[BUG] Audience https://containerregistry.azure.net is not a supported MSI token audience #484

Open
tkishel opened this issue Sep 6, 2024 · 1 comment
Labels
bug Something isn't working Priority 2

tkishel commented Sep 6, 2024

To Reproduce

Using the Azure Python SDK, this succeeds locally, but fails in CloudShell:

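from azure.identity import DefaultAzureCredential
from azure.mgmt.containerregistry import ContainerRegistryManagementClient
# Assumed source of AZURE_PUBLIC_CLOUD; the issue does not show this import
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

subscription_id = "<subscription-id>"  # placeholder: set to your subscription ID

# In Cloud Shell the credential chain reaches CloudShellCredential / ManagedIdentityCredential
azure_credential = DefaultAzureCredential()
azure_base_url = AZURE_PUBLIC_CLOUD.endpoints.resource_manager
azure_credential_scopes = [AZURE_PUBLIC_CLOUD.endpoints.resource_manager + '.default']

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

registries = registry_management_client.registries.list()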

Observed Behavior

CloudShellCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience. Code: AudienceNotSupported Message: Audience https://containerregistry.azure.net is not a supported MSI token audience. ManagedIdentityCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience. Code: AudienceNotSupported

Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.

Assuming because the SDK eventually calls:

curl http://localhost:50342/oauth2/token --data "resource=https://containerregistry.azure.net/" -H Metadata:true -s

{"error":{"code":"AudienceNotSupported","message":"Audience https://containerregistry.azure.net/ is not a supported MSI token audience."}}

Expected behavior

These methods should succeed in CloudShell as well as locally:

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

registries = registry_management_client.registries.list()

Is this specific to Cloud Shell?

Yes, the same code succeeds locally.

Interface information

Accessing Cloud Shell via https://portal.azure.com
Chrome Version 128.0.6613.120 (Official Build) (arm64) OSK

Additional context

Similar to: #109

@tkishel tkishel added bug Something isn't working Triage-needed Triage needed by Cloud Shell team labels Sep 6, 2024
@tkishel tkishel changed the title [BUG] [BUG] Audience https://containerregistry.azure.net is not a supported MSI token audience Sep 6, 2024
mbifeld (Member) commented Sep 10, 2024

Looks like Cloud Shell is missing the specific MSI token needed here. Will be looking at designs that cover this and other MSI token issues. Thank you for reporting this bug.

@mbifeld mbifeld added Priority 2 and removed Triage-needed Triage needed by Cloud Shell team labels Sep 10, 2024
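
The curl probe from the issue, generalized to a list of audiences, as an added example that is not part of the original issue or the Cloud Shell project's code. It reports which audiences the local token endpoint accepts without ever printing a token; `classify`, `fetch`, `probe` and `SAMPLE` are names chosen here, and the success body in `SAMPLE` is constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and Metadata header come from the curl command quoted in the issue.
MSI_ENDPOINT = "http://localhost:50342/oauth2/token"

def classify(body):
    """Map a token-endpoint response body to a status; never returns the token."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable"
    if not isinstance(doc, dict):
        return "unparseable"
    err = doc.get("error")
    if isinstance(err, dict):
        code = err.get("code", "unknown")
        return "audience_not_supported" if code == "AudienceNotSupported" else "error:" + str(code)
    return "ok" if doc.get("access_token") else "unparseable"

def fetch(resource, timeout=5):
    """POST resource=<audience> to the local endpoint and return the raw body."""
    data = urllib.parse.urlencode({"resource": resource}).encode()
    req = urllib.request.Request(MSI_ENDPOINT, data=data, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.read().decode()  # an error body may arrive with a non-2xx status

def probe(resources, fetch_fn=fetch):
    """Return {audience: status} for each requested audience."""
    return {r: classify(fetch_fn(r)) for r in resources}

# Constructed sample bodies for an offline run: the error is the one shown in
# the issue; the success body is a made-up shape with a placeholder token.
SAMPLE = {
    "https://containerregistry.azure.net/": '{"error":{"code":"AudienceNotSupported","message":"Audience https://containerregistry.azure.net/ is not a supported MSI token audience."}}',
    "https://management.azure.com/": '{"access_token":"PLACEHOLDER","token_type":"Bearer"}',
}

if __name__ == "__main__":
    # Offline demo; inside Cloud Shell, call probe(list_of_audiences) instead.
    for audience, status in probe(SAMPLE, SAMPLE.__getitem__).items():
        print(f"{status:24} {audience}")
```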