
Incorrect MSI API version when running inside azure function apps

Open pcc-damatj opened this issue 1 year ago • 1 comments

What happened?

I am trying to run pulumi from within an azure function application using managed identity.

The typical IMDS endpoint does not work for function apps, which is normal for function apps:

building client: unable to obtain access token: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: Get "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com": GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com giving up after 5 attempt(s):

Setting useMsi to process.env.MSI_ENDPOINT gets me past the initial error. It seems like this msiEndpoint has a different supported API version. It seems to want "2017-09-01": https://learn.microsoft.com/en-us/javascript/api/@azure/ms-rest-nodeauth/msiappservicetokencredentials?view=azure-node-latest#@azure-ms-rest-nodeauth-msiappservicetokencredentials-msiapiversion

        * building client: unable to obtain access token: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://169.254.129.6:8081/msi/token' does not support the API version '2018-02-01'.","innerError":null}}

Is there a way to configure apiVersion for these authentication calls? I can't find anything in the docs/codebase for this.

Example

    // Inside an async function; `stack` is a Pulumi Automation API Stack
    // (for example from LocalWorkspace.createOrSelectStack(...)).
    // WEBSITE_SITE_NAME is only set when running inside App Service / a Function App.
    if (process.env.WEBSITE_SITE_NAME && process.env.WEBSITE_SITE_NAME !== "") {
        // Managed identity via the App Service MSI endpoint instead of IMDS
        await stack.setConfig("azuread:useMsi", { value: "true" });
        await stack.setConfig("azuread:msiEndpoint", { value: process.env.MSI_ENDPOINT });
    } else {
        // Outside Azure: service principal credentials from the environment
        await stack.setConfig("azuread:clientId", { value: process.env.AZURE_CLIENT_ID });
        await stack.setConfig("azuread:clientSecret", { value: process.env.AZURE_CLIENT_SECRET });
        await stack.setConfig("azuread:tenantId", { value: process.env.AZURE_TENANT_ID });
    }
    await stack.preview({ onOutput: console.info, diff: true });

Output of pulumi about

    CLI
    Version      3.113.0
    Go Version   go1.22.2
    Go Compiler  gc

    Plugins
    NAME    VERSION
    nodejs  unknown

    Host
    OS       debian
    Version  11.9
    Arch     x86_64

    This project is written in nodejs: executable='/usr/bin/node' version='v18.20.1'

    Backend
    Name           a4c896056958
    URL            azblob://<REDACTED>
    User           root
    Organizations
    Token type     personal


pcc-damatj, Apr 18 '24 16:04

Hi @pcc-damatj, unfortunately, we don't have a way to customize this API version currently. The issue exists in the third-party authentication library that we use, so it's not easy to fix for us. Terraform users have the same problem.

We are, however, planning to migrate to the newer, official azidentity for authentication soon, which does support App Service/Azure Functions, although they use API version "2019-08-01" for it.

thomas11, Apr 19 '24 09:04
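The root cause in this thread is that each managed-identity endpoint accepts a different api-version, and the provider hard-codes the IMDS one. The following is an added example, not code from the issue or from the pulumi-azuread provider: it selects the endpoint flavor from the environment and pairs it with the matching api-version and auth header, and classifies the HTTP 400 quoted above. The environment variable names, headers and versions are assumptions taken from Azure's managed identity documentation rather than from this page.

```javascript
// Added example, not code from the issue or the pulumi-azuread provider: build the
// managed-identity token request for whichever endpoint flavor the process runs
// under, so the api-version matches the endpoint. The UnsupportedApiVersion
// error above is the IMDS version (2018-02-01) sent to the App Service endpoint.
// Env var names, headers and versions are assumptions from Azure's managed
// identity docs, not from this page:
//   IDENTITY_ENDPOINT + IDENTITY_HEADER -> App Service/Functions, 2019-08-01, header X-IDENTITY-HEADER
//   MSI_ENDPOINT + MSI_SECRET           -> legacy App Service, 2017-09-01, header secret
//   neither                             -> IMDS on a VM, 2018-02-01, header Metadata: true

const IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";

// Append api-version and resource as query parameters (URLSearchParams encodes
// "https://graph.microsoft.com" as https%3A%2F%2Fgraph.microsoft.com).
function tokenUrl(endpoint, apiVersion, resource) {
  const u = new URL(endpoint);
  u.searchParams.set("api-version", apiVersion);
  u.searchParams.set("resource", resource);
  return u.toString();
}

// Returns { flavor, url, headers } describing the GET to send for a token.
function buildManagedIdentityRequest(env, resource) {
  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    return { flavor: "app-service-2019-08-01", url: tokenUrl(env.IDENTITY_ENDPOINT, "2019-08-01", resource), headers: { "X-IDENTITY-HEADER": env.IDENTITY_HEADER } };
  }
  if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    return { flavor: "app-service-2017-09-01", url: tokenUrl(env.MSI_ENDPOINT, "2017-09-01", resource), headers: { secret: env.MSI_SECRET } };
  }
  return { flavor: "imds-2018-02-01", url: tokenUrl(IMDS_TOKEN_ENDPOINT, "2018-02-01", resource), headers: { Metadata: "true" } };
}

// Turn a failed token response into an actionable log line; the body shape
// matches the HTTP 400 quoted in the issue.
function explainTokenError(status, body) {
  let code = "";
  try { code = (JSON.parse(body).error || {}).code || ""; } catch (e) { /* body was not JSON */ }
  if (status === 400 && code === "UnsupportedApiVersion") {
    return "api-version not supported by this endpoint: IMDS version sent to the App Service MSI endpoint (or vice versa)";
  }
  return `token request failed: HTTP ${status}${code ? ` (${code})` : ""}`;
}
```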