Closed rayluo closed 4 months ago
Currently the MSI support is in scope of Azure SDKs. Closing this for now.
As an Azure CLI developer, another scenario I would like to bring out is VM SSH, which requires getting a certificate through the `data` argument.
Azure Identity has explicitly dropped `data` (by removing `kwargs`) for user identities (https://github.com/Azure/azure-sdk-for-python/pull/16397). In order to implement VM SSH, Azure CLI has to
This of course introduces unnecessary duplication, as Azure CLI will have to work dual-stack-ly. If Azure CLI can get a certificate from MSAL, why can't it use the same flow to get an access token from MSAL?
After careful consideration, Azure CLI dropped Azure Identity and directly uses MSAL. Even for managed identity, Azure CLI will not use Azure Identity given there will be no `data` support in the future. (The Azure Identity for managed identity migration on beta has been reverted.)
The current libraries Azure CLI beta uses are
As msrestazure has been deprecated as well, Azure CLI must move away from msrestazure. Possible solutions:
Per How to use managed identities for Azure resources on an Azure VM to acquire an access token:

```http
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true
```
managed identity's endpoint has some limitations:

- It still only accepts `resource`, which is an ADAL concept. MSAL now uses `scopes`. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old `resource` interface.
- There is no `data` support. We are not sure what the future design would be to support getting a certificate for VM SSH.

Reference email: VM SSH with managed identity
By the way, the name "MSI" has been deprecated: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

> Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
@jiasli From what you posted about Managed Identity:

> managed identity's endpoint has some limitations:
> It still only accepts `resource`, which is an ADAL concept. MSAL now uses `scopes`. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old `resource` interface. There is no `data` support. We are not sure what the future design would be to support getting a certificate for VM SSH.

Are you implying that managed identity is using ADAL? Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?
> Are you implying that managed identity is using ADAL?

Actually, they are independent of each other. It was just that the Managed Identity protocol and the ADAL design happened to be created in around the same era, and therefore share some concepts.

> Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?

Neither ADAL Python nor MSAL Python supports Managed Identity. This issue remains open so that we can keep track of this feature requirement for MSAL Python.
@rayluo - is this not done?
Some resources below:

`resource` parameter, and the output `expires_in` is a string (rather than an integer). There is a pending work item to support AADv2.
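As an added example (not code from this thread, from MSAL Python, or from Azure CLI), here is a minimal Python client for the endpoint quoted above that maps an MSAL-style scope onto the ADAL-style `resource` the endpoint accepts, sends the mandatory `Metadata: true` header, and normalizes the string `expires_in` to an integer. The `<resource>/.default` scope convention and the injectable `transport` callable are assumptions of this example.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Endpoint, api-version and header exactly as quoted in the thread above.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def scope_to_resource(scope):
    """Map an MSAL-style scope to the ADAL-style `resource` the endpoint wants.
    Assumes MSAL's "<resource>/.default" convention; bare resources pass through."""
    return scope[: -len(".default")] if scope.endswith(".default") else scope


def build_token_request(scope):
    """Return (url, headers) for the GET request shown in the thread."""
    query = urlencode({"api-version": IMDS_API_VERSION,
                       "resource": scope_to_resource(scope)})
    # "Metadata: true" is mandatory; IMDS rejects requests without it, which
    # keeps a browser or naive forwarder from fetching tokens on the VM's behalf.
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def parse_token_response(body):
    """Normalize the IMDS JSON: expires_in arrives as a string, MSAL returns int."""
    raw = json.loads(body)
    return {"access_token": raw["access_token"],
            "token_type": raw.get("token_type", "Bearer"),
            "expires_in": int(raw["expires_in"]),
            "resource": raw.get("resource")}


def _urllib_transport(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def acquire_token(scope, transport=_urllib_transport):
    """Acquire a token for `scope`; `transport(url, headers) -> str` is injectable
    (an assumption of this example) so the flow can be exercised offline."""
    url, headers = build_token_request(scope)
    return parse_token_response(transport(url, headers))


# Constructed sample in the shape IMDS returns (expires_in is a string); not a real token.
SAMPLE_IMDS_RESPONSE = json.dumps({"access_token": "constructed.example.token",
                                   "expires_in": "3599", "token_type": "Bearer",
                                   "resource": "https://management.azure.com/"})
```

On a real VM, `acquire_token("https://management.azure.com/.default")` performs the GET against IMDS; passing `transport=lambda url, headers: SAMPLE_IMDS_RESPONSE` exercises the same parsing path offline.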