Closed
Labels
Fixed, P1, bug, regression (Behavior that worked in a previous release that no longer works in a newer release)
Description
Describe the bug
azure-identity with MSAL 1.32.1+ no longer is able to authenticate for machines that are using Azure Arc.
To Reproduce
Steps to reproduce the behavior:
- On an Azure Arc enrolled machine, try to obtain a token using `ManagedIdentityCredential`:

```python
from azure.identity import ManagedIdentityCredential
mi_credential = ManagedIdentityCredential()
print(mi_credential.get_token("api://AzureADTokenExchange/.default").token)
```
Expected behavior
A token string. With MSAL 1.32.0 this works.
What you see instead
With MSAL 1.32.1, the following:
```
ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
Traceback (most recent call last):
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_credentials/imds.py", line 99, in _request_token
    token_info = super()._request_token(*scopes)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_internal/msal_managed_identity_client.py", line 52, in _request_token
    result = self._msal_client.acquire_token_for_client(resource=resource)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/msal/managed_identity.py", line 312, in acquire_token_for_client
    result = _obtain_token(self._http_client, self._managed_identity, resource)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/msal/managed_identity.py", line 430, in _obtain_token
    return _obtain_token_on_arc(http_client, arc_endpoint, resource)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/msal/managed_identity.py", line 618, in _obtain_token_on_arc
    raise ManagedIdentityError(
msal.managed_identity.ManagedIdentityError: Unrecognizable WWW-Authenticate header: {}

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jakobbotsch/test.py", line 7, in <module>
    print(mi_credential.get_token("api://AzureADTokenExchange/.default").token)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_internal/decorators.py", line 23, in wrapper
    token = fn(*args, **kwargs)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_credentials/managed_identity.py", line 160, in get_token
    return cast(TokenCredential, self._credential).get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_internal/msal_managed_identity_client.py", line 122, in get_token
    token_info = self._get_token_base(*scopes, options=options, base_method_name="get_token", **kwargs)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_internal/msal_managed_identity_client.py", line 163, in _get_token_base
    token = self._request_token(*scopes, claims=claims, tenant_id=tenant_id, enable_cae=enable_cae, **kwargs)
  File "/home/jakobbotsch/.local/lib/python3.10/site-packages/azure/identity/_credentials/imds.py", line 125, in _request_token
    raise CredentialUnavailableError(error_message) from ex
azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
```
The MSAL Python version you are using
Paste the output of this
```
python -c "import msal; print(msal.__version__)"
```
When it works: 1.32.0
When it fails: 1.32.2
For testing I am switching between these versions using
```
python3 -m pip install --upgrade msal==1.32.0
python3 -m pip install --upgrade msal==1.32.2
```
Additional context
Contact me internally and I can provide SSH access to a test machine that is Arc enrolled.
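
An added example, not code from MSAL, azure-identity or this report: a parser for the challenge step that the `_obtain_token_on_arc` frame in the traceback belongs to, showing how a header mapping without a usable `WWW-Authenticate` entry is rejected. It assumes the documented Arc flow, in which the local agent answers the first token request with a 401 carrying `WWW-Authenticate: Basic realm=<path to key file>`; the names `challenge_key_path` and `ChallengeError` and the Linux directory `/var/opt/azcmagent/tokens` are assumptions of this example.

```python
import os

# Assumed Linux location of the Arc agent's key files (not taken from the report).
ALLOWED_DIR = "/var/opt/azcmagent/tokens"


class ChallengeError(ValueError):
    """The 401 response did not carry a usable Basic challenge (hypothetical type)."""


def challenge_key_path(headers, allowed_dir=ALLOWED_DIR):
    """Return the key-file path named in the WWW-Authenticate challenge.

    `headers` is any mapping of response header names to values.
    """
    # HTTP header names are case-insensitive and HTTP clients expose them
    # differently, so normalise the names before looking anything up.
    lowered = {str(k).lower(): v for k, v in dict(headers or {}).items()}
    value = lowered.get("www-authenticate")
    if value is None:
        raise ChallengeError("no WWW-Authenticate header in %r" % (headers,))
    scheme, _, param = value.strip().partition(" ")
    name, _, path = param.strip().partition("=")
    if scheme.lower() != "basic" or name.lower() != "realm" or not path:
        raise ChallengeError("unrecognizable challenge: %r" % value)
    path = path.strip().strip('"')
    # Least privilege: accept only a .key file directly inside the agent's
    # token directory, so a spoofed challenge cannot name an arbitrary file.
    real = os.path.normpath(path)
    if os.path.dirname(real) != os.path.normpath(allowed_dir):
        raise ChallengeError("key file outside %s: %r" % (allowed_dir, path))
    if not real.endswith(".key"):
        raise ChallengeError("unexpected key file name: %r" % path)
    return real
```

Feeding this function the header mapping your HTTP client actually returns on the 401 shows whether the challenge reached the caller at all.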