
Managed Identity for Azure VM, App Service, Service Fabric, etc. #480

Merged: 6 commits, Jun 22, 2024

Conversation

rayluo
Collaborator

@rayluo rayluo commented Jun 2, 2022

Note: This is a proof-of-concept, which means there is no guarantee that this behavior will be eventually included into MSAL Python.

There are two new APIs added.

  • The high-level API works for your confidential client which is federated with a managed identity. This will be moved into a separate PR for its own consideration.

    import msal
    cca = msal.ConfidentialClientApplication(
        "my_client_id",
        client_credential=msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
        ...)
    result = cca.acquire_token_for_client(scopes=["scope1", "scope2"])  # It uses scopes (passed as a keyword argument)
  • The low-level API acquires a token for a managed identity

    import msal, requests
    mi = msal.ManagedIdentityClient(
        msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
        http_client=requests.Session(),  # This is a required parameter
        token_cache=msal.TokenCache(),  # Optional. In your production code, you shall persist a SerializableTokenCache https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache
    )
    result = mi.acquire_token_for_client(resource="resource_abc")  # It uses resource

More details of the new APIs are available here.

  • In order to test this PR on an Azure VM, you would need to:

    1. Create and then ssh into your Azure VM
    2. Install this proof-of-concept by pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@mi"
    3. Write your script using the calling pattern above.
  • To test this on App Service

    1. Create your App Service with Python runtime
    2. SSH into your App Service
    3. Follow the last two steps of the Azure VM test method
  • To test this on Azure Functions

    1. We have not yet tested it end-to-end, but the Managed Identity in Azure Functions is expected to be the same as in App Service.
  • To test this on Azure Automation (we have not tested this)

    1. Create your Automation account
    2. You will need to install the msal package. But it seems Azure Automation only supports installing a package with its dependencies from PyPI. This PR is not currently available from PyPI, so we are unable to test this.
    3. After step 2, you can create a new Python runbook and test the Managed Identity.
  • To test this on Service Fabric

    1. We have not yet tested this end-to-end, but you can refer to the test steps in Azure SDK.

Note:

  • At the end of this internal document, there are brief descriptions for the 6 variations of MIs.
  • Cloud Shell's IMDS is NOT part of this PR, because we already provide a higher level API for it in https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/420.

Once merged, this PR will resolve #548. Also, it will officially close #487 as the callback is no longer needed.
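Added example (not code from this PR or from MSAL itself): a self-contained model of the low-level calling pattern described above. It shows what the required `http_client` parameter buys you in practice: the HTTP layer is injected, so here a constructed in-memory stand-in for `requests.Session` answers with an IMDS-shaped JSON body and the whole flow runs offline, including the per-resource cache check and the non-200 error path. The class and function names (`ManagedIdentityClient`, `build_imds_request`, `FakeImdsClient`) mirror the shape of the PR's API but are hypothetical; the IMDS endpoint, `api-version` and `Metadata: true` header are the documented Azure IMDS values, and the 300-second refresh skew is a value chosen for the example.

```python
import json
import time
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlencode

# Documented Azure IMDS managed identity endpoint and API version (not PR-specific).
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
# Example value: refresh this long before expiry so a nearly-dead token is never returned.
EXPIRY_SKEW_SECONDS = 300


@dataclass(frozen=True)
class SystemAssignedManagedIdentity:
    """The host's own identity; IMDS needs no extra parameter."""


@dataclass(frozen=True)
class UserAssignedManagedIdentity:
    """A user-assigned identity, selected by its client_id."""
    client_id: str


def build_imds_request(identity, resource: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the IMDS token request; IMDS requires Metadata: true."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if isinstance(identity, UserAssignedManagedIdentity):
        params["client_id"] = identity.client_id
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}", {"Metadata": "true"}


@dataclass
class FakeResponse:
    status_code: int
    text: str


class FakeImdsClient:
    """Constructed stand-in for requests.Session: records requests, returns a canned body."""

    def __init__(self, expires_on: int, token: str = "constructed-token", status_code: int = 200):
        self.expires_on, self.token, self.status_code = expires_on, token, status_code
        self.requests = []  # (url, headers) of every call, for inspection

    def get(self, url, headers=None, **kwargs):
        self.requests.append((url, dict(headers or {})))
        if self.status_code != 200:
            return FakeResponse(self.status_code, '{"error":"invalid_request"}')
        body = {"access_token": self.token,
                "expires_on": str(self.expires_on),  # IMDS returns this as a string
                "token_type": "Bearer"}
        return FakeResponse(200, json.dumps(body))


class ManagedIdentityClient:
    """Hypothetical model of the PR's low-level API; cache is keyed per identity and resource."""

    def __init__(self, identity, http_client, token_cache=None, clock=time.time):
        self._identity = identity
        self._http = http_client  # required, as in the PR; inject a real Session in production
        self._cache = token_cache if token_cache is not None else {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def _cache_key(self, resource: str):
        return (getattr(self._identity, "client_id", "system"), resource)

    def acquire_token_for_client(self, resource: str) -> dict:
        key, now = self._cache_key(resource), int(self._clock())
        hit = self._cache.get(key)
        if hit and hit["expires_on"] - now > EXPIRY_SKEW_SECONDS:
            return {"access_token": hit["access_token"],
                    "expires_in": hit["expires_on"] - now, "token_source": "cache"}
        url, headers = build_imds_request(self._identity, resource)
        resp = self._http.get(url, headers=headers)
        if resp.status_code != 200:  # surface the failure instead of raising, MSAL-style
            return {"error": "managed_identity_error",
                    "error_description": resp.text, "status_code": resp.status_code}
        body = json.loads(resp.text)
        entry = {"access_token": body["access_token"], "expires_on": int(body["expires_on"])}
        self._cache[key] = entry
        return {"access_token": entry["access_token"],
                "expires_in": entry["expires_on"] - now, "token_source": "identity_provider"}


def demo(expires_in: int = 3600, status_code: int = 200):
    """Two calls for one resource; returns both results plus the recorded HTTP calls."""
    fixed_now = 1_700_000_000
    http = FakeImdsClient(expires_on=fixed_now + expires_in, status_code=status_code)
    mi = ManagedIdentityClient(
        UserAssignedManagedIdentity(client_id="00000000-0000-0000-0000-000000000000"),
        http_client=http, clock=lambda: fixed_now)
    first = mi.acquire_token_for_client(resource="https://management.azure.com/")
    second = mi.acquire_token_for_client(resource="https://management.azure.com/")
    return first, second, http.requests


if __name__ == "__main__":
    print(demo())
```

The point of injecting both the HTTP client and the clock is that the three behaviours a reviewer cares about (the `Metadata: true` header and `client_id` query parameter on the wire, the cache serving the second call, and a short-lived token being refreshed rather than reused) can be asserted without an Azure VM.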

@jiasli
Contributor

jiasli commented Mar 17, 2023

Cloud Shell is just one type of managed identity. Perhaps we should follow the same interface for Cloud Shell?

@rayluo rayluo force-pushed the mi branch 2 times, most recently from e3e0412 to c336d2d Compare June 22, 2024 00:01
@jiasli
Contributor

jiasli commented Jun 24, 2024

Congratulations on MSAL's support for managed identity. I am sure our customers will benefit from this great new feature! 🎉

@yonzhan

yonzhan commented Jun 24, 2024 via email
