MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Way to access identity endpoint doesn't match running instance behavior #122273

Closed dario-ms closed 1 week ago

dario-ms commented 1 week ago

Container app with a managed identity exposes the identity endpoint by defining two environment variables:

IDENTITY_ENDPOINT - local URL from which your container app can request tokens.
IDENTITY_HEADER - a header used to help mitigate server-side request forgery (SSRF) attacks. The value is rotated by the platform.

But the IDENTITY_ENDPOINT variable is not present inside the container:

printenv | grep IDENTI
IDENTITY_API_VERSION=2020-05-01
IDENTITY_SERVER_THUMBPRINT=a6f221acd...6b3e2
IDENTITY_HEADER=xxxxxx

Also, looks like the auth endpoint that works is the regular metadata endpoint:

curl -H "Metadata: true" 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'
{"access_token":"xxxxxxxxxxxxxx"}
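The mismatch described above matters for any code that hard-codes one token source. The following POSIX shell helper is an added example (not from the issue or the Azure docs): it checks which variables the platform actually injected and builds the matching request, falling back to the IMDS endpoint and its `Metadata: true` header when `IDENTITY_ENDPOINT` is absent, as observed in the container above. The `X-IDENTITY-HEADER` name and the `2019-08-01` api-version used with the `IDENTITY_ENDPOINT` path are the App Service style values and are assumed here; `get_access_token` assumes `curl` and `sed` are available in the image.

```shell
#!/bin/sh
# Added example: choose the managed-identity token source from the
# environment instead of assuming IDENTITY_ENDPOINT is always present.

# Resource to request a token for (argument 1), default ARM.
_mi_resource() {
  printf '%s' "${1:-https://management.azure.com/}"
}

# URL of the token request for the environment we are running in.
identity_token_url() {
  resource="$(_mi_resource "$1")"
  if [ -n "${IDENTITY_ENDPOINT:-}" ] && [ -n "${IDENTITY_HEADER:-}" ]; then
    # Platform-injected endpoint (App Service / Container Apps style).
    # api-version 2019-08-01 is an assumption for this endpoint family.
    printf '%s?api-version=2019-08-01&resource=%s\n' "$IDENTITY_ENDPOINT" "$resource"
  else
    # IMDS: the only endpoint that answered in the container instance above.
    printf 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s\n' "$resource"
  fi
}

# Header that proves the request was built inside the instance. Both
# variants exist to stop SSRF: a proxy that forwards attacker-chosen
# requests cannot add them without deliberate code.
identity_token_header() {
  if [ -n "${IDENTITY_ENDPOINT:-}" ] && [ -n "${IDENTITY_HEADER:-}" ]; then
    # Header name is an assumption (App Service convention); value rotates.
    printf 'X-IDENTITY-HEADER: %s\n' "$IDENTITY_HEADER"
  else
    printf 'Metadata: true\n'
  fi
}

# Fetch a token and print only the access_token field (requires curl + sed).
get_access_token() {
  url="$(identity_token_url "$1")"
  hdr="$(identity_token_header)"
  curl -sS -H "$hdr" "$url" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}
```

Keep the token in a variable rather than a log line: `TOKEN="$(get_access_token)"`. The selection logic is the point, not the curl call; if your code only knows one of the two sources it will silently fail on the other platform, which is exactly what the issue reports.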


dario-ms commented 1 week ago

Mistakenly opened the issue on container apps instead of container instances.