microsoft / azure-pipelines-tasks-common-packages

MIT License

Managed Identity Service Connection Not Supported in All Agent Runtime Environments #328

Open lsuarez5280 opened 4 weeks ago

lsuarez5280 commented 4 weeks ago

The following code in azure-arm-common.ts:357-361 is dated and too prescriptive, resulting in a failure to leverage Managed Identity in Azure Container Apps hosting my Azure Pipelines agents:

// Hard-coded IMDS token endpoint, pinned to the 2018-02-01 API version
let apiVersion = "2018-02-01";
webRequest.uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=" + apiVersion + "&resource=" + resourceId;
webRequest.headers = {
    "Metadata": true
};

The current code results in the following debug output after two minutes from a pipeline using the AzureWebApp@1 task.

2024-06-16T10:07:46.2198904Z Got service connection details for Azure App Service:'[redacted]'
2024-06-16T10:07:46.2199146Z ##[debug]MSAL - getMSALToken called. force=undefined
2024-06-16T10:07:46.2199319Z ##[debug]agent.proxyurl=undefined
2024-06-16T10:07:46.2199492Z ##[debug]agent.proxybypasslist=undefined
2024-06-16T10:07:46.2199705Z ##[debug][Sun, 16 Jun 2024 10:07:43 GMT] : @azure/msal-node@1.14.5 : Info - acquireTokenByClientCredential called
2024-06-16T10:07:46.2199986Z ##[debug][Sun, 16 Jun 2024 10:07:44 GMT] : [a3cbad3d-90fb-452e-bac8-76e65feb7c77] : @azure/msal-common@9.1.1 : Info - Using appTokenProvider extensibility.
2024-06-16T10:07:46.2200221Z ##[debug]MSAL - ManagedIdentity is used.
2024-06-16T10:07:46.2200389Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined
2024-06-16T10:07:46.2200610Z ##[debug][GET]http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
2024-06-16T10:07:46.7059248Z ##[debug]Agent environment resources - Disk: / Available 10771.00 MB out of 20064.00 MB, Memory: Used 1434.00 MB out of 2667.00 MB, CPU: Usage 13.57%
2024-06-16T10:07:51.7054738Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1448.00 MB out of 2667.00 MB, CPU: Usage 12.94%
2024-06-16T10:07:56.7060122Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1451.00 MB out of 2667.00 MB, CPU: Usage 11.26%
...
2024-06-16T10:09:53.9885966Z ##[debug]Encountered a retriable error:ETIMEDOUT. Message: connect ETIMEDOUT 169.254.169.254:80.

As an example, the following is the constructed URL for obtaining MSI tokens based on the runtime environment of one replica of my agents.

http://localhost:42356/msi/token?api-version=2019-08-01&resource=https://management.azure.com

See an image capture from an example bash console session below:

[image: bash console session showing the IDENTITY_ENDPOINT-based token request]

I would suggest a backwards-compatible rewrite of the code to the following to leverage a more recent MSI API:

// Hosts such as Azure Container Apps inject both variables; otherwise fall back to IMDS
const useMsi2019 = process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER;
const apiVersion = useMsi2019 ? "2019-08-01" : "2018-02-01";
const tokenEndpoint = useMsi2019 ? process.env.IDENTITY_ENDPOINT : "http://169.254.169.254/metadata/identity/oauth2/token";
webRequest.uri = `${tokenEndpoint}?api-version=${apiVersion}&resource=${resourceId}`;

// Required by IMDS; the 2019-08-01 endpoint does not need it but accepts it
webRequest.headers = {
    "Metadata": true
};

if (useMsi2019) {
    // The 2019-08-01 endpoint authenticates the caller with the injected secret header
    webRequest.headers["X-Identity-Header"] = process.env.IDENTITY_HEADER;
}

If this repository is accepting contributions, please tag me if desired and I'll submit a pull request with this information.
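The endpoint selection the issue proposes, written out as an added example (not code from azure-pipelines-tasks-common-packages and not the reporter's pull request). It takes the environment as an explicit object so both branches can be exercised offline; the `localhost:42356` endpoint comes from the issue's captured URL, while the `IDENTITY_HEADER` value and the helper names `buildManagedIdentityTokenRequest`, `isLoopbackIdentityEndpoint` and `describeTokenRequest` are constructed for this example. It also shows the two things a reviewer would want around the proposal: only switching when both variables are present, and keeping the identity header value out of debug output, since the task already logs the full token URL.

```typescript
// Added example for this issue thread, not code from
// azure-pipelines-tasks-common-packages. Builds the managed identity token
// request from an explicit environment object (constructed in the demo below).

interface TokenRequest {
  uri: string;
  headers: Record<string, string>;
}

// Only the two variables the issue keys on matter; anything else is ignored.
type AgentEnv = Record<string, string | undefined>;

// IMDS endpoint used by the current code: only reachable from Azure VMs / VMSS.
const IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";
const IMDS_API_VERSION = "2018-02-01";
// Hosts that inject IDENTITY_ENDPOINT / IDENTITY_HEADER (App Service, Container
// Apps) use the 2019-08-01 contract, as in the issue's captured URL.
const IDENTITY_ENDPOINT_API_VERSION = "2019-08-01";

// Both variables must be present; one without the other falls back to IMDS.
function usesIdentityEndpoint(env: AgentEnv): boolean {
  return Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
}

function buildManagedIdentityTokenRequest(resourceId: string, env: AgentEnv): TokenRequest {
  const viaIdentityEndpoint = usesIdentityEndpoint(env);
  const endpoint = viaIdentityEndpoint ? (env.IDENTITY_ENDPOINT as string) : IMDS_TOKEN_ENDPOINT;
  const apiVersion = viaIdentityEndpoint ? IDENTITY_ENDPOINT_API_VERSION : IMDS_API_VERSION;
  // The resource is URL-encoded here; the issue's snippet concatenates it raw,
  // which IMDS tolerates, but encoding keeps the query unambiguous.
  const query = `api-version=${apiVersion}&resource=${encodeURIComponent(resourceId)}`;
  const headers: Record<string, string> = { Metadata: "true" };
  if (viaIdentityEndpoint) {
    // IDENTITY_HEADER is a per-host secret proving the caller runs inside the
    // container; it belongs only in this header, never in a log line.
    headers["X-IDENTITY-HEADER"] = env.IDENTITY_HEADER as string;
  }
  return { uri: `${endpoint}?${query}`, headers };
}

// True when the host part of the endpoint is loopback, which is what the
// platform-injected endpoints look like (localhost:42356 in the issue).
function isLoopbackIdentityEndpoint(endpoint: string): boolean {
  const match = /^https?:\/\/(\[[^\]]+\]|[^/:?#]+)/i.exec(endpoint);
  if (!match) return false;
  const host = match[1].toLowerCase();
  return host === "localhost" || host === "127.0.0.1" || host === "[::1]";
}

// Log-safe rendering: header names are kept, the identity header value is not.
function describeTokenRequest(req: TokenRequest): string {
  const headerText = Object.keys(req.headers)
    .map((name) =>
      name.toUpperCase() === "X-IDENTITY-HEADER"
        ? `${name}: [redacted]`
        : `${name}: ${req.headers[name]}`
    )
    .join(", ");
  return `[GET] ${req.uri} headers={${headerText}}`;
}

// Demo with constructed environments (values are not from any real host).
const demoResource = "https://management.azure.com/";
const demoVmEnv: AgentEnv = {};
const demoContainerAppEnv: AgentEnv = {
  IDENTITY_ENDPOINT: "http://localhost:42356/msi/token",
  IDENTITY_HEADER: "constructed-secret-value",
};
console.log(describeTokenRequest(buildManagedIdentityTokenRequest(demoResource, demoVmEnv)));
console.log(describeTokenRequest(buildManagedIdentityTokenRequest(demoResource, demoContainerAppEnv)));
console.log("loopback endpoint:", isLoopbackIdentityEndpoint(demoContainerAppEnv.IDENTITY_ENDPOINT as string));
```

The loopback check is informational rather than enforced: every platform-injected endpoint seen in practice is loopback, but the authoritative source for the address is the environment, so a mismatch is something to surface in diagnostics, not a reason to rewrite the address.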

lsuarez5280 commented 1 week ago

Could someone on the team clarify whether this issue and its pull request will be considered? The current radio silence doesn't give me any expectation as to whether monitoring this report is worth my effort. I've been keeping the pull request in sync with the latest from main for two and a half weeks now.

If the report and fix will be considered or there are any requests for modified code or test cases (aside from merging what I hope is a pending build fix for failures on main), I'm happy to be patient about it or submit additional commits, but please at least let me know what to expect.

While I debated internally if I should do this, I'm tagging you all in the hopes anyone at all actively contributing here will have some feedback: @manolerazvan @embetten @cormacpayne @DenisNikulin5 @LeftTwixWand @starkmsu @ismayilov-ismayil @DmitriiBobreshev @kirill-ivlev @DergachevE @onetocny @aleksandrlevochkin @vmapetr

ataverascrespo commented 1 day ago

@lsuarez5280 Unfortunately it doesn't seem like many external PRs get approved or even looked at in this repo. Been doing the same for my own PR since beginning of April

lsuarez5280 commented 1 day ago

Thanks @ataverascrespo. Quite a way to run an open source project...