[BUG] Audience https://containerregistry.azure.net is not a supported MSI token audience

Open tkishel opened this issue 5 months ago • 1 comments

To Reproduce

Using the Azure Python SDK, this succeeds locally, but fails in CloudShell:

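from azure.identity import DefaultAzureCredential
from azure.mgmt.containerregistry import ContainerRegistryManagementClient
# Assumed import: the issue does not show where AZURE_PUBLIC_CLOUD comes from.
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

subscription_id = "<subscription-id>"  # placeholder; not given in the issue

azure_credential = DefaultAzureCredential()
azure_base_url = AZURE_PUBLIC_CLOUD.endpoints.resource_manager
azure_credential_scopes = [AZURE_PUBLIC_CLOUD.endpoints.resource_manager + '.default']

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

# Listing registries is the call that fails in Cloud Shell.
registries = registry_management_client.registries.list()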

Observed Behavior

CloudShellCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience.
Code: AudienceNotSupported
Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.
ManagedIdentityCredential.get_token failed: (AudienceNotSupported) Audience https://containerregistry.azure.net is not a supported MSI token audience.
Code: AudienceNotSupported
Message: Audience https://containerregistry.azure.net is not a supported MSI token audience.

Assuming because the SDK eventually calls:

curl http://localhost:50342/oauth2/token --data "resource=https://containerregistry.azure.net/" -H Metadata:true -s

{"error":{"code":"AudienceNotSupported","message":"Audience https://containerregistry.azure.net/ is not a supported MSI token audience."}}

Expected behavior

These methods should succeed in CloudShell as well as locally:

registry_management_client = ContainerRegistryManagementClient(azure_credential, subscription_id, base_url=azure_base_url, credential_scopes=azure_credential_scopes)

registries = registry_management_client.registries.list()

Is this specific to Cloud Shell?

Yes, the same code succeeds locally.

Interface information

Accessing Cloud Shell via https://portal.azure.com Chrome Version 128.0.6613.120 (Official Build) (arm64) OSK

Additional context

Similar to: https://github.com/Azure/CloudShell/issues/109

tkishel, Sep 06 '24 21:09
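
A diagnostic for the token request described in the issue, added here as an example (not code from the issue author or from the Azure SDK): it sends the same request as the curl command to the Cloud Shell token endpoint and reports which audiences are refused, without ever returning the token. The function names and result format are assumptions; dropping the `/.default` suffix to get the `resource` value mirrors what azure-identity's managed identity credentials do.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Cloud Shell's local token endpoint, taken from the curl call in the issue.
TOKEN_ENDPOINT = "http://localhost:50342/oauth2/token"


def scope_to_resource(scope: str) -> str:
    """Map an SDK scope ('<audience>/.default') to the 'resource' form value."""
    suffix = "/.default"
    return scope[: -len(suffix)] if scope.endswith(suffix) else scope


def build_request(resource: str) -> urllib.request.Request:
    """Same request as the curl call: POST field 'resource', header Metadata:true."""
    body = urllib.parse.urlencode({"resource": resource}).encode()
    return urllib.request.Request(TOKEN_ENDPOINT, data=body, headers={"Metadata": "true"})


def classify(raw: bytes) -> dict:
    """Summarise a response body; the access token itself is never returned."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return {"ok": False, "code": "InvalidResponse", "message": "body is not JSON"}
    doc = doc if isinstance(doc, dict) else {}
    err = doc.get("error")
    if isinstance(err, dict):
        return {"ok": False, "code": err.get("code"), "message": err.get("message")}
    if "access_token" in doc:
        return {"ok": True, "code": None, "message": None}
    return {"ok": False, "code": "UnexpectedResponse", "message": "no token or error"}


def probe(scopes, timeout: float = 5.0) -> dict:
    """Request a token per scope; meant to be run inside Cloud Shell."""
    results = {}
    for scope in scopes:
        resource = scope_to_resource(scope)
        try:
            with urllib.request.urlopen(build_request(resource), timeout=timeout) as resp:
                results[resource] = classify(resp.read())
        except urllib.error.HTTPError as exc:  # error JSON sent with an HTTP error status
            results[resource] = classify(exc.read())
        except OSError as exc:  # endpoint absent, e.g. when run outside Cloud Shell
            results[resource] = {"ok": False, "code": "EndpointUnreachable", "message": str(exc)}
    return results
```

Calling `probe(["https://management.azure.com/.default", "https://containerregistry.azure.net/.default"])` in Cloud Shell shows per audience whether the endpoint issues a token or answers with a code such as `AudienceNotSupported`.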