aztfmod / rover

The rover is a docker container in charge of the deployment of the Terraform platform engineering for Azure
MIT License

Rover fails to use MSI (Managed System Identity) when running in ACI (Azure Container Instance) #186

Closed Welasco closed 2 years ago

Welasco commented 3 years ago

Rover fails to use MSI (Managed System Identity) when running in ACI (Azure Container Instance). After enabling MSI in an ACI, rover is not able to authenticate. I tried in an Azure VM with MSI and it worked as expected.

The problem is related to this call in functions.sh (https://github.com/aztfmod/rover/blob/master/scripts/functions.sh) at line 627.

computerName=$(az rest --method get --headers Metadata=true --url http://169.254.169.254/metadata/instance?api-version=2020-09-01 | jq -r .compute.name)

It's trying to call IMDS (Azure Instance Metadata Service) to retrieve the ACI name, but it always fails with a 404 error. The reason might be related to the fact that ACI runs on top of K8s, and IMDS is not capable of returning the information like it does for a regular Azure VM.

This call was looking for the name of the ACI itself, which is also exposed in an environment variable by the ACI (K8s) platform: [screenshot]

I guess that one of those two variables could be used in an ACI environment instead of IMDS, just to grab the name of the ACI.

Here is the functions.sh code I'm referring to:

[screenshot of functions.sh]
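
A fallback of the kind described above, written as an added shell example (not rover's own code and not the fix the maintainers shipped): try IMDS first, treat the 404 as "not served here", and fall back to the variable ACI injects. `ACI_CONTAINER_NAME` is an assumed placeholder for whichever variable the screenshot shows, and `imds_get` / `IMDS_GET` are names chosen here so the IMDS call can be swapped out when testing.

```shell
#!/usr/bin/env bash
# Added example (not rover's code): resolve the compute name with IMDS first,
# falling back to an environment variable when IMDS is not served (ACI answers
# the instance query with HTTP 404).

# Real IMDS query. --fail turns the 404 into a non-zero exit; the timeouts keep
# the call from hanging where 169.254.169.254 is unreachable.
imds_get() {
  curl -sS --fail --connect-timeout 2 --max-time 5 -H 'Metadata: true' "$1"
}

# Prints the compute name, or prints nothing and exits non-zero.
# IMDS_GET may be set to another command name (used in tests).
imds_compute_name() {
  local body
  body=$("${IMDS_GET:-imds_get}" \
    'http://169.254.169.254/metadata/instance?api-version=2020-09-01') || return 1
  # -e makes jq exit non-zero when .compute.name is null or missing
  printf '%s\n' "$body" | jq -er '.compute.name'
}

# Order of preference: IMDS, then the variable ACI injects into the container.
# ACI_CONTAINER_NAME is an assumed placeholder; substitute the real variable.
resolve_compute_name() {
  local name
  if name=$(imds_compute_name 2>/dev/null) && [ -n "$name" ]; then
    printf '%s\n' "$name"
    return 0
  fi
  if [ -n "${ACI_CONTAINER_NAME:-}" ]; then
    printf '%s\n' "$ACI_CONTAINER_NAME"
    return 0
  fi
  echo 'compute name unavailable: IMDS failed and ACI_CONTAINER_NAME is unset' >&2
  return 1
}
```

The explicit error on the last branch matters: with the original one-liner a 404 silently yields an empty `computerName`, which only surfaces later as a confusing authentication failure.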

pmatthews05 commented 3 years ago

I'm also interested in this, currently working through using a Service Principal, but will be using MSI within pipelines.

I would also like to question whether TF_VAR_logged_user_objectId should actually be set with an MSI; surely it should be TF_VAR_logged_aad_app_objectId?

LaurentLesle commented 3 years ago

@Welasco, you are correct, this is running on top of k8s. I will update the example we used to get the system MSI working with the rover.

arnaudlh commented 2 years ago

@Welasco, are you using ACI with a public IP or a VNET? It feels very much like this: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#limitations