Add support for Azure resource with multiple managed identities #4791

Closed
CBaud opened this issue Sep 24, 2018 · 8 comments
@CBaud CBaud commented Sep 24, 2018

When the AppAuthentication library requests a token using the Azure Instance Metadata Service (IMDS) endpoint, it currently does not specify any values for the optional object_id or client_id query string parameters. In order for applications to request a token on a VM with multiple user-assigned managed identities, exactly one of those two parameters needs to be specified. It would be great for the AppAuthentication library to provide a way for applications to specify:

  • A Guid representing the identity.
  • An enumerated value that identifies whether the previous value is a Client ID or an Object ID.
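As an added illustration of the request the issue describes (this is example code written for this thread, not code from the AppAuthentication library or the Azure samples), the block below builds the IMDS token request for a VM with several user-assigned identities. The endpoint, the `Metadata: true` header and the `api-version` are the documented IMDS values; the GUID and the JSON response are constructed sample data. It enforces the "exactly one of `client_id` / `object_id`" rule from the post, and adds the check a practitioner wants afterwards: IMDS echoes the `client_id` of the identity that issued the token, so the caller can confirm the token really came from the identity it asked for rather than from whichever identity the platform picked.

```python
# Added example, not code from the AppAuthentication library or the Azure samples.
# On a VM with several user-assigned managed identities, exactly one of the
# client_id / object_id query parameters selects the identity; with neither,
# IMDS falls back to the system-assigned identity. After the call, the
# client_id in the response is compared with the identity that was requested.
import json
import uuid
from enum import Enum
from urllib.parse import parse_qs, urlencode, urlparse

# Documented IMDS endpoint, api-version and required header.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
IMDS_HEADERS = {"Metadata": "true"}  # IMDS rejects requests without this header


class IdentityIdKind(Enum):
    """Which IMDS query parameter the GUID goes into."""
    CLIENT_ID = "client_id"
    OBJECT_ID = "object_id"


def build_imds_token_request(resource, identity_id=None, kind=None):
    """Return (url, headers) for an IMDS token request.

    identity_id: GUID of a user-assigned identity, or None for the
                 system-assigned identity.
    kind:        IdentityIdKind saying whether identity_id is a client ID
                 or an object ID; must be given exactly when identity_id is.
    """
    if (identity_id is None) != (kind is None):
        raise ValueError("identity_id and kind must be supplied together")
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if identity_id is not None:
        # Validate the GUID before it goes on the wire; str(UUID) yields the
        # canonical hyphenated form, so only one selector is ever emitted.
        params[kind.value] = str(uuid.UUID(str(identity_id)))
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}", dict(IMDS_HEADERS)


def selected_identity(url):
    """Report which selector a built URL carries: (IdentityIdKind, guid) or None."""
    query = parse_qs(urlparse(url).query)
    found = [(k, query[k.value][0]) for k in IdentityIdKind if k.value in query]
    if len(found) > 1:
        raise ValueError("client_id and object_id are mutually exclusive")
    return found[0] if found else None


def token_matches_identity(response_body, expected_client_id):
    """IMDS echoes the client_id of the identity that issued the token.
    Comparing it with the identity the caller asked for catches the case
    where the selector was dropped and a different identity answered."""
    doc = json.loads(response_body)
    return doc.get("client_id", "").lower() == str(expected_client_id).lower()


# Constructed sample response in the shape IMDS returns; all values are fake.
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.sample.token",
    "client_id": SAMPLE_CLIENT_ID,
    "expires_in": "3599",
    "expires_on": "1538000000",
    "resource": "https://vault.azure.net/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, headers = build_imds_token_request(
        "https://vault.azure.net/", SAMPLE_CLIENT_ID, IdentityIdKind.CLIENT_ID)
    print(url, headers)
    print(selected_identity(url))
    print(token_matches_identity(SAMPLE_RESPONSE, SAMPLE_CLIENT_ID))
```

Passing the GUID together with an explicit kind mirrors the two inputs the post asks the library to expose (a GUID plus an enumerated value saying whether it is a client ID or an object ID), and makes it impossible to send both selectors at once.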
@nonik0 (Contributor) commented Nov 2, 2018

Hi Chris, we will have this functionality in the next release of AppAuth that we are working on releasing now. We will also update our existing samples that will show how to use this new functionality shortly after.

@nonik0 (Contributor) commented Nov 19, 2018

Hi Chris, we have released AppAuth 1.2.0-preview, which contains the support for user-assigned identities. You can find the new release here.

As for how to use multiple managed identities, we have published minor updates for the following AppAuth VM samples that include instructions for how to specify a managed identity:
https://github.com/Azure-Samples/linuxvm-msi-keyvault-arm-dotnet
https://github.com/Azure-Samples/windowsvm-msi-arm-dotnet

Let us know if you have any feedback, thanks!

@gilknyaz commented Dec 25, 2018

Hello,
I see in AzureServiceTokenProviderFactory that the tenantID is not used when using the client ID (AppID in the connection string).
However, it is still required and throws an exception if not provided.
Is this by design, or can it be changed?

@varunsh-msft (Member) commented Dec 26, 2018

Hi @gilknyaz, what connection string did you use?

@gilknyaz commented Dec 27, 2018

Initially I just tried "AppId=" + clientID, but got an error about missing RunAs.
Ok, makes sense. Tried "RunAs=App;AppId=" + clientID.
Got a missing TenantID error. Only "TenantId=123;RunAs=App;AppId=" + clientID worked.

I inspected the code of AzureServiceTokenProviderFactory, and I see that TenantID isn't actually used for this flow, so I can really place anything I want there.

@varunsh-msft (Member) commented Dec 27, 2018

Ok, this looks like a bug. Tenant id is not required for user assigned MSI. We will get it fixed soon. Thanks for reporting!

@varunsh-msft (Member) commented Apr 1, 2019

Tenant Id is not required anymore, as of preview2. @shahabhijeet, can you please close this issue? Thanks!

@varunsh-msft (Member) commented Apr 6, 2019

Closing, this is done.
