Azure / azure-storage-azcopy

The new Azure Storage data transfer utility - AzCopy v10
MIT License

azcopy login --identity fails on AzureML compute instances with user defined managed identity #2027

Open juergstaub opened 1 year ago

juergstaub commented 1 year ago

Which version of the AzCopy was used?

10.16.2

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

azcopy login --identity

What problem was encountered?

azcopy login --identity returns the following error:

Failed to perform login command: failed to get token from msi, status code: 400

How can we reproduce the problem in the simplest way?

  1. Create an Azure Machine Learning Workspace
  2. Create a user-defined managed identity
  3. Create a Linux Compute Instance in Machine Learning Studio and assign the managed identity
  4. Once created, click on terminal
  5. Type: azcopy login --identity

Have you found a mitigation/solution?

No

The same command works fine on normal Azure VMs with the same user-defined managed identity

nakulkar-msft commented 1 year ago

Hi @juergstaub, have you tried using the --identity-client-id / --identity-object-id parameter? Also, we would recommend that you use auto-login instead of the login command.

juergstaub commented 1 year ago

Yes, I did try to use -identity-client-id with no success. I will try auto-login and comment.

juergstaub commented 1 year ago

I tried auto-login with AZCOPY_MSI_OBJECT_ID and AZCOPY_MSI_CLIENT_ID with no success; the error message for the command

azcopy list https://<mysta>.blob.core.windows.net

is:

INFO: Authenticating to source using Azure AD

failed to obtain credential info: no cached token found, please log in with azcopy's login command, required key not available

nakulkar-msft commented 1 year ago

Hi @juergstaub, have you set the environment variable AZCOPY_AUTO_LOGIN_TYPE? Also, please use the latest version.

juergstaub commented 1 year ago

$ printenv | grep AZCOPY
AZCOPY_MSI_CLIENT_ID=<MI_CLIENT_ID>
AZCOPY_AUTO_LOGIN_TYPE=MSI
$ azcopy --version
azcopy version 10.17.0
$ azcopy list https://<mysta>.blob.core.windows.net/

Failed to perform Auto-login: failed to get token from msi, status code: 400.

janmolemans commented 1 year ago

I have the same issue

cramseyio commented 1 year ago

I also have the same issue. I've tried following the instructions here: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory#authorize-by-using-a-user-assigned-managed-identity-1

Given these instructions, I've tried: setting AZCOPY_AUTO_LOGIN_TYPE=MSI along with each of AZCOPY_MSI_CLIENT_ID, AZCOPY_MSI_OBJECT_ID or AZCOPY_MSI_RESOURCE_STRING with the correct values.

All result in the same error:

Failed to perform login command: failed to get token from msi, status code: 400

gauravshegokar commented 10 months ago

Any updates on this? Has anyone been able to find a solution/workaround?

krelente commented 5 months ago

Try using the latest version 10.23.x and do the following:

$env:AZCOPY_AUTO_LOGIN_TYPE="MSI"
$env:AZCOPY_MSI_CLIENT_ID="XXXXXX"

(add this if you used a user-assigned managed identity; remove this if not)

and do your azcopy action.

This works for me.

gapra-msft commented 4 months ago

Hi all, please upgrade to the latest AzCopy version and perform the steps suggested above.

greadtm commented 2 months ago

I am experiencing the same issue. I have a user-assigned managed identity. I am attempting to auto-login with azcopy to access a storage account. The MI is a storage account blob contributor. Installed version of azcopy is 10.24.0. I execute:

$env:AZCOPY_AUTO_LOGIN_TYPE="MSI"
$env:AZCOPY_MSI_CLIENT_ID="XXXXXX"

where XXXXX is the clientID of the MI. When I run azcopy list I get:

Failed to perform Auto-login: ManagedIdentityCredential authentication failed GET http://169.254.169.254/metadata/identity/oauth2/token

RESPONSE 400 Bad Request

{ "error": "invalid_request", "error_description": "Identity not found"

I also tried:

azcopy login --identity --identity-client-id "ClientID"

Same error.

Any ideas on how to solve?
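
The last error message shows the 400 being returned by the token endpoint at 169.254.169.254, so that endpoint can be queried directly from the compute instance terminal to see its answer outside AzCopy. The script below is an added example, not part of the thread or of AzCopy: it builds a token request from the AZCOPY_MSI_* variables mentioned above and classifies the reply without printing the bearer token. The api-version value, the Storage resource audience, the selector precedence and the verdict names are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not AzCopy code): query the managed-identity token endpoint
# named in the error above and report its verdict without printing the token.

IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE="https://storage.azure.com/"  # assumption: Storage audience

# Build the request URL from the AZCOPY_MSI_* variables used in the thread.
# Precedence (client id, object id, resource id) is this script's own choice;
# with none set, no identity selector is sent.
build_token_url() {
    url="${IMDS_TOKEN_URL}?api-version=2018-02-01&resource=${STORAGE_RESOURCE}"
    if [ -n "${AZCOPY_MSI_CLIENT_ID:-}" ]; then
        url="${url}&client_id=${AZCOPY_MSI_CLIENT_ID}"
    elif [ -n "${AZCOPY_MSI_OBJECT_ID:-}" ]; then
        url="${url}&object_id=${AZCOPY_MSI_OBJECT_ID}"
    elif [ -n "${AZCOPY_MSI_RESOURCE_STRING:-}" ]; then
        url="${url}&msi_res_id=${AZCOPY_MSI_RESOURCE_STRING}"
    fi
    printf '%s\n' "$url"
}

# Map an HTTP status and response body to a short verdict (names are made up).
classify_response() {
    case "$1" in
        200) case "$2" in
                 *'"access_token"'*) echo "token-issued" ;;
                 *) echo "unexpected-200" ;;
             esac ;;
        400) case "$2" in
                 *"Identity not found"*) echo "identity-not-found" ;;
                 *) echo "bad-request" ;;
             esac ;;
        000) echo "endpoint-unreachable" ;;
        *) echo "http-$1" ;;
    esac
}

# Send the request; the body stays in a temp file and is never echoed.
probe() {
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 5 \
        -H 'Metadata: true' "$(build_token_url)") || true
    classify_response "$status" "$(cat "$tmp")"
    rm -f "$tmp"
}

# Run the live check only when asked: sh probe.sh --probe
if [ "${1:-}" = "--probe" ]; then probe; fi
```

A verdict of identity-not-found from this script means the endpoint itself rejects the selector, independent of the AzCopy version in use.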