az login --identity fails in AKS with aad-pod-identity #9537

@Bowbaq

Describe the bug
az login --identity sometimes fails with a stacktrace when used in AKS in combination with aad-pod-identity

az login --identity
ERROR: The command failed with an unexpected error. Here is the traceback:

ERROR: 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 560, in execute
    raise ex
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 618, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 611, in _run_job
    six.reraise(*sys.exc_info())
  File "/usr/local/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 588, in _run_job
    result = cmd_copy(params)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 297, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 461, in default_command_handler
    return op(**command_args)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/command_modules/profile/custom.py", line 111, in login
    return profile.find_subscriptions_in_vm_with_msi(username, allow_no_subscriptions)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 318, in find_subscriptions_in_vm_with_msi
    msi_creds = MSIAuthentication(resource=resource)
  File "/usr/local/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 576, in __init__
    self.set_token()
  File "/usr/local/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 584, in set_token
    token_entry = self._vm_msi.get_token(self.resource)
  File "/usr/local/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 632, in get_token
    token_entry = self._retrieve_token_from_imds_with_retry(resource)
  File "/usr/local/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 669, in _retrieve_token_from_imds_with_retry
    raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError

To Reproduce

  • Set up an AKS cluster (we're on K8S 1.11.9) with aad-pod-identity (we use the helm chart)
  • Start a pod using the microsoft/azure-cli:latest docker image, with the proper labeling to assign an MSI on startup, and run az login --identity as the command

Expected behavior
az login --identity should always succeed on a node with an MSI attached. If the MSI is not yet attached due to lag in aad-pod-identity, azure-cli should exit cleanly with a non-zero exit code.

Environment summary

  • microsoft/azure-cli:latest
  • bash

Additional context
May be related to Azure/aad-pod-identity#206
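
An added example, not part of the original issue and not code from azure-cli or aad-pod-identity: a pod entrypoint helper that retries az login --identity with capped exponential backoff while the identity is still being assigned, and returns a clean non-zero status if it never arrives. The function name wait_for_identity_login and the LOGIN_* variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: retry `az login --identity` while aad-pod-identity is still
# assigning the managed identity, then fail with a clean non-zero status.
# LOGIN_MAX_ATTEMPTS, LOGIN_BASE_DELAY and LOGIN_MAX_DELAY are hypothetical
# tunables of this script, not azure-cli settings.

wait_for_identity_login() {
    max_attempts="${LOGIN_MAX_ATTEMPTS:-8}"
    delay="${LOGIN_BASE_DELAY:-2}"
    max_delay="${LOGIN_MAX_DELAY:-30}"
    attempt=1

    while :; do
        # Capture stderr only. stdout (the subscription list, with tenant and
        # subscription IDs) is discarded so it never lands in pod logs.
        if err=$(az login --identity 2>&1 >/dev/null); then
            echo "az login --identity succeeded on attempt ${attempt}" >&2
            return 0
        fi

        # Log just the final stderr line (for the traceback in this issue,
        # "requests.exceptions.HTTPError") instead of the whole stack.
        last=$(printf '%s\n' "$err" | tail -n 1)
        if [ "$attempt" -ge "$max_attempts" ]; then
            echo "az login --identity failed after ${attempt} attempts: ${last}" >&2
            return 1
        fi
        echo "attempt ${attempt} failed (${last}); retrying in ${delay}s" >&2

        sleep "$delay"
        attempt=$((attempt + 1))
        # Exponential backoff, capped so a slow assignment is still noticed.
        delay=$((delay * 2))
        if [ "$delay" -gt "$max_delay" ]; then
            delay="$max_delay"
        fi
    done
}

# Typical use as the first step of a pod entrypoint:
#   wait_for_identity_login || exit 1
```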

Labels

  • Account: az login/account
  • Service Attention: This issue is responsible by Azure service team.
  • bug: This issue requires a change to an existing behavior in the product in order to be resolved.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
