Open dante159753 opened 1 year ago
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.
Author: | dante159753 |
---|---|
Assignees: | zhoxing-ms |
Labels: | `bug`, `Service Attention`, `question`, `AKS`, `ARM`, `Managed Identity`, `needs-team-attention`, `Auto-Assign`, `Azure CLI Team` |
Milestone: | Backlog |
Adding Service team to look into this.
Duplicate of https://github.com/Azure/azure-cli/issues/13573.
You need to install a Linux CLI package instead of calling windows one. see https://github.com/Azure/azure-cli/issues/13573#issuecomment-888791313
Can this be assigned to AKS team. Looks like the issue URL is obtained from AKS
Describe the bug
when create federated identity in wsl using az cli from windows, it insert invisible '\r' into OIDCUrl, makes the auth failed with 70021
Related command
Errors
Issue script & Debug output
$ az identity federated-credential create --name "${INFRA_UAI_FED_IMAGE_NAME}" --identity-name "${INFRA_UAI_NAME}" --resource-group "${INFRA_UAI_RG}" --issuer "${AKS_OIDC_ISSUER}" --subject "${IMAGE_ACCOUNT_SUBJECT}" --audience api://AzureADTokenExchange --debug cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'yztestfedid', '--identity-nam e', 'yz-image-mgmt07-uai', '--resource-group', 'yz-image-mgmt07-rg', '--issuer', 'https://eastus.oic.prod-aks.azure.com/7 2f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r', '--subject', 'system:serviceaccount:image-m gmt:image-mgmt-controller-manager', '--audience', 'api://AzureADTokenExchange', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x019CB460>, <fu nction OutputProducer.on_global_arguments at 0x01CFD6A0>, <function CLIQuery.on_global_arguments at 0x01D182F8>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: identity 0.008 2 11 cli.azure.cli.core: Total (1) 0.008 2 11 cli.azure.cli.core: Loaded 2 groups, 11 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : identity federated-credential create cli.azure.cli.core: Command table: identity federated-credential create cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03D CB460>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\wangya.azure\commands\2023-07-19 .19-45-56.identity_federated-credential_create.15236.log'. az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group {} --issuer {} --subject {} --audience {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subs
cription_parameter at 0x03E18898>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments
at 0x03E18A48>, <function register_cache_arguments..add_cache_arguments at 0x03E18AD8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01CFD6E8>, <fu
nction CLIQuery.handle_query_parameter at 0x01D18340>, <function register_ids_argument..parse_ids_arguments at 0x
03E18A90>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ManagedServiceIdentityClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\wangya\.azure\msal_token_cache.bin', encry
pt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\wangya.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db4
7/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_b
asic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'respon
se_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_v
alues_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes
_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1
-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.co
m/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth
2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db
47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint':
'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub',
'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat',
'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoin
t': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'clou
d_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.c
om', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.d
efault',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.def
ault',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 8507bda4-0bad-49f2-ad5a-af168137618c
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3
292f6/resourceGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/fe
deratedIdentityCredentials/yztestfedid?api-version=2023-01-31'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '266'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8d69a198-26a7-11ee-b394-00155d349f00'
cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --au
dience --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.50.0 azsdk-python-azure-mgmt-msi/7.0.0 Python/3.10.10 (Win
dows-10-10.0.19045-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab
-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r", "subject": "system:serviceaccount:image-mgmt:image-mgmt-controlle
r-manager", "audiences": ["api://AzureADTokenExchange"]}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourc
eGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdenti
tyCredentials/yztestfedid?api-version=2023-01-31 HTTP/1.1" 201 581
cli.azure.cli.core.sdk.policies: Response status: 201
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '581'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Location': '/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-i
mage-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredential
s/yztestfedid'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTUS:20230720T024558Z:9760f3cf-2e3e-426f-a8de-38992a6f
f858'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 20 Jul 2023 02:45:58 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt0
7-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfe
did","name":"yztestfedid","type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials","propert
ies":{"issuer":"https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b
08af4d/\r","subject":"system:serviceaccount:image-mgmt:image-mgmt-controller-manager","audiences":["api://AzureADTokenExc
hange"]}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03DF0C88>, <function _x5
09_from_base64_to_hex_transform at 0x03DF0CD0>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"audiences": [
"api://AzureADTokenExchange"
],
"id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
"name": "yztestfedid",
"resourceGroup": "yz-image-mgmt07-rg",
"subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
"systemData": null,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03DCB580>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.519 seconds (init: 0.688, invoke: 1.831)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3378 in cache
telemetry.check: Negative: The C:\Users\wangya.azure\telemetry.txt was modified at 2023-07-19 19:43:05.626410, which in
less than 600.000000 s
Expected behavior
do not insert \r into oidcUrl
Environment Summary
az --version azure-cli 2.50.0
core 2.50.0 telemetry 1.0.8
Dependencies: msal 1.22.0 azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\wangya.azure\cliextensions'
Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response