Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server #29187

Merged
merged 1 commit into from
Nov 6, 2024
Merged

[Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server #29187

merged 1 commit into from
Nov 6, 2024

Conversation

jiasli
Copy link
Member

@jiasli jiasli commented Jun 17, 2024
edited
Loading

Related command
az login --identity

Description

This is only a temporary solution.

If Azure Arc is detected, Azure CLI uses MSAL for managed identity authentication. For other platforms, such as VM and App Service, the existing logic is preserved. These platforms' migration will be done in #25959.

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jun 17, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dla
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️kusto
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

Hi @jiasli,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jun 17, 2024
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Jun 17, 2024
edited
Loading

Support managed identity on Azure Arc

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Jun 17, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Account az login/account Core CLI core infrastructure labels Jun 17, 2024
jiasli
jiasli commented Jun 17, 2024
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py Outdated
Comment on lines 920 to 965
def _on_azure_arc():
return "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ
Copy link
Member Author

@jiasli jiasli Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The detection condition is borrowed from MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/480/files#diff-24c0727ff4626c6c535d05c13b61fa4b4a47d6fc4496ec0ceadc734191de19cbR367

However, as mentioned in AzureAD/microsoft-authentication-library-for-python#480 (comment), it is fragile.

@jiasli
Copy link
Member Author

jiasli commented Jun 17, 2024

As mentioned in MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/480/files#diff-24c0727ff4626c6c535d05c13b61fa4b4a47d6fc4496ec0ceadc734191de19cbR367-R378

Azure Arc supports only system-assigned managed identity

@jiasli jiasli mentioned this pull request Jun 24, 2024
Merged
evelyn-ys
evelyn-ys previously approved these changes Jul 23, 2024
View reviewed changes
@jiasli jiasli mentioned this pull request Aug 1, 2024
Merged
jiasli
jiasli commented Aug 30, 2024
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py Outdated
Comment on lines 921 to 924
# Azure Arc
if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
logger.debug("Azure Arc detected")
return True
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These env vars may not be present on Linux servers, so MSAL introduced a new detection method: AzureAD/microsoft-authentication-library-for-python#731.

After a new MSAL is released, we should switch to _get_arc_endpoint.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we update to use _get_arc_endpoint now since new MSAL has been released for some time

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

msal.managed_identity._get_arc_endpoint is a protected method. I have switched to msal.managed_identity.get_managed_identity_source.

@jiasli jiasli mentioned this pull request Sep 9, 2024
Merged
@richeney richeney mentioned this pull request Oct 29, 2024
Closed
@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 3 pipeline(s).

@jiasli jiasli marked this pull request as ready for review November 1, 2024 09:07
@jiasli jiasli changed the title [Core] PREVIEW: Support managed identity on Azure Arc [Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server Nov 4, 2024
@jiasli
Copy link
Member Author

jiasli commented Nov 5, 2024
edited
Loading

Use Azure VM's managed identity in local development

This method is inspired by https://msal-python.readthedocs.io/en/latest/#msal.ManagedIdentityClient

As Azure CLI still uses msrestazure, MSAL_MANAGED_IDENTITY_ENDPOINT won't work, so we need to change the request_uri in msrestazure.azure_active_directory._ImdsTokenProvider._retrieve_token_from_imds_with_retry to

        request_uri = 'http://localhost:8000/metadata/identity/oauth2/token'

Then create a port forwarding using the ssh command:

ssh -L 8000:169.254.169.254:80 azureuser@<vm_public_ip_address>

Now we can run some testing commands locally using the managed identity of the VM, without configuring Azure CLI's dev environment in the VM:

az login --identity
az group list
az account get-access-token

@jiasli jiasli merged commit d68ba44 into Azure:dev Nov 6, 2024
52 checks passed
@jiasli jiasli deleted the mi-arc branch November 6, 2024 09:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

Assignees

@jiasli jiasli

Labels
Account az login/account Auto-Assign Auto assign by bot Core CLI core infrastructure
Projects
None yet
Milestone
November 2024 (2024-11-19)❗ Breaking ...
Development

Successfully merging this pull request may close these issues.

Support az login --identity for Azure Arc
4 participants
@jiasli @yonzhan @bebound @evelyn-ys