CloudShell
[BUG] Audience https://containerregistry.azure.net is not a supported MSI token audience
To Reproduce
Using the Azure Python SDK, this succeeds locally, but fails in CloudShell:
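from azure.identity import DefaultAzureCredential
from azure.mgmt.containerregistry import ContainerRegistryManagementClient
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD  # assumed source of AZURE_PUBLIC_CLOUD; the import is not shown in the report

subscription_id = "<subscription-id>"  # placeholder; the value is not shown in the report
azure_credential = DefaultAzureCredential()
azure_base_url = AZURE_PUBLIC_CLOUD.endpoints.resource_manager
azure_credential_scopes = [AZURE_PUBLIC_CLOUD.endpoints.resource_manager + '.default']
registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)
registries = registry_management_client.registries.list()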
Observed Behavior
CloudShellCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience.
Code: AudienceNotSupported
Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.
ManagedIdentityCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience.
Code: AudienceNotSupported
Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.
I assume this is because the SDK eventually calls:
curl http://localhost:50342/oauth2/token --data "resource=https://containerregistry.azure.net/" -H Metadata:true -s
{"error":{"code":"AudienceNotSupported","message":"Audience https://containerregistry.azure.net/ is not a supported MSI token audience."}}
Expected behavior
These methods should succeed in CloudShell as well as locally:
registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)
registries = registry_management_client.registries.list()
Is this specific to Cloud Shell?
Yes, the same code succeeds locally.
Interface information
Accessing Cloud Shell via https://portal.azure.com Chrome Version 128.0.6613.120 (Official Build) (arm64) OSK
Additional context
Similar to: https://github.com/Azure/CloudShell/issues/109
Looks like Cloud Shell is missing the specific MSI token needed here. Will be looking at designs that cover this and other MSI token issues. Thank you for reporting this bug.
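A diagnostic sketch for the curl call in the report above, added here as an example and not code from the reporter or the Cloud Shell project: it asks the local token endpoint for each audience and records the error code without ever copying a token into the result. The function names and the second sample audience are hypothetical, and the success-body field `access_token` is an assumption.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint taken from the curl command in the report.
TOKEN_ENDPOINT = "http://localhost:50342/oauth2/token"


def classify(body: str) -> dict:
    """Reduce a token-endpoint response body to a status record (no token kept)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "code": "Unparseable", "message": body[:200]}
    if not isinstance(doc, dict):
        return {"ok": False, "code": "Unexpected", "message": "body is not a JSON object"}
    err = doc.get("error")
    if isinstance(err, dict):
        return {"ok": False, "code": err.get("code"), "message": err.get("message")}
    # Assumption: a successful response carries an "access_token" field.
    if "access_token" in doc:
        return {"ok": True, "code": None, "message": None}
    return {"ok": False, "code": "Unexpected", "message": "no token or error field"}


def fetch(resource: str, timeout: float = 5.0) -> str:
    """POST resource=<audience> with the Metadata header, as the curl call does."""
    data = urllib.parse.urlencode({"resource": resource}).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.read().decode()  # the error JSON may arrive with a non-2xx status


def probe(resources, fetcher=fetch) -> dict:
    """Map each audience to its classified result; fetcher is injectable for offline use."""
    return {r: classify(fetcher(r)) for r in resources}


if __name__ == "__main__":
    audiences = ["https://containerregistry.azure.net/", "https://management.azure.com/"]
    for audience, result in probe(audiences).items():
        print(audience, result)
```

Run inside Cloud Shell, an audience that returns `AudienceNotSupported` here will fail the same way through `DefaultAzureCredential`.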