"parameter 'identityResourceID' cannot be empty" when using default MSI

[adrianwyatt]

Logging in with type "MSI" (i.e. -l msi) later fails with parameter 'identityResourceID' cannot be empty. These commands are being run on an Azure VMSS with a system-assigned identity.

Repro commands:

1. az login --identity
2. az account set -s {subscription}
3. sudo az aks get-credentials --resource-group {resourceGroup} --name {clusterName} --overwrite-existing
4. sudo kubelogin convert-kubeconfig -l msi
5. sudo kubectl get nodes

At this point we are seeing this error consistently when using any kubectl commands that access the cluster.

Error: failed to get token: failed to create service principal from managed identity  for token refresh: parameter 'identityResourceID' cannot be empty

[adrianwyatt]

Perhaps the check of p.identityResourceID == "" here is improper? That would make it fall through to NewServicePrincipalTokenFromMSIWithIdentityResourceID.

if p.clientID == "" {
		if p.identityResourceID == "" {
			// no identity specified, use whatever IMDS default to
			spt, err = adal.NewServicePrincipalTokenFromMSI(
				msiEndpoint,
				p.resourceID,
				callback)
			if err != nil {
				return emptyToken, fmt.Errorf("failed to create service principal from managed identity for token refresh: %s", err)
			}
		}

[haitch]

can you paste the kubeconfig? you can trim off the sensitive part

[haitch]

@adrianwyatt @weinong can we close this issue?

[adrianwyatt]

Looks good to me - thank you. Sent from my phone.

…

________________________________ From: Haitao Chen <notifications@github.com> Sent: Monday, November 9, 2020 1:41:26 PM To: Azure/kubelogin <kubelogin@noreply.github.com> Cc: Adrian Bonar <Adrian.Bonar@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [Azure/kubelogin] "parameter 'identityResourceID' cannot be empty" when using default MSI (#41) @adrianwyatt<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadrianwyatt&data=04%7C01%7CAdrian.Bonar%40microsoft.com%7C2a11d8fa530443fa1f1e08d884f83620%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637405548879896336%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lOzO%2BcGdQMd46s98eenVIabn2KpCR3XWoUa1PmCdTS8%3D&reserved=0> @weinong<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fweinong&data=04%7C01%7CAdrian.Bonar%40microsoft.com%7C2a11d8fa530443fa1f1e08d884f83620%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637405548879906331%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pKVwwWLqRC6b7ayFWT1RZ3K5QGTQSm246t4bne7A1Rw%3D&reserved=0> can we close this issue? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAzure%2Fkubelogin%2Fissues%2F41%23issuecomment-724294973&data=04%7C01%7CAdrian.Bonar%40microsoft.com%7C2a11d8fa530443fa1f1e08d884f83620%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637405548879911330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JwY49AVCfGbcEFTDUFCE5%2F1OCLBISj%2BlMKNfr84rG2U%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FANONW5AMBTNFBYRNKJKIWRDSPBOYNANCNFSM4TIDL6WQ&data=04%7C01%7CAdrian.Bonar%40microsoft.com%7C2a11d8fa530443fa1f1e08d884f83620%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637405548879916327%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=kzF8MWW943lrlfBBtzTFthIeWgb1pZ9JxCUPVS8MSGU%3D&reserved=0>.