Add support for Azure resource with multiple managed identities #4791

Open
CBaud opened this Issue Sep 24, 2018 · 6 comments


CBaud commented Sep 24, 2018

When the AppAuthentication library requests a token using the Azure Instance Metadata Service (IMDS) endpoint, it currently does not specify any values for the optional object_id or client_id query string parameters. In order for applications to request a token on a VM with multiple user-assigned managed identities, exactly one of those two parameters needs to be specified. It would be great for the AppAuthentication library to provide a way for applications to specify:

  • A Guid representing the identity.
  • An enumerated value that identifies whether the previous value is a Client ID or an Object ID.
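The request shape described above (IMDS token endpoint, `Metadata: true` header, and exactly one of `client_id` or `object_id` when the VM carries several user-assigned identities), as an added example that is not part of the original issue and is not the AppAuthentication library's own code. It also shows the check a caller should make afterwards: decode the returned token's payload and confirm the `appid`/`oid` claim matches the identity that was asked for, which catches a wrapper silently dropping the selector. The GUIDs, the unsigned demo token and the sample response are constructed for offline use; the claim names `appid` and `oid` are an assumption about the v1 access tokens IMDS returns:

```python
"""IMDS managed-identity token request with an explicit identity selector (added example)."""
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_url(resource, client_id=None, object_id=None):
    """Build the IMDS token URL, selecting at most one user-assigned identity.

    On a VM with several user-assigned identities IMDS needs client_id or
    object_id; passing both is rejected so the caller has to pick one.
    Passing neither is the system-assigned-identity case.
    """
    if client_id and object_id:
        raise ValueError("specify client_id or object_id, not both")
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    elif object_id:
        params["object_id"] = object_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_imds_token(url):
    """Send the request with the mandatory 'Metadata: true' header; returns the parsed JSON."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:  # only works on an Azure VM
        return json.loads(resp.read().decode("utf-8"))


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Sufficient for inspecting which identity IMDS handed back; the resource
    server, not this client, is the party that validates the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_identity(token_response, client_id=None, object_id=None):
    """Confirm the token was issued to the identity that was requested.

    Assumes v1 token claims: 'appid' carries the client id, 'oid' the object id.
    Returns the matching identifier, raises ValueError on a mismatch.
    """
    claims = jwt_claims(token_response["access_token"])
    if client_id:
        if claims.get("appid") != client_id:
            raise ValueError(f"token appid {claims.get('appid')!r} != requested client_id {client_id!r}")
        return client_id
    if object_id:
        if claims.get("oid") != object_id:
            raise ValueError(f"token oid {claims.get('oid')!r} != requested object_id {object_id!r}")
        return object_id
    return claims.get("appid")


def make_test_token(claims):
    """Constructed, unsigned JWT for the offline demo (NOT a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed identifiers and response; the field names follow the IMDS response shape.
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_RESPONSE = {
    "access_token": make_test_token(
        {"appid": SAMPLE_CLIENT_ID, "oid": SAMPLE_OBJECT_ID, "aud": "https://vault.azure.net"}
    ),
    "client_id": SAMPLE_CLIENT_ID,
    "expires_in": "3599",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    url = build_imds_token_url("https://vault.azure.net", client_id=SAMPLE_CLIENT_ID)
    print(url)
    # On a real VM: response = fetch_imds_token(url)
    print(check_token_identity(SAMPLE_RESPONSE, client_id=SAMPLE_CLIENT_ID))
```

The identity check is deliberately done on the decoded claims rather than on the `client_id` field IMDS echoes in its JSON, since the claims are what the resource server will act on.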
nonik0 (Contributor) commented Nov 2, 2018

Hi Chris, we will have this functionality in the next release of AppAuth that we are working on releasing now. We will also update our existing samples that will show how to use this new functionality shortly after.

nonik0 (Contributor) commented Nov 19, 2018

Hi Chris, we have released AppAuth 1.2.0-preview, which contains the support for user-assigned identities. You can find the new release here.

As for how to use multiple managed identities, we have published minor updates for the following AppAuth VM samples that include instructions for how to specify a managed identity:
https://github.com/Azure-Samples/linuxvm-msi-keyvault-arm-dotnet
https://github.com/Azure-Samples/windowsvm-msi-arm-dotnet

Let us know if you have any feedback, thanks!

gilknyaz commented Dec 25, 2018

Hello,
I see in AzureServiceTokenProviderFactory that the tenantID is not used when using the client ID (AppID in the connection string).
However, it is still required and throws an exception if not provided.
Is this by design, or can it be changed?

varunsh-msft (Member) commented Dec 26, 2018

Hi @gilknyaz, what connection string did you use?

gilknyaz commented Dec 27, 2018

Initially I just tried "AppId=" + clientID, but got an error about missing RunAs.
Ok, makes sense. Tried "RunAs=App;AppId=" + clientID.
Got a missing TenantID error. Only "TenantId=123;RunAs=App;AppId=" + clientID worked.

I inspected the code of AzureServiceTokenProviderFactory, and I see that TenantID isn't actually used for this flow, so I can really place anything I want there.

varunsh-msft (Member) commented Dec 27, 2018

Ok, this looks like a bug. Tenant id is not required for user assigned MSI. We will get it fixed soon. Thanks for reporting!
