Issue with Managed Identity on Azure Container App: requests.exceptions.HTTPError: 405 Client Error: Method Not Allowed for url: http://localhost:42356/msi/token

[kabal2010]

Related command
az login --identity --debug

Describe the bug
Executing the above command from Azure Container App yields the error below

cli.knack.cli: Command arguments: ['login', '--identity', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fed4c163310>, <function OutputProducer.on_global_arguments at 0x7fed4c077d30>, <function CLIQuery.on_global_arguments at 0x7fed4c00e310>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         9
cli.azure.cli.core: Total (1)                 0.001         2         9
cli.azure.cli.core: Loaded 2 groups, 9 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fed4b215430>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/root/.azure/commands/2023-04-21.11-32-57.login.1197.log'.
az_command_data_logger: command args: login --identity --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fed4b1c3040>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fed4b1e81f0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fed4b175f70>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fed4c077dc0>, <function CLIQuery.handle_query_parameter at 0x7fed4c00e3a0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fed4b175ee0>]
urllib3.connectionpool: Starting new HTTP connection (1): localhost:42356
urllib3.connectionpool: http://localhost:42356 "POST /msi/token HTTP/1.1" 405 0
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:42356/msi/token, with payload {'resource': 'https://management.core.windows.net/'}
msrestazure.azure_active_directory: MSI: Failed to retrieve a token from 'http://localhost:42356/msi/token' with an error of '405 Client Error: Method Not Allowed for url: http://localhost:42356/msi/token'. This could be caused by the MSI extension not yet fully provisioned.
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication: 
Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 953, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 405 Client Error: Method Not Allowed for url: http://localhost:42356/msi/token

cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
    super().set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
    result.raise_for_status()
  File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 953, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 405 Client Error: Method Not Allowed for url: http://localhost:42356/msi/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 87, in set_token
    .format(err.response.status, err.response.reason))
AttributeError: 'Response' object has no attribute 'status'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/profile/custom.py", line 122, in login
    return profile.login_with_managed_identity(username, allow_no_subscriptions)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/_profile.py", line 234, in login_with_managed_identity
    msi_creds = MSIAuthenticationWrapper(resource=resource)
  File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
    self.set_token()
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 89, in set_token
    raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [405]>

cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [405]>
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [405]>

To Reproduce

• Create an Azure Container App with managed identity assigned
• Execute the command az login --identity --debug

Expected behavior
Authentication should work successfully to Azure

Environment summary

azure-cli                         2.47.0
core                              2.47.0
telemetry                          1.0.8

Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

Python location '/usr/bin/python3.9'
Extensions directory '/root/.azure/cliextensions'
Python (Linux) 3.9.14 (main, Jan  9 2023, 00:00:00) 
[GCC 11.3.1 20220421 (Red Hat 11.3.1-2)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context
None

[yonzhan]

Thank you for opening this issue, we will look into it.

[kabal2010]

Can I please ask if there has been any update on this?

[jiasli]

Duplicate of #22677