Azure / azure-cli

Azure Command-Line Interface
MIT License

Authentication with user managed identity fails / hardcoded APIPA ip-address #29047

Open amazingdragi opened 1 month ago

amazingdragi commented 1 month ago

Describe the bug

I am trying to authenticate with a user managed identity and then subsequently upload some files to an Azure Storage account. However, the login fails due to hardcoded APIPA IP addresses in the request, as can be seen in the error message.

Related command

az login --identity --username $userID --debug

Errors

cli.azure.cli.core.azclierror: MSI endpoint is not responding. Please make sure MSI is configured correctly. Error detail: MSI: Failed to acquire tokens after 12 times
az_command_data_logger: MSI endpoint is not responding. Please make sure MSI is configured correctly. Error detail: MSI: Failed to acquire tokens after 12 times
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000002344B066160>]

Issue script & Debug output

msrestazure.azure_active_directory: MSI: wait: 0.1s and retry: 1
urllib3.connectionpool: Starting new HTTP connection (1): localhost:8888
urllib3.connectionpool: http://localhost:8888 "GET http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01&msi_res_id=%2Fsubscriptions%2FSubscriptionID%2Fresourcegroups%2FRG-123%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2FManagedID HTTP/1.1" 504 None
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01', 'msi_res_id': '/subscriptions/SubscriptionID/resourcegroups/RG-123/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ManagedID'}

Expected behavior

Login successful with an auth token as output

Environment Summary

azure-cli 2.55.0

core 2.55.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\Bxxxxxx.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Unable to check if your CLI is up-to-date. Check your internet connection.

Additional context

The same issue applies to azcopy login --identity
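
In the debug output above, urllib3 opens its connection to localhost:8888 and sends the 169.254.169.254 URL as the request target, which then returns 504. The following is an added example (not from the issue or from Azure CLI) that flags that pattern in `--debug` logs and checks whether proxy environment variables exempt the metadata address; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"

# urllib3 debug line: <scheme>://<peer host>:<port> "<METHOD> <target> HTTP/x.y" <status> <length>
_REQ = re.compile(
    r'urllib3\.connectionpool: https?://(?P<host>[^:/\s]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: the first line is shortened from the issue's output,
# the second is a hypothetical direct (non-proxied) request for contrast.
SAMPLE_LOG = """\
urllib3.connectionpool: http://localhost:8888 "GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01 HTTP/1.1" 504 None
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?api-version=2018-02-01 HTTP/1.1" 200 1753
"""


def find_proxied_imds_requests(log_text):
    """Return metadata-endpoint requests whose TCP peer was not the endpoint itself."""
    findings = []
    for m in _REQ.finditer(log_text):
        target = urlsplit(m["target"])
        # An absolute URI as the request target means the request was sent
        # proxy-style; a direct request carries only the path.
        if target.hostname == IMDS_HOST and m["host"] != IMDS_HOST:
            findings.append({
                "peer": f'{m["host"]}:{m["port"]}',
                "status": int(m["status"]),
                "path": target.path,
            })
    return findings


def imds_bypasses_proxy(env):
    """True if no HTTP proxy is set, or NO_PROXY lists the metadata address.

    Only exact-address entries are checked here; CIDR entries are not evaluated.
    """
    proxy = env.get("HTTP_PROXY") or env.get("http_proxy")
    no_proxy = env.get("NO_PROXY") or env.get("no_proxy") or ""
    entries = {e.strip() for e in no_proxy.split(",") if e.strip()}
    return not proxy or IMDS_HOST in entries


if __name__ == "__main__":
    import os
    print(find_proxied_imds_requests(SAMPLE_LOG))
    print("IMDS exempt from proxy:", imds_bypasses_proxy(os.environ))
```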

azure-client-tools-bot-prd[bot] commented 1 month ago

Hi @amazingdragi,

2.55.0 is not the latest Azure CLI (2.61.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 month ago

Thank you for opening this issue, we will look into it.

jiasli commented 1 month ago

Which type of resource (VM, App Service, Azure Functions, ...) is this user assigned managed identity assigned to? It is possible this is an unsupported resource. See https://github.com/Azure/azure-cli/issues/25860