Skip to content

[Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server#29187

Merged
jiasli merged 1 commit intoAzure:devfrom
jiasli:mi-arc
Nov 6, 2024
Merged

[Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server#29187
jiasli merged 1 commit intoAzure:devfrom
jiasli:mi-arc

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Jun 17, 2024
edited
Loading

Related command
az login --identity

Description

This is only a temporary solution.

If Azure Arc is detected, Azure CLI uses MSAL for managed identity authentication. For other platforms, such as VM and App Service, the existing logic is preserved. These platforms' migration will be done in #25959.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jun 17, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dla
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️kusto
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jun 17, 2024

Hi @jiasli,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jun 17, 2024
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Jun 17, 2024
edited
Loading

Support managed identity on Azure Arc

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Jun 17, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Account az login/account Core CLI core infrastructure labels Jun 17, 2024
jiasli
jiasli commented Jun 17, 2024
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py Outdated
Comment on lines 920 to 965
def _on_azure_arc():
return "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ
Copy link
Member Author

@jiasli jiasli Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The detection condition is borrowed from MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/480/files#diff-24c0727ff4626c6c535d05c13b61fa4b4a47d6fc4496ec0ceadc734191de19cbR367

However, as mentioned in AzureAD/microsoft-authentication-library-for-python#480 (comment), it is fragile.

@jiasli
Copy link
Member Author

jiasli commented Jun 17, 2024

As mentioned in MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/480/files#diff-24c0727ff4626c6c535d05c13b61fa4b4a47d6fc4496ec0ceadc734191de19cbR367-R378

Azure Arc supports only system-assigned managed identity

@jiasli jiasli mentioned this pull request Jun 24, 2024
Merged
evelyn-ys
evelyn-ys previously approved these changes Jul 23, 2024
View reviewed changes
@jiasli jiasli mentioned this pull request Aug 1, 2024
Merged
jiasli
jiasli commented Aug 30, 2024
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py Outdated
Comment on lines 921 to 924
# Azure Arc
if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
logger.debug("Azure Arc detected")
return True
Copy link
Member Author

@jiasli jiasli Aug 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These env vars may not be present on Linux servers, so MSAL introduced a new detection method: AzureAD/microsoft-authentication-library-for-python#731.

After a new MSAL is released, we should switch to _get_arc_endpoint.

Copy link
Member

@evelyn-ys evelyn-ys Oct 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we update to use _get_arc_endpoint now since new MSAL has been released for some time

Copy link
Member Author

@jiasli jiasli Oct 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

msal.managed_identity._get_arc_endpoint is a protected method. I have switched to msal.managed_identity.get_managed_identity_source.

@jiasli jiasli mentioned this pull request Sep 9, 2024
Merged
@richeney richeney mentioned this pull request Oct 29, 2024
Closed
@azure-pipelines
Copy link

azure-pipelines bot commented Oct 31, 2024

Azure Pipelines successfully started running 3 pipeline(s).

@jiasli jiasli marked this pull request as ready for review November 1, 2024 09:07
@jiasli jiasli changed the title [Core] PREVIEW: Support managed identity on Azure Arc [Core] PREVIEW: Support managed identity on Azure Arc-enabled Windows server Nov 4, 2024
@jiasli
Copy link
Member Author

jiasli commented Nov 5, 2024
edited
Loading

Use Azure VM's managed identity in local development

This method is inspired by https://msal-python.readthedocs.io/en/latest/#msal.ManagedIdentityClient

As Azure CLI still uses msrestazure, MSAL_MANAGED_IDENTITY_ENDPOINT won't work, so we need to change the request_uri in msrestazure.azure_active_directory._ImdsTokenProvider._retrieve_token_from_imds_with_retry to

        request_uri = 'http://localhost:8000/metadata/identity/oauth2/token'

Then create a port forwarding using the ssh command:

ssh -L 8000:169.254.169.254:80 azureuser@<vm_public_ip_address>

Now we can run some testing commands locally using the managed identity of the VM, without configuring Azure CLI's dev environment in the VM:

az login --identity
az group list
az account get-access-token

@jiasli jiasli merged commit d68ba44 into Azure:dev Nov 6, 2024
@jiasli jiasli deleted the mi-arc branch November 6, 2024 09:25
@jiasli jiasli mentioned this pull request Mar 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

@calvinhzy calvinhzy Awaiting requested review from calvinhzy

Assignees

@jiasli jiasli

Labels

Account az login/account Auto-Assign Auto assign by bot Core CLI core infrastructure

Projects

None yet

Milestone

November 2024 (2024-11-19)❗ Breaking ...

Development

Successfully merging this pull request may close these issues.

Support az login --identity for Azure Arc

4 participants

@jiasli @yonzhan @bebound @evelyn-ys