Closed
Labels: bug (Something isn't working)
Description
The following code in azure-arm-common.ts:357-361 is dated and too prescriptive, resulting in a failure to leverage Managed Identity in Azure Container Apps hosting my Azure Pipelines agents:
```ts
let apiVersion = "2018-02-01";
webRequest.uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=" + apiVersion + "&resource=" + resourceId;
webRequest.headers = {
    "Metadata": true
};
```

The current code results in the following debug output after two minutes from a pipeline using the AzureWebApp@1 task.
2024-06-16T10:07:46.2198904Z Got service connection details for Azure App Service:'[redacted]'
2024-06-16T10:07:46.2199146Z ##[debug]MSAL - getMSALToken called. force=undefined
2024-06-16T10:07:46.2199319Z ##[debug]agent.proxyurl=undefined
2024-06-16T10:07:46.2199492Z ##[debug]agent.proxybypasslist=undefined
2024-06-16T10:07:46.2199705Z ##[debug][Sun, 16 Jun 2024 10:07:43 GMT] : @azure/[email protected] : Info - acquireTokenByClientCredential called
2024-06-16T10:07:46.2199986Z ##[debug][Sun, 16 Jun 2024 10:07:44 GMT] : [a3cbad3d-90fb-452e-bac8-76e65feb7c77] : @azure/[email protected] : Info - Using appTokenProvider extensibility.
2024-06-16T10:07:46.2200221Z ##[debug]MSAL - ManagedIdentity is used.
2024-06-16T10:07:46.2200389Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined
2024-06-16T10:07:46.2200610Z ##[debug][GET]http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
2024-06-16T10:07:46.7059248Z ##[debug]Agent environment resources - Disk: / Available 10771.00 MB out of 20064.00 MB, Memory: Used 1434.00 MB out of 2667.00 MB, CPU: Usage 13.57%
2024-06-16T10:07:51.7054738Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1448.00 MB out of 2667.00 MB, CPU: Usage 12.94%
2024-06-16T10:07:56.7060122Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1451.00 MB out of 2667.00 MB, CPU: Usage 11.26%
...
2024-06-16T10:09:53.9885966Z ##[debug]Encountered a retriable error:ETIMEDOUT. Message: connect ETIMEDOUT 169.254.169.254:80.
As an example, the following is the constructed URL for obtaining MSI tokens based on the runtime environment of one replica of my agents.
http://localhost:42356/msi/token?api-version=2019-08-01&resource=https://management.azure.com
See an image capture from an example bash console session below:
I would suggest a backwards-compatible rewrite of the code to the following to leverage a more recent MSI API:
```ts
const useMsi2019 = process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER;
const apiVersion = useMsi2019 ? "2019-08-01" : "2018-02-01";
const tokenEndpoint = useMsi2019 ? process.env.IDENTITY_ENDPOINT : "http://169.254.169.254/metadata/identity/oauth2/token";
webRequest.uri = `${tokenEndpoint}?api-version=${apiVersion}&resource=${resourceId}`;
webRequest.headers = {
    "Metadata": true
};
if (useMsi2019) {
    webRequest.headers["X-Identity-Header"] = process.env.IDENTITY_HEADER;
}
```

If this repository is accepting contributions, please tag me if desired and I'll submit a pull request with this information.
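An added example, not code from the issue or from the repository: one way to select the managed identity token endpoint from the environment, with the resource URL-encoded and the `IDENTITY_HEADER` secret kept out of debug output. The names `buildMsiTokenRequest`, `describeForLog`, `Env` and `TokenRequest` are hypothetical, the environment is passed in as a parameter, and the choice to fail when only one of the two variables is set is this example's assumption (the snippet in the issue falls back to IMDS in that case).

```typescript
// Added example: hypothetical helper, not code from azure-arm-common.ts.
type Env = Record<string, string | undefined>;

interface TokenRequest {
  uri: string;
  headers: Record<string, string>;
}

const IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";

function buildMsiTokenRequest(env: Env, resourceId: string): TokenRequest {
  const endpoint = (env.IDENTITY_ENDPOINT ?? "").trim();
  const secret = (env.IDENTITY_HEADER ?? "").trim();

  // Exactly one variable set means a broken or tampered environment. Stop here
  // (this example's choice) rather than fall back and wait for an IMDS timeout.
  if ((endpoint === "") !== (secret === "")) {
    throw new Error("IDENTITY_ENDPOINT and IDENTITY_HEADER must be set together");
  }

  const query = (version: string) =>
    `api-version=${version}&resource=${encodeURIComponent(resourceId)}`;

  if (endpoint === "") {
    // VM-style IMDS: link-local address, "Metadata: true" header required.
    return { uri: `${IMDS_ENDPOINT}?${query("2018-02-01")}`, headers: { Metadata: "true" } };
  }

  if (!/^https?:\/\/[^\s/?#]+/i.test(endpoint)) {
    throw new Error("IDENTITY_ENDPOINT is not an http(s) URL");
  }
  const separator = endpoint.includes("?") ? "&" : "?";
  return {
    // App Service / Container Apps style endpoint: the caller proves itself
    // with the per-replica secret in X-IDENTITY-HEADER.
    uri: `${endpoint}${separator}${query("2019-08-01")}`,
    headers: { "X-IDENTITY-HEADER": secret },
  };
}

// Safe form for ##[debug] output: the URL and header names, never header values.
function describeForLog(req: TokenRequest): string {
  return `[GET]${req.uri} headers=${Object.keys(req.headers).join(",")}`;
}
```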
