microsoft-identity-web
MI doesn't work for environments that don't have a shell
Microsoft.Identity.Web Library
Microsoft.Identity.Web.Certificate
Microsoft.Identity.Web version
latest
Web app
Not Applicable
Web API
Not Applicable
Token cache serialization
Not Applicable
Description
See here: https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificate/KeyVaultCertificateLoader.cs#L49-L53
Azure.Identity will fault if it cannot open a shell; distroless containers will not have a shell, so they are guaranteed to fault.
There are options here: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredentialoptions?view=azure-dotnet that allow excluding flows from the authentication chain.
The ability to supply my own or modify the options should work.
Reproduction steps
Use MI on a container built from a distroless image.
Error message
AzureCliCredential authentication failed: An error occurred trying to start process '/bin/sh' with working directory '/bin/'. No such file or directory
Id Web logs
No response
Relevant code snippets
NA
Regression
No response
Expected behavior
Able to use MI in distroless containers.
You need to set the environment variable AZURE_EXCLUDE_AZURE_CLI_CREDENTIAL to true. This will prevent the DefaultAzureCredential from using the Azure CLI credential provider. You can also use other environment variables to exclude other credential types, such as AZURE_EXCLUDE_INTERACTIVE_BROWSER_CREDENTIAL, or VS, VS Code, etc.
Thanks for the response, @jmprieur .
I've tried setting that environment variable in our helm chart. I can see this set on the environment variables list, but the same failure occurs:
- name: AZURE_EXCLUDE_AZURE_CLI_CREDENTIAL
  value: 'true'
Can you confirm this is the right Environment Variable to set, please? Thanks!
@jmprieur - any chance you can weigh in on this?
@jmprieur - bump
I think this was fixed in the latest version. Do you mind checking?
@keegan-caruso. I believe this is done?
Working through previews with a partner. Not on main yet.
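The option-based exclusion the issue description asks for, as an added example that is not code from Microsoft.Identity.Web or from anyone in this thread: it builds a DefaultAzureCredential whose chain has no credential that launches an external process, then downloads a Key Vault certificate with it. The class name, the environment variable names KEYVAULT_URI, KEYVAULT_CERT_NAME and MI_CLIENT_ID, and the use of Azure.Identity 1.9.0 or later with Azure.Security.KeyVault.Certificates 4.2.0 or later are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

public static class ShellFreeKeyVaultLoader // hypothetical name
{
    // Chain limited to credentials that work without a shell or desktop session:
    // environment, workload identity and managed identity stay enabled.
    public static TokenCredential BuildCredential(string? userAssignedClientId = null)
    {
        var options = new DefaultAzureCredentialOptions
        {
            ExcludeAzureCliCredential = true,          // the credential named in the error message
            ExcludeAzurePowerShellCredential = true,   // starts a PowerShell process
            ExcludeAzureDeveloperCliCredential = true, // starts the azd CLI (Azure.Identity 1.9.0+)
            ExcludeVisualStudioCredential = true,      // developer-machine only
            ExcludeVisualStudioCodeCredential = true,  // developer-machine only
            ExcludeSharedTokenCacheCredential = true,  // developer-machine only
            ExcludeInteractiveBrowserCredential = true,
            // null selects the system-assigned identity
            ManagedIdentityClientId = userAssignedClientId,
        };
        return new DefaultAzureCredential(options);
    }

    // Downloads the certificate, including its private key when the Key Vault
    // policy marks the key as exportable.
    public static X509Certificate2 LoadCertificate(
        Uri vaultUri, string certificateName, TokenCredential credential)
    {
        var client = new CertificateClient(vaultUri, credential);
        return client.DownloadCertificate(certificateName).Value;
    }

    public static void Main()
    {
        // Hypothetical variable names; set them in the pod spec or Helm values.
        string? vault = Environment.GetEnvironmentVariable("KEYVAULT_URI");
        string? name = Environment.GetEnvironmentVariable("KEYVAULT_CERT_NAME");
        string? clientId = Environment.GetEnvironmentVariable("MI_CLIENT_ID");
        if (vault is null || name is null)
        {
            Console.Error.WriteLine("KEYVAULT_URI and KEYVAULT_CERT_NAME must be set.");
            return;
        }
        using X509Certificate2 cert = LoadCertificate(new Uri(vault), name, BuildCredential(clientId));
        Console.WriteLine($"Loaded certificate {cert.Thumbprint}, has private key: {cert.HasPrivateKey}");
    }
}
```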