Azure / azure-cli

Azure Command-Line Interface
MIT License

create federated identity in WSL-ubuntu got invisible char in OIDCURL #26942

Open dante159753 opened 1 year ago

dante159753 commented 1 year ago

Describe the bug

When creating a federated identity in WSL using az cli from Windows, it inserts an invisible '\r' into the OIDCUrl, which makes the auth fail with 70021.

Related command

INFRA_UAI_NAME="yz-image-mgmt07-uai"
INFRA_UAI_RG="yz-image-mgmt07-rg"
MGMT_RG="rpaas061901"
MGMT_NAME="rpaas061901"

az account set -s "ASZ_HybridAKS_Dev"
echo "load AKS_OIDC_ISSUER from mgmt aks"
AKS_OIDC_ISSUER="$(az aks show -n $MGMT_NAME -g $MGMT_RG --query "oidcIssuerProfile.issuerUrl" -otsv)"
echo "AKS_OIDC_ISSUER=${AKS_OIDC_ISSUER}"

az account set -s "ASZ_HybridAKS_POC_dev"
INFRA_UAI_FED_IMAGE_NAME="yztestfedid"
IMAGE_ACCOUNT_SUBJECT="system:serviceaccount:image-mgmt:image-mgmt-controller-manager"
az identity federated-credential create \
  --name "${INFRA_UAI_FED_IMAGE_NAME}" \
  --identity-name "${INFRA_UAI_NAME}" \
  --resource-group "${INFRA_UAI_RG}" \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject "${IMAGE_ACCOUNT_SUBJECT}" \
  --audience api://AzureADTokenExchange

Errors


load AKS_OIDC_ISSUER from mgmt aks
AKS_OIDC_ISSUER=https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/
{
  "audiences": [
    "api://AzureADTokenExchange"
  ],
  "id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
  "issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
  "name": "yztestfedid",
  "resourceGroup": "yz-image-mgmt07-rg",
  "subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
  "systemData": null,
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Issue script & Debug output

$ az identity federated-credential create --name "${INFRA_UAI_FED_IMAGE_NAME}" --identity-name "${INFRA_UAI_NAME}" --resource-group "${INFRA_UAI_RG}" --issuer "${AKS_OIDC_ISSUER}" --subject "${IMAGE_ACCOUNT_SUBJECT}" --audience api://AzureADTokenExchange --debug cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'yztestfedid', '--identity-nam e', 'yz-image-mgmt07-uai', '--resource-group', 'yz-image-mgmt07-rg', '--issuer', 'https://eastus.oic.prod-aks.azure.com/7 2f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r', '--subject', 'system:serviceaccount:image-m gmt:image-mgmt-controller-manager', '--audience', 'api://AzureADTokenExchange', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x019CB460>, <fu nction OutputProducer.on_global_arguments at 0x01CFD6A0>, <function CLIQuery.on_global_arguments at 0x01D182F8>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: identity 0.008 2 11 cli.azure.cli.core: Total (1) 0.008 2 11 cli.azure.cli.core: Loaded 2 groups, 11 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : identity federated-credential create cli.azure.cli.core: Command table: identity federated-credential create cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03D CB460>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\wangya.azure\commands\2023-07-19 .19-45-56.identity_federated-credential_create.15236.log'. 
az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group {} --issuer {} --subject {} --audience {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subs cription_parameter at 0x03E18898>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x03E18A48>, <function register_cache_arguments..add_cache_arguments at 0x03E18AD8>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01CFD6E8>, <fu nction CLIQuery.handle_query_parameter at 0x01D18340>, <function register_ids_argument..parse_ids_arguments at 0x 03E18A90>] cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ManagedServiceIdentityClient cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\wangya\.azure\msal_token_cache.bin', encry pt=True cli.azure.cli.core.auth.binary_cache: load: C:\Users\wangya.azure\msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db4 7/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_b asic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'respon se_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_v alues_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 
'scopes _supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1 -41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.co m/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth 2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db 47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoin t': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'clou d_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.c om', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? 
False cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.d efault',), kwargs={} cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.def ault',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: 8507bda4-0bad-49f2-ad5a-af168137618c cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3 292f6/resourceGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/fe deratedIdentityCredentials/yztestfedid?api-version=2023-01-31' cli.azure.cli.core.sdk.policies: Request method: 'PUT' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json' cli.azure.cli.core.sdk.policies: 'Content-Length': '266' cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8d69a198-26a7-11ee-b394-00155d349f00' cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --au dience --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.50.0 azsdk-python-azure-mgmt-msi/7.0.0 Python/3.10.10 (Win dows-10-10.0.19045-SP0)' cli.azure.cli.core.sdk.policies: 'Authorization': '*****' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: {"properties": {"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab -2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r", "subject": "system:serviceaccount:image-mgmt:image-mgmt-controlle r-manager", "audiences": ["api://AzureADTokenExchange"]}} urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443 urllib3.connectionpool: 
https://management.azure.com:443 "PUT /subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourc eGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdenti tyCredentials/yztestfedid?api-version=2023-01-31 HTTP/1.1" 201 581 cli.azure.cli.core.sdk.policies: Response status: 201 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Content-Length': '581' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'Location': '/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-i mage-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredential s/yztestfedid' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTUS:20230720T024558Z:9760f3cf-2e3e-426f-a8de-38992a6f f858' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 20 Jul 2023 02:45:58 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt0 7-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfe 
did","name":"yztestfedid","type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials","propert ies":{"issuer":"https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b 08af4d/\r","subject":"system:serviceaccount:image-mgmt:image-mgmt-controller-manager","audiences":["api://AzureADTokenExc hange"]}} cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03DF0C88>, <function _x5 09_from_base64_to_hex_transform at 0x03DF0CD0>] cli.knack.cli: Event: CommandInvoker.OnFilterResult [] { "audiences": [ "api://AzureADTokenExchange" ], "id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid", "issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a f4d/\r", "name": "yztestfedid", "resourceGroup": "yz-image-mgmt07-rg", "subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager", "systemData": null, "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials" } cli.knack.cli: Event: Cli.SuccessfulExecute [] cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03DCB580>] az_command_data_logger: exit code: 0 cli.main: Command ran in 2.519 seconds (init: 0.688, invoke: 1.831) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 3378 in cache telemetry.check: Negative: The C:\Users\wangya.azure\telemetry.txt was modified at 2023-07-19 19:43:05.626410, which in less than 600.000000 s

Expected behavior

do not insert \r into oidcUrl

Environment Summary

az --version azure-cli 2.50.0

core 2.50.0 telemetry 1.0.8

Dependencies: msal 1.22.0 azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\wangya.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details
Author: dante159753
Assignees: zhoxing-ms
Labels: `bug`, `Service Attention`, `question`, `AKS`, `ARM`, `Managed Identity`, `needs-team-attention`, `Auto-Assign`, `Azure CLI Team`
Milestone: Backlog

navba-MSFT commented 1 year ago

Adding Service team to look into this.

bebound commented 1 year ago

Duplicate of https://github.com/Azure/azure-cli/issues/13573.

You need to install a Linux CLI package instead of calling the Windows one. See https://github.com/Azure/azure-cli/issues/13573#issuecomment-888791313
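
The failure mode reported in this issue, as an added example that is not part of the thread or of azure-cli: a shell command substitution strips the trailing LF of a CRLF-terminated line but keeps the CR, so the captured value has to be checked or cleaned before it is passed to `--issuer`. `fake_windows_az` and its URL are constructed stand-ins for the Windows `az` output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. fake_windows_az is a constructed stand-in for a Windows
# az.exe call made from WSL: one line of output terminated by CRLF.
fake_windows_az() {
  printf 'https://issuer.example.invalid/tenant-id/cluster-id/\r\n'
}

# Succeeds (returns 0) when the value contains any control character,
# which covers CR, LF and TAB.
has_control_chars() {
  case "$1" in
    *[[:cntrl:]]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Remove every CR from the value. On the page's script the same filter
# would sit inside the substitution:
#   AKS_OIDC_ISSUER="$(az aks show ... -otsv | tr -d '\r')"
strip_cr() {
  printf '%s' "$1" | tr -d '\r'
}

# Guard to call before `az identity federated-credential create --issuer`.
# Rejects values with control characters and values that are not https URLs,
# and dumps the offending bytes so the invisible character becomes visible.
require_clean_issuer() {
  if has_control_chars "$1"; then
    echo "issuer rejected: control character present" >&2
    printf '%s' "$1" | od -An -c >&2
    return 1
  fi
  case "$1" in
    https://*) return 0 ;;
    *) echo "issuer rejected: not an https URL" >&2; return 1 ;;
  esac
}

# $(...) drops the trailing LF only; the CR stays in the variable.
raw=$(fake_windows_az)
if require_clean_issuer "$raw"; then
  echo "raw value accepted"
else
  echo "raw value rejected (length ${#raw})"
fi

clean=$(strip_cr "$raw")
if require_clean_issuer "$clean"; then
  echo "cleaned value accepted (length ${#clean}): $clean"
fi
```

Echoing the raw variable to a terminal hides the CR, which is why the `AKS_OIDC_ISSUER=` line in the report looks correct while the JSON response shows `\r`.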

RamyaElangovanP commented 8 months ago

Can this be assigned to the AKS team? Looks like the issue URL is obtained from AKS.