Managed Identity for Azure VM, App Service, Service Fabric, etc.

[rayluo]

Note: This is a proof-of-concept, which means there is no guarantee that this behavior will be eventually included into MSAL Python.

There are two new APIs added.

• ~The high level API works for your confidential client which federated with a managed identity.~ This will be moved into a separated PR for its own consideration.

  import msal
  cca = msal.ConfidentialClientApplication(
     "my_client_id",
     client_credential=msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
     ...)
  result = cca.acquire_token_for_client(scopes["scope1", "scope2"])  # It uses scopes

• The low level API acquires token for managed identity

  import msal, requests
  mi = msal.ManagedIdentityClient(
     msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
     http_client=requests.Session(),  # This is a required parameter
     token_cache=msal.TokenCache(),  # Optional. In your production code, you shall persist a SerializableTokenCache https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache
  )
  result = mi.acquire_token_for_client(resource="resource_abc")  # It uses resource

More details of the new APIs are available here.

• In order to test this PR on Azure VM, you would need to:

  1. Create and then ssh into your Azure VM
  2. Install this proof-of-concept by pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@mi"
  3. Write your script using the calling pattern above.

• To test this on App Service

  1. Create your App Service with Python runtime
  2. SSH into your App Service
  3. Follow the last two steps of Azure VM test method

• To test this on Azure Functions

  1. We have not yet tested it end-to-end, but the Managed Identity in Azure Function is expected to be the same as App Service.

• To test this on Azure Automation (we have not tested this)

  1. Create your Automation account
  2. You will need to install msal package. But it seems Azure Automation only supports installing a package with its dependencies from PyPI. This PR is not currently available from PyPI, so, we are unable to test this.
  3. After step 2, you can create a new Python runbook and test the Managed Identity

• To test this on Service Fabric

  1. We have not yet tested this end-to-end, but you can reference to the test steps in Azure SDK

Note:

• At the end of this internal document, there are brief descriptions for the 6 variations of MIs.
• Cloud Shell's IMDS is NOT part of this PR, because we already provide a higher level API for it in https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/420.

Once merged, this PR will resolve #548. Also, it will officially close #487 as the callback is no longer needed.

[jiasli]

Cloud Shell is just one type of managed identity. Perhaps we should follow the same interface for Cloud Shell?

[bgavrilMS]

@rayluo - is this the "public preview" branch? Does MSI support include all 5 sources such as CloudShell and Azure ARC?

[bgavrilMS]

Do we have any feedback from Azure SDK / other customers? Is it ok to close on this?

[rayluo]

@rayluo - is this the "public preview" branch? Does MSI support include all 5 sources such as CloudShell and Azure ARC?

Yes.

Do we have any feedback from Azure SDK / other customers? Is it ok to close on this?

No feedback yet. There seems to be no partner in urgent need of this. We will keep an eye on this, while we are actively working on SLC.

[vmarcella]

@rayluo Are there any updates on when this will move out of public preview and into the official MSAL package?

[rayluo]

@rayluo Are there any updates on when this will move out of public preview and into the official MSAL package?

We are getting close. Some of our partner teams are testing it, as we speak. At least one needed improvement on Arc is identified.

You can also test/use it, and report your findings. @vmarcella

[AlmogBentz]

Hello @rayluo , it's been a long time do I understand correctly that this will push the ability to get creds from managed identity with MSAL? if so is there a timeline?

[bgavrilMS]

Hello @rayluo , it's been a long time do I understand correctly that this will push the ability to get creds from managed identity with MSAL? if so is there a timeline?

We aim to GA this by end of March @AlmogBentz, but it depends on testing etc. etc.

Note that Azure SDK (including the Python version) fully supports Managed Identity - https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python

[bgavrilMS]

@rayluo - for the higher level API bear in mind that:

• the api://tokenExchage magic string is different on other clouds :(
• we should get some consistency in all MSALs

I recommend you split the higher level API from the lower level one.

[arsdragonfly]

Is there an ETA for a new release with this feature?

[rayluo]

Is there an ETA for a new release with this feature?

@arsdragonfly , priorities may change, so we don't provide an ETA. You may go ahead to use this PR's feature branch as a preview (pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@mi"); and subscribe/watch this repo to receive its release notifications.

[jiasli]

Congratulations on MSAL's support for managed identity. I am sure our customers will benefit from this great new feature! 🎉

[yonzhan]

[heart] Yong Zhang reacted to your message:

---

From: Jiashuo Li @.> Sent: Monday, June 24, 2024 12:09:02 PM To: AzureAD/microsoft-authentication-library-for-python @.> Cc: Subscribed @.***> Subject: Re: [AzureAD/microsoft-authentication-library-for-python] Managed Identity for Azure VM, App Service, Service Fabric, etc. (PR #480)

Congratulations on MSAL's support for managed identity. I am sure our customers will benefit from this great new feature! 🎉

— Reply to this email directly, view it on GitHubhttps://github.com/AzureAD/microsoft-authentication-library-for-python/pull/480#issuecomment-2186426299, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AM4LM2CVUJ2OZR5RHJFHZBDZJAD55AVCNFSM5XVXKEA2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMJYGY2DENRSHE4Q. You are receiving this because you are subscribed to this thread.Message ID: @.***>