Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MI doesn't work for environments that don't have a shell #2647

Closed
keegan-caruso opened this issue Jan 22, 2024 · 7 comments · Fixed by #2823 or #2824
Closed

MI doesn't work for environments that don't have a shell #2647

keegan-caruso opened this issue Jan 22, 2024 · 7 comments · Fixed by #2823 or #2824
Assignees
@keegan-caruso
Labels
feature request
Milestone
2.18.2

Comments

@keegan-caruso
Copy link
Contributor

Microsoft.Identity.Web Library

Microsoft.Identity.Web.Certificate

Microsoft.Identity.Web version

latest

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

See here: https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificate/KeyVaultCertificateLoader.cs#L49-L53

Azure.Identity will fault if it cannot open a shell, distroless containers will not have a shell so they are guaranteed to fault.

There are options here: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredentialoptions?view=azure-dotnet

That allow excluding flows from the authentication chain.

The ability to supply my own or modify the options should work.

Reproduction steps

Use MI on a container build from a distroless image.

Error message

AzureCliCredential authentication failed: An error occurred trying to start process '/bin/sh' with working directory '/bin/'. No such file or directory

Id Web logs

No response

Relevant code snippets

NA

Regression

No response

Expected behavior

Able to use MI in distroless containers.
@jmprieur
Copy link
Collaborator

You need to set the environment variable AZURE_EXCLUDE_AZURE_CLI_CREDENTIAL to true

This will prevent the DefaultAzureCredential from using the Azure CLI credential provider. You can also use other environment variables to exclude other credential types, such as AZURE_EXCLUDE_INTERACTIVE_BROWSER_CREDENTIAL, or VS, VS Code, etc ..

@jmprieur jmprieur added question Further information is requested answered and removed untriaged needs attention labels Jan 22, 2024
@joerattazzi-microsoft
Copy link

Thanks for the response, @jmprieur .

I've tried setting that environment variable in our helm chart. I can see this set on the environment variables list, but same failure occurs:

 - name: AZURE_EXCLUDE_AZURE_CLI_CREDENTIAL
   value: 'true'

Can you confirm this is the right Environment Variable to set, please? Thanks!

@keegan-caruso keegan-caruso added untriaged needs attention and removed question Further information is requested answered labels Feb 20, 2024
@joerattazzi-microsoft
Copy link

@jmprieur - any chance you can weigh in on this?

@joerattazzi-microsoft
Copy link

@jmprieur - bump

@jmprieur
Copy link
Collaborator

I think this was fixed in the latest version.
Do you mind to check?

@jmprieur
Copy link
Collaborator

@keegan-caruso. I believe this is done?

@keegan-caruso
Copy link
Contributor Author

Working through previews with a partner. Not on main yet.

This was referenced May 6, 2024
Merged
Merged
@jennyf19 jennyf19 added this to the 2.18.2 milestone May 6, 2024
@keegan-caruso keegan-caruso linked a pull request May 7, 2024 that will close this issue
Provide an env var to disable interactive auth for KeyVaultCertificateLoader #2824
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@keegan-caruso keegan-caruso

Labels
feature request
Projects
None yet
Milestone
2.18.2
4 participants
@jmprieur @jennyf19 @keegan-caruso @joerattazzi-microsoft