Support az login --identity for Azure Arc (#16573)

Comments
@jimdigriz We definitely need this. In the meantime, do you have any bash code that generates a valid token object in ~/.azure/accessTokens.json using the REST API? |
Using a managed identity with Arc enabled servers is supported by Azure Identity in Azure/azure-sdk-for-python#15020. The commit Azure/azure-sdk-for-python@d32f4b3 is released in azure-cli/src/azure-cli-core/setup.py Line 54 in aa456a2 which doesn't have this feature. We will release a new version of Azure CLI beta using |
⚠ Manipulating This approach will stop working immediately once you start using MSAL-based Azure CLI. |
@richeney Sorry no, I explored this and found the juice was not worth the squeeze; it quickly became apparent that tinkering with In the end I baked the logic into my application and moved on. Maybe you could slum it with a shell wrapper for cURL that then goes and calls |
Any hope of seeing this anytime soon? Just stumbled upon it and spent a while trying to understand why the environment variables were not overriding the 169.254* address (until it occurred to me to check on GitHub). |
Due to a recent reorganization, we have to delay the development of Azure Identity and MSAL integration. The rough ETA is the end of this year (2021-12-31), but it is not guaranteed. Thanks for understanding. |
is this something that could be sped up by merge request / contributions from the community? |
We plan to hire more people to contribute to this big project:) |
Quite strange to leave out the support for MSI on CLI for hybrid scenarios when one of the core benefits of Arc is that the resource gets a Managed Identity... Is there any workaround for this? |
@johlindr, here are some Bash commands for Linux that may help you. Needs jq installed and sudoers configured.

```bash
imds=$(curl -sSL -H Metadata:true "http://localhost:40342/metadata/instance?api-version=2020-06-01")
subscriptionId=$(jq -r .compute.subscriptionId <<< "$imds")
resourceGroupName=$(jq -r .compute.resourceGroupName <<< "$imds")

# Challenge token: the first request is answered with 401 and a Www-Authenticate
# header naming a root-readable key file; the file's contents are the challenge token
challengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]")
challengeToken=$(sudo cat "$challengeTokenPath")

# Resource token: repeat the request with the challenge token as Basic credentials
token=$(curl -s -H Metadata:true -H "Authorization: Basic $challengeToken" "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | jq -r .access_token)

# Example ARM REST API call
curl -sSL -X GET -H "Authorization: Bearer $token" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/resources?api-version=2020-06-01" | jq .
```

That last command will only work if the Managed Identity has an RBAC role assignment. Here is the command to get the ObjectId for the Managed Identity.

```bash
objectId=$(az connectedmachine show --name vmname --resource-group rgname --query identity.principalId --output tsv)
```

You can change the resource from management.azure.com to other resources / audiences to get tokens for other REST API endpoints, e.g. |
But am I able to use the CLI library functions using the access token manually retrieved for the MSI? We are using the "manual" approach already to perform certain tasks but need to onboard an Azure Arc Kubernetes cluster and am not sure I wish to do that with direct API calls. |
I'm not going to say anything that isn't already said above:
REST API calls it is! |
@richeney's comment is correct. This is currently the only way to call Azure APIs from Azure Arc servers. You may also specify the access token in
While we will implement |
Accidentally closed it, reopening now |
Any update on this? |
any update on that feature? |
I've provided more information in #24150 to explain the current status. |
Azure Arc's managed identity will be supported by MSAL (AzureAD/microsoft-authentication-library-for-python#480) and Azure CLI will migrate its managed identity authentication to MSAL (#25959). After these tasks are done, Azure CLI will support Azure Arc's managed identity, but currently there is no ETA. |
Please, are there any updates? I need to authorize to Azure from an Arc server. |
Hi |
Is your feature request related to a problem? Please describe.
For enrolled Azure Arc systems, `azure-cli` does not support pulling the local managed identity.

Describe the solution you'd like
`az login --identity` tests if running on an Azure instance and if not falls back to using the localhost challenge response endpoint `http://localhost:40342` provided by `/opt/azcmagent/bin/himds`. If azure-cli gets this functionality it means I can have my scripts call `az ...` directly and not have to treat Azure instances differently to on-premise kit; for example to access a shared keyvault or a workspace for logging and metrics.

Describe alternatives you've considered
I have to do the REST dance myself and spoof some credentials for the azure-cli via `~/.azure/{accessTokens,azureProfile}.json`.
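The challenge/response exchange that both richeney's Bash commands and the original request describe (an unauthenticated request to the local port-40342 token endpoint is answered with 401 and a Www-Authenticate header naming a root-readable key file; the client reads that file and retries with its contents as Basic credentials), written out as an added Python example that is not part of this thread or of azure-cli's code. The HTTP layer is injectable, so the flow runs offline against a constructed in-memory stand-in for the agent (`FakeHimds`); `urllib_transport`, the Linux token directory `/var/opt/azcmagent/tokens` used for the path check, and every function and value in the block are this example's own assumptions.

```python
"""Azure Arc HIMDS challenge/response token flow (added example, not azure-cli code)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

HIMDS_TOKEN_URL = "http://localhost:40342/metadata/identity/oauth2/token"
API_VERSION = "2019-11-01"
# Assumption: the Linux agent keeps its challenge key files under this directory.
TOKEN_DIR = "/var/opt/azcmagent/tokens"

# A transport takes (url, request headers) and returns (status, response headers, body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport for an Arc-enabled host; not exercised by the offline demo."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # the 401 challenge arrives here
        return err.code, dict(err.headers), err.read()


def parse_challenge(www_authenticate: str, token_dir: str = TOKEN_DIR) -> str:
    """Return the key-file path from 'Basic realm=<path>', rejecting paths outside token_dir."""
    scheme, _, params = www_authenticate.strip().partition(" ")  # strip() drops a trailing \r
    if scheme.lower() != "basic":
        raise ValueError(f"unexpected challenge scheme {scheme!r}")
    name, _, value = params.strip().partition("=")
    path = value.strip().strip('"')
    if name.strip().lower() != "realm" or not path:
        raise ValueError(f"malformed challenge {www_authenticate!r}")
    # Confine the privileged file read to the agent's own key files.
    path = os.path.normpath(path)
    if os.path.commonpath([path, token_dir]) != os.path.normpath(token_dir):
        raise ValueError(f"challenge path {path!r} is outside {token_dir}")
    return path


def get_arc_token(resource: str, transport: Transport = urllib_transport,
                  read_key_file: Callable[[str], str] = lambda p: open(p, encoding="utf-8").read()) -> dict:
    """Run the two-step exchange against HIMDS and return the decoded token response."""
    url = (f"{HIMDS_TOKEN_URL}?api-version={API_VERSION}"
           f"&resource={urllib.parse.quote(resource, safe='')}")
    # Step 1: unauthenticated request; the agent answers 401 with a Www-Authenticate challenge.
    status, hdrs, _ = transport(url, {"Metadata": "true"})
    if status != 401:
        raise RuntimeError(f"expected a 401 challenge from HIMDS, got HTTP {status}")
    challenge = next((v for k, v in hdrs.items() if k.lower() == "www-authenticate"), None)
    if challenge is None:
        raise RuntimeError("HIMDS 401 carried no Www-Authenticate header")
    key_path = parse_challenge(challenge)
    # Step 2: send the file contents verbatim after "Basic " (no extra base64 step, as in the thread's curl).
    secret = read_key_file(key_path).strip()
    status, _, body = transport(url, {"Metadata": "true", "Authorization": f"Basic {secret}"})
    if status != 200:
        raise RuntimeError(f"HIMDS rejected the challenge response with HTTP {status}")
    return json.loads(body)


class FakeHimds:
    """Constructed in-memory stand-in for the agent endpoint, used only to run the flow offline."""
    def __init__(self, key_path: str, secret: str, access_token: str):
        self.key_path, self.secret, self.access_token = key_path, secret, access_token
        self.requests: List[Dict[str, str]] = []  # headers of every request seen

    def __call__(self, url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        self.requests.append(dict(headers))
        if headers.get("Metadata") != "true":
            return 400, {}, b'{"error":"Metadata header required"}'
        if headers.get("Authorization") != f"Basic {self.secret}":
            return 401, {"Www-Authenticate": f"Basic realm={self.key_path}\r"}, b""
        resource = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["resource"][0]
        body = {"access_token": self.access_token, "resource": resource, "token_type": "Bearer"}
        return 200, {"Content-Type": "application/json"}, json.dumps(body).encode()

    def read_key_file(self, path: str) -> str:
        """Mimics `sudo cat <path>`: only the file the agent named exists."""
        if path != self.key_path:
            raise FileNotFoundError(path)
        return self.secret + "\n"


def demo() -> Tuple[dict, FakeHimds]:
    """Drive the flow against the fake agent with constructed values."""
    fake = FakeHimds(f"{TOKEN_DIR}/constructed-example.key", "constructed-secret", "constructed-token")
    result = get_arc_token("https://management.azure.com", transport=fake, read_key_file=fake.read_key_file)
    return result, fake
```

`demo()` returns the decoded token response and the fake agent, whose `requests` list shows the two messages the client sent: the first without credentials, the second carrying `Authorization: Basic <key file contents>`. One difference from the one-liner is deliberate: where the shell pipeline hands whatever path the header names straight to `sudo cat`, `parse_challenge` only accepts paths inside the agent's token directory, so the privileged read stays confined to the agent's own key files.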