microsoft-authentication-library-for-python
Managed Identity for Azure VM, App Service, Service Fabric, etc.
Note: This is a proof-of-concept, which means there is no guarantee that this behavior will eventually be included in MSAL Python.
There are two new APIs added.
- ~~The high level API works for your confidential client, which is federated with a managed identity.~~ This will be moved into a separate PR for its own consideration.

  ```python
  import msal
  cca = msal.ConfidentialClientApplication(
      "my_client_id",
      client_credential=msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
      # ...
      )
  result = cca.acquire_token_for_client(scopes=["scope1", "scope2"])  # It uses scopes
  ```

- The low level API acquires a token for a managed identity.

  ```python
  import msal, requests
  mi = msal.ManagedIdentityClient(
      msal.SystemAssignedManagedIdentity(),  # Or it can be an msal.UserAssignedManagedIdentity(client_id="guid")
      http_client=requests.Session(),  # This is a required parameter
      token_cache=msal.TokenCache(),  # Optional. In your production code, you shall persist a SerializableTokenCache https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache
      )
  result = mi.acquire_token_for_client(resource="resource_abc")  # It uses resource
  ```
More details of the new APIs are available here.
- In order to test this PR on Azure VM, you would need to:
  - Create and then ssh into your Azure VM
  - Install this proof-of-concept by

    ```
    pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@mi"
    ```

  - Write your script using the calling pattern above.
- To test this on App Service
  - Create your App Service with Python runtime
  - SSH into your App Service
  - Follow the last two steps of the Azure VM test method
- To test this on Azure Functions
  - We have not yet tested it end-to-end, but Managed Identity in Azure Functions is expected to be the same as App Service.
- To test this on Azure Automation (we have not tested this)
  - Create your Automation account
  - You will need to install the `msal` package. But it seems Azure Automation only supports installing a package with its dependencies from PyPI. This PR is not currently available from PyPI, so we are unable to test this.
  - After step 2, you can create a new Python runbook and test the Managed Identity
- To test this on Service Fabric
  - We have not yet tested this end-to-end, but you can refer to the test steps in Azure SDK
Note:
- At the end of this internal document, there are brief descriptions for the 6 variations of MIs.
- Cloud Shell's IMDS is NOT part of this PR, because we already provide a higher level API for it in https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/420.
Once merged, this PR will resolve #548. Also, it will officially close #487 as the callback is no longer needed.
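To make the low level calling pattern above concrete, here is an added example that is not code from this PR or from MSAL: a stdlib-only stand-in for what `msal.ManagedIdentityClient(...).acquire_token_for_client(resource=...)` does behind the scenes on an Azure VM (IMDS) and on App Service/Functions, plus the expiry-aware caching that the `token_cache` parameter covers in MSAL. The endpoint URLs, headers and api-version values are Azure's documented conventions for those two sources, which this page does not spell out; `ManagedIdentityTokenSource`, `build_token_request` and `parse_token_response` are names chosen here. It deliberately leaves out the other managed identity variations (Service Fabric, Arc, Cloud Shell) that the library abstracts away.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Added example, not MSAL code: a hand-rolled stand-in for what
# msal.ManagedIdentityClient(...).acquire_token_for_client(resource=...) does
# on the two most common sources, Azure VM (IMDS) and App Service/Functions.
# Endpoint, header and api-version values are Azure's documented conventions
# for those two sources; they are not described on this page.

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource, client_id=None, environ=None):
    """Return (url, headers) for the token endpoint of the environment we are in.

    client_id selects a user-assigned identity; None means system-assigned.
    environ defaults to os.environ and is injectable for offline testing.
    """
    env = os.environ if environ is None else environ
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    endpoint = env.get("IDENTITY_ENDPOINT")
    secret = env.get("IDENTITY_HEADER")
    if endpoint and secret:
        # App Service / Functions publish a local endpoint plus a per-app secret.
        # The secret must be echoed back, so code that cannot read the env var
        # (e.g. a sandboxed child process) cannot mint tokens.
        params["api-version"] = "2019-08-01"
        headers = {"X-IDENTITY-HEADER": secret}
    else:
        # Azure VM: IMDS on the link-local address. "Metadata: true" is required,
        # and because browsers never add it, an SSRF bounced through a victim's
        # browser cannot reach this endpoint.
        endpoint = IMDS_TOKEN_URL
        params["api-version"] = "2018-02-01"
        headers = {"Metadata": "true"}
    return endpoint + "?" + urllib.parse.urlencode(params), headers


def parse_token_response(body):
    """Parse either endpoint's JSON reply into (access_token, expires_on_epoch).

    Both sources return expires_on as epoch seconds (IMDS sends it as a string).
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError("managed identity request failed: %s"
                           % data.get("error_description", data.get("error", body)))
    return data["access_token"], int(data["expires_on"])


def _http_get(url, headers):
    """Real transport: plain GET with a short timeout (IMDS answers locally or not at all)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


class ManagedIdentityTokenSource:
    """Fetches and caches one token per instance, refreshing `skew` seconds
    before expiry. This is the job MSAL delegates to its token_cache."""

    def __init__(self, resource, client_id=None, http_get=_http_get,
                 environ=None, skew=300):
        self.resource = resource
        self.client_id = client_id
        self.http_get = http_get
        self.environ = environ
        self.skew = skew
        self._token = None
        self._expires_on = 0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self._token is not None and self._expires_on - self.skew > now:
            return self._token  # cache hit, no round trip to the endpoint
        url, headers = build_token_request(self.resource, self.client_id, self.environ)
        self._token, self._expires_on = parse_token_response(self.http_get(url, headers))
        return self._token


if __name__ == "__main__":
    # Constructed IMDS-style reply so the demo runs off Azure; on a real VM you
    # would just write ManagedIdentityTokenSource(resource) and use the default transport.
    fake_reply = json.dumps({"access_token": "eyJ.fake.jwt",
                             "expires_on": str(int(time.time()) + 3600),
                             "resource": "https://management.azure.com/",
                             "token_type": "Bearer"})
    src = ManagedIdentityTokenSource("https://management.azure.com/",
                                     http_get=lambda url, headers: fake_reply, environ={})
    print(src.get_token()[:10], "...")
```

Both sources return the same JSON shape, so one parser serves both. In production keep one cache entry per resource (and per identity when a process uses several), and never log the `IDENTITY_HEADER` value or the returned token; the library's `SerializableTokenCache` exists so that the persisted copy is the only one you have to protect.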
Cloud Shell is just one type of managed identity. Perhaps we should follow the same interface for Cloud Shell?
@rayluo - is this the "public preview" branch? Does MSI support include all 5 sources such as CloudShell and Azure ARC?
Do we have any feedback from Azure SDK / other customers? Is it ok to close on this?
> @rayluo - is this the "public preview" branch? Does MSI support include all 5 sources such as CloudShell and Azure ARC?

Yes.

> Do we have any feedback from Azure SDK / other customers? Is it ok to close on this?
No feedback yet. There seems to be no partner in urgent need of this. We will keep an eye on this, while we are actively working on SLC.
@rayluo Are there any updates on when this will move out of public preview and into the official MSAL package?
> @rayluo Are there any updates on when this will move out of public preview and into the official MSAL package?
We are getting close. Some of our partner teams are testing it, as we speak. At least one needed improvement on Arc is identified.
You can also test/use it, and report your findings. @vmarcella
Hello @rayluo , it's been a long time do I understand correctly that this will push the ability to get creds from managed identity with MSAL? if so is there a timeline?
> Hello @rayluo , it's been a long time do I understand correctly that this will push the ability to get creds from managed identity with MSAL? if so is there a timeline?
We aim to GA this by end of March @AlmogBentz, but it depends on testing etc. etc.
Note that Azure SDK (including the Python version) fully supports Managed Identity - https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python
@rayluo - for the higher level API bear in mind that:
- the `api://tokenExchage` magic string is different on other clouds :( - we should get some consistency in all MSALs
I recommend you split the higher level API from the lower level one.
Is there an ETA for a new release with this feature?
> Is there an ETA for a new release with this feature?

@arsdragonfly , priorities may change, so we don't provide an ETA. You may go ahead to use this PR's feature branch as a preview (`pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@mi"`); and subscribe/watch this repo to receive its release notifications.