az login --identity bad request to MSI #30416
Description
Describe the bug
I'm in the mcr.microsoft.com/azure-cli:2.63.0 container within an Azure VM with system managed identity set.
Within it I run az login --identity --debug, got this error and could not login.
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
Azure CLI 2.63.0 is the last version available on Alpine and will not receive updates. Consider migrating to the Azure Linux based image for Azure CLI. For more information: https://go.microsoft.com/fwlink/?linkid=228220
Related command
az login --identity --debug
Errors
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
Azure CLI 2.63.0 is the last version available on Alpine and will not receive updates. Consider migrating to the Azure Linux based image for Azure CLI. For more information: https://go.microsoft.com/fwlink/?linkid=228220
Issue script & Debug output
cli.knack.cli: Command arguments: ['login', '--identity', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f6a54043060>, <function OutputProducer.on_global_arguments at 0x7f6a53f3e7a0>, <function CLIQuery.on_global_arguments at 0x7f6a53ce02c0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.020 2 8
cli.azure.cli.core: Total (1) 0.020 2 8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f6a52ed4e00>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/root/.azure/commands/2024-11-26.08-06-22.login.47.log'.
az_command_data_logger: command args: login --identity --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f6a52eeeb60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f6a52ca1440>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f6a52ca1580>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f6a53f3e840>, <function CLIQuery.handle_query_parameter at 0x7f6a53ce0360>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f6a52ca14e0>]
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 400 68
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
token_entry = self._vm_msi.get_token(self.resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
token_entry = self._retrieve_token_from_imds_with_retry(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
token_entry = self._vm_msi.get_token(self.resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
token_entry = self._retrieve_token_from_imds_with_retry(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/command_modules/profile/custom.py", line 141, in login
return profile.login_with_managed_identity(username, allow_no_subscriptions)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 257, in login_with_managed_identity
msi_creds = MSIAuthenticationWrapper(resource=resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
self.set_token()
File "/usr/local/lib/python3.11/site-packages/azure/cli/core/auth/adal_authentication.py", line 85, in set_token
raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f6a52ed5080>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 2.968 seconds (init: 1.148, invoke: 1.820)
cli.__main__: Azure CLI 2.63.0 is the last version available on Alpine and will not receive updates. Consider migrating to the Azure Linux based image for Azure CLI. For more information: https://go.microsoft.com/fwlink/?linkid=2282203
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3580 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/local/bin/python /usr/local/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /root/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Should be able to log in.
Environment Summary
azure-cli 2.63.0 *
core 2.63.0 *
telemetry 1.1.0
Dependencies:
msal 1.30.0
azure-mgmt-resource 23.1.1
Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'
Python (Linux) 3.11.9 (main, Aug 2 2024, 14:46:25) [GCC 13.2.1 20240309]
Additional context
I'm in the mcr.microsoft.com/azure-cli:2.63.0 container within an Azure VM with managed identity set.