closed jiasli closed 4 months ago

jiasli commented 4 years ago

Symptom

When using a single user assigned identity for az login --identity, it says the logged in user is a system assigned identity.

The default identity is the identity returned when the client_id, object_id and mi_res_id parameters are not provided to IMDS. This will be the system assigned identity when present but can also be a user assigned identity if

az login is assuming the default identity used is a system assigned identity even if it is a user assigned one.

The system identity has been off since the creation of the VM, but each time I use the command I get the following:

C:\Users\xxx>az login --identity --allow-no-subscriptions
[
    {
        "environmentName": "AzureCloud",
        "id": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "isDefault": true,
        "name": "N/A(tenant level account)",
        "state": "Enabled",
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "user": {
            "assignedIdentityInfo": "MSI",
            "name": "systemAssignedIdentity",
            "type": "servicePrincipal"
        }
    }
]

Explanation

In the current implementation, the identity type is deduced from whether identity_id is provided. When you run az login --identity without --username, the CLI will assume it is a system assigned identity, instead of confirming from the response.

https://github.com/Azure/azure-cli/blob/764332b65bd8758696df36921084c033d82e5ff9/src/azure-cli-core/azure/cli/core/_profile.py#L357

Solution

Extract the resource ID of managed identity from the access token's xms_mirid property to decide the correct type of managed identity.

Get the access token with

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s

Then decode the access token with https://jwt.ms/.

System assigned identity:

{
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "CtTuhMJmD5M7DLdzD2v2x3QKSRY",
    "kid": "CtTuhMJmD5M7DLdzD2v2x3QKSRY"
}.{
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/",
    "iat": 1587900154,
    "nbf": 1587900154,
    "exp": 1587986854,
    "aio": "42dgYFhc1v3ggcLvV4t8mxum2/zsBwA=",
    "appid": "60f3ea3e-db59-49b9-864d-ff246e75054a",
    "appidacr": "2",
    "idp": "https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/",
    "oid": "e9c36f6d-c861-4504-81c2-9f0b836ffc00",
    "sub": "e9c36f6d-c861-4504-81c2-9f0b836ffc00",
    "tid": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "uti": "FfhIaNiGeEWR1gCIjxluAA",
    "ver": "1.0",
    "xms_mirid": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourcegroups/vm2rg/providers/Microsoft.Compute/virtualMachines/vm2"
}.[Signature]

User assigned identity:

{
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "CtTuhMJmD5M7DLdzD2v2x3QKSRY",
    "kid": "CtTuhMJmD5M7DLdzD2v2x3QKSRY"
}.{
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/",
    "iat": 1587898513,
    "nbf": 1587898513,
    "exp": 1587985213,
    "aio": "42dgYJg869K2p1qv5XwFHexnlVs3AgA=",
    "appid": "eecb2419-a29d-4580-a92a-f6a7b7b71300",
    "appidacr": "2",
    "idp": "https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/",
    "oid": "27c363a5-7016-4ae0-8540-818ec05673f1",
    "sub": "27c363a5-7016-4ae0-8540-818ec05673f1",
    "tid": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "uti": "d3wYPkYPx0GmBRdThHBHAA",
    "ver": "1.0",
    "xms_mirid": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourcegroups/winrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myid"
}.[Signature]

Additional information

Email: az login on VM indicating system assigned when the identity is user assigned
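
The classification proposed under Solution, as an added example that is not azure-cli's own code: decode the payload of the token IMDS returned, read xms_mirid, and label the identity from the resource type in that path instead of from whether --username was passed. The two tokens are constructed for this example (their claims copy the samples above, the signature is a dummy string), and all function names are my own, not an azure-cli or MSAL API.

```python
"""Label a managed identity from the xms_mirid claim of an IMDS access token.

Added example, not azure-cli code. It implements the approach proposed in the
issue: read xms_mirid from the token IMDS returned instead of deducing the
identity type from CLI arguments. Tokens below are CONSTRUCTED with a dummy
signature; their claims copy the two samples in the issue.
"""
import base64
import json

SYSTEM_ASSIGNED = "systemAssignedIdentity"
USER_ASSIGNED = "userAssignedIdentity"
UAMI_TYPE = "microsoft.managedidentity/userassignedidentities"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS without verifying the signature.

    Acceptable only because the token came from the caller's own IMDS request
    and is merely being labelled; never authorize anything on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def parse_arm_resource_id(resource_id: str) -> dict:
    """Split /subscriptions/<s>/resourceGroups/<g>/providers/<ns>/<type>/<name>."""
    parts = resource_id.strip("/").split("/")
    if (len(parts) < 8 or parts[0].lower() != "subscriptions"
            or parts[2].lower() != "resourcegroups" or parts[4].lower() != "providers"):
        raise ValueError(f"unexpected resource ID shape: {resource_id}")
    return {"subscription": parts[1], "resource_group": parts[3],
            "namespace": parts[5], "type": parts[6], "name": parts[7]}


def classify_managed_identity(token: str) -> dict:
    """Decide system vs user assigned from xms_mirid, not from CLI arguments."""
    claims = decode_jwt_claims(token)
    mirid = claims.get("xms_mirid")
    if not mirid:
        raise ValueError("token has no xms_mirid claim; cannot determine identity type")
    res = parse_arm_resource_id(mirid)
    if f"{res['namespace']}/{res['type']}".lower() == UAMI_TYPE:
        kind = USER_ASSIGNED    # xms_mirid points at the identity resource itself
    else:
        kind = SYSTEM_ASSIGNED  # xms_mirid points at the host resource (here a VM)
    return {"type": kind, "name": res["name"], "resource_id": mirid,
            "appid": claims.get("appid"), "oid": claims.get("oid")}


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED test token: real header/payload layout, dummy signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), "dummy-sig"])


SAMPLE_SYSTEM_TOKEN = make_unsigned_token({
    "aud": "https://management.azure.com/",
    "appid": "60f3ea3e-db59-49b9-864d-ff246e75054a",
    "oid": "e9c36f6d-c861-4504-81c2-9f0b836ffc00",
    "xms_mirid": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourcegroups/vm2rg"
                 "/providers/Microsoft.Compute/virtualMachines/vm2",
})
SAMPLE_USER_TOKEN = make_unsigned_token({
    "aud": "https://management.azure.com/",
    "appid": "eecb2419-a29d-4580-a92a-f6a7b7b71300",
    "oid": "27c363a5-7016-4ae0-8540-818ec05673f1",
    "xms_mirid": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourcegroups/winrg"
                 "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myid",
})

if __name__ == "__main__":
    for token in (SAMPLE_SYSTEM_TOKEN, SAMPLE_USER_TOKEN):
        print(json.dumps(classify_managed_identity(token), indent=2))
```

The decoder deliberately skips signature verification because the only use of the claims here is to label the profile entry for a token the caller just obtained from the link-local endpoint; the same shortcut would be wrong anywhere the claims gate access. Note also what this cannot fix: when a VM carries both identity kinds, the default IMDS response is the system assigned one, so a caller who wants a specific user assigned identity must name it in the request (the client_id, object_id or mi_res_id parameters mentioned above) rather than classify whatever comes back.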

yonzhan commented 4 years ago

az login with MSI

yonzhan commented 4 years ago

add to S170

mitchdenny commented 3 years ago

Is this still an issue? I'm still observing this behavior.

jiasli commented 3 years ago

Azure CLI still uses msrestazure for managed identity login. We will fix this issue after we migrate to MSAL (https://github.com/Azure/azure-cli/issues/18944).

kingsleyadam commented 2 years ago

With #18944 being complete, any word on this issue? Our case requires both user and system assigned identities to be assigned, but we want to default to the user assigned one.

jiasli commented 2 years ago

With #18944 being complete, any word on this issue?

Apologies for the delay, as we don't have enough bandwidth to revisit this historical issue for now. 😥

Our case requires both user and system assigned identities to be assigned, but we want to default to the user assigned one.

I don't think this is possible. When both system and user assigned identity are available, managed identity endpoint will return system assigned one by default.

bgavrilMS commented 4 months ago

Recommendation is to explicitly declare a user assigned identity and use its client id.

Do not rely on the system choosing the "only 1" identity. It is a brittle experience, which will break the moment a new user assigned identity or a system assigned identity is broken.

We (SDK and service teams) are actively looking for how to deprecate this behavior.

@jiasli - please close this as "won't fix"

jiasli commented 4 months ago

More context provided by MSAL developer @rayluo:

  1. That is the underlying behavior baked into Azure VM's endpoint (but not on any other flavors of Managed Identities). I left a trace here in MSAL code base, which points to Azure VM's official documentation. We do not like it or advertise it, but, that behavior on the endpoint layer will probably stay forever, until/unless we drop that endpoint and switch to Managed Identity v2 in the future.

  2. With our programming model of encouraging/enforcing the choice between SAMI and UAMI, we at least conceptually guide app developers to make that decision upfront. So, when app developer wants to use the only UAMI on their VM, they are expected to create a UAMI with its client_id. They are not supposed to use SAMI. There is no DefaultManagedIdentity concept here. There will be no ambiguity in this usage pattern. Of course, nothing stops app developer from knowing #1 and then purposely (ab)use our SAMI interface to get a token that is actually for the UAMI. But we (MSAL) did our part.