Azure / azure-cli

Azure Command-Line Interface
MIT License

app configuration with private endpoint not working #24289

Open kousourakis opened 1 year ago

kousourakis commented 1 year ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

az --version
azure-cli 2.41.0
core 2.41.0
telemetry 1.0.8
Dependencies:
msal 1.20.0b1
azure-mgmt-resource 21.1.0b1
Python location '/opt/az/bin/python3'
Extensions directory '/home/azureuser/.azure/cliextensions'
Python (Linux) 3.10.5 (main, Oct 10 2022, 03:02:09) [GCC 9.4.0]

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal

Related command

az appconfig kv show --key "keyname" --endpoint https://appconfig.privatelink.azconfig.io --auth-mode login --debug

Describe the bug

Cannot query app configuration via the private endpoint. If the app configuration's network accepts public connections, then using the public https domain works fine.

To Reproduce

  1. create an app configuration and a text key value.
  2. make sure you can query it from local machine
  3. create virtual net with a subnet, do not delegate the subnet to any service
  4. create a small ubuntu vm into the subnet created above.
  5. Enable system managed identity on ubuntu vm and add reader role to itself (used to be able to login using managed identity with azure cli)
  6. add data reader role in app configuration for ubuntu vm
  7. ssh into the ubuntu vm, install azure cli, login with az login --identity and make sure you can query the public app configuration kv
  8. set up a private endpoint for app configuration in the same vnet and subnet as the vm
  9. switch app configuration to private network access (only through private endpoints)
  10. in linux vm clear dns cache and try to query the app config public url (403 while ip still is public from dig output)
  11. in linux vm clear dns cache and try to query the private endpoint (fails with debug message added below)

Expected behavior

It should be able to change the app configuration IP to the private one and use it transparently, whether using the public app configuration or its private endpoint URL.

Environment summary

Additional context


cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f53ceb32b00>, <function OutputProducer.on_global_arguments at 0x7f53cea504c0>, <function CLIQuery.on_global_arguments at 0x7f53cea796c0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'appconfig': ['azure.cli.command_modules.appconfig']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: appconfig                 0.004         8        42
cli.azure.cli.core: Total (1)                 0.004         8        42
cli.azure.cli.core: Loaded 8 groups, 42 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : appconfig kv show
cli.azure.cli.core: Command table: appconfig kv show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f53cdc27e20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/azureuser/.azure/commands/2022-10-19.21-33-29.appconfig_kv_show.4179.log'.
az_command_data_logger: command args: appconfig kv show --key {} --endpoint {} --label {} --auth-mode {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f53cdc48a60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f53cdc732e0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f53cdc73400>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f53cea50550>, <function CLIQuery.handle_query_parameter at 0x7f53cea79750>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f53cdc73370>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AppConfigurationManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1744
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1744
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://appconfig.privatelink.azconfig.io/.default',), kwargs={}
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fappconfig.privatelink.azconfig.io&api-version=2018-02-01 HTTP/1.1" 400 793
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://appconfig.privatelink.azconfig.io', 'api-version': '2018-02-01'}
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication:
Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
    token_entry = self._vm_msi.get_token(self.resource)
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
    token_entry = self._retrieve_token_from_imds_with_retry(resource)
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
    raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError

cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
    token_entry = self._vm_msi.get_token(self.resource)
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
    token_entry = self._retrieve_token_from_imds_with_retry(resource)
  File "/opt/az/lib/python3.10/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
    raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/arm.py", line 429, in show_exception_handler
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/appconfig/keyvalue.py", line 646, in show_key
    key_value = azconfig_client.get_configuration_setting(key=key, label=label, accept_datetime=datetime)
  File "/opt/az/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/appconfiguration/_azure_appconfiguration_client.py", line 256, in get_configuration_setting
    key_value = self._impl.get_key_value(
  File "/opt/az/lib/python3.10/site-packages/azure/appconfiguration/_generated/operations/_azure_app_configuration_operations.py", line 368, in get_key_value
    pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 211, in run
    return first_node.send(pipeline_request)  # type: ignore
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 117, in send
    self.on_request(request)
  File "/opt/az/lib/python3.10/site-packages/azure/core/pipeline/policies/_authentication.py", line 94, in on_request
    self._token = self._credential.get_token(*self._scopes)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/auth/adal_authentication.py", line 46, in get_token
    self.set_token()
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/auth/adal_authentication.py", line 85, in set_token
    raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request

cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f53cdc280d0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.624 seconds (init: 0.165, invoke: 0.460)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3380 in cache
telemetry.check: Negative: The /home/azureuser/.azure/telemetry.txt was modified at 2022-10-19 21:30:09.106686, which in less than 600.000000 s
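The debug log above shows what actually failed: the CLI derived the token scope from the `--endpoint` hostname, so the managed identity asked IMDS for a token whose resource was the private-link FQDN, and IMDS answered 400. The following is an added triage helper, not code from the issue or from azure-cli, that parses `az --debug` output for IMDS token requests and flags any whose audience is a private-link alias (the sample log lines are constructed to mirror the ones in this report; private link changes the network path to a service, not the Entra audience a token is issued for).

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines modelled on the `az --debug` output in this issue.
SAMPLE_LOG = """\
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1744
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://appconfig.privatelink.azconfig.io/.default',), kwargs={}
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fappconfig.privatelink.azconfig.io&api-version=2018-02-01 HTTP/1.1" 400 793
"""

# Matches the urllib3 line for a managed-identity token request to the IMDS endpoint.
IMDS_RE = re.compile(
    r'http://169\.254\.169\.254:80 "GET '
    r'(?P<path>/metadata/identity/oauth2/token\?[^ ]+) HTTP/1\.1" (?P<status>\d{3})'
)


def parse_imds_token_requests(log_text):
    """Return one record per IMDS token request: the resource (audience) asked for and the HTTP status."""
    found = []
    for line in log_text.splitlines():
        m = IMDS_RE.search(line)
        if not m:
            continue
        # parse_qs URL-decodes the value, so %3A%2F%2F becomes '://'.
        query = parse_qs(urlparse(m.group("path")).query)
        resource = query.get("resource", [""])[0]
        found.append({"resource": resource, "status": int(m.group("status"))})
    return found


def diagnose(token_requests):
    """Flag token requests whose audience is a private-link hostname rather than a service audience."""
    findings = []
    for req in token_requests:
        host = urlparse(req["resource"]).hostname or ""
        if ".privatelink." in host:
            findings.append(
                f"resource '{req['resource']}' (HTTP {req['status']}) is a private-link FQDN: "
                "request the token for the service audience, not the endpoint hostname"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_imds_token_requests(SAMPLE_LOG)):
        print(finding)
```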
yonzhan commented 1 year ago

route to CXP team