
Weird difference with user assigned managed identity between windows and linux VMs #35645

Closed
lovettchris opened this issue May 15, 2024 · 8 comments
Assignees
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed The Azure SDK team member assisting with this issue believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team.

Comments

@lovettchris

  • Package Name: azure.identity, azure.storage.blob
  • Package Version: see below
  • Operating System: Windows and Ubuntu
  • Python Version: 3.10

azure-core 1.30.1
azure-data-tables 12.5.0
azure-identity 1.16.0
azure-keyvault-keys 4.9.0
azure-keyvault-secrets 4.8.0
azure-storage-blob 12.20.0

Describe the bug

I have set up some VMs to use a user-assigned managed identity, which I have then given the appropriate access to on my Azure storage account. The following code then works on a Windows VM:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
account_url = "https://srexperiments.blob.core.windows.net/"
credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(account_url,credential=credential)
container_client = blob_service_client.get_container_client(container="setup")
for blob in container_client.list_blobs():
    print(blob.name)

On an Ubuntu Linux machine set up the same way, the above code fails with ErrorCode:AuthorizationPermissionMismatch.

But the following code works on both:

from azure.identity import ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
account_url = "https://srexperiments.blob.core.windows.net/"
credential = ManagedIdentityCredential(client_id="499fe662-662e-47b6-a9b0-4a186151268e")
blob_service_client = BlobServiceClient(account_url,credential=credential)
container_client = blob_service_client.get_container_client(container="setup")
for blob in container_client.list_blobs():
    print(blob.name)

I'd prefer to be able to use DefaultAzureCredential, as this is much easier to maintain across devbox/Azure VMs. Anyone know why it is not working on my Linux VM?

To Reproduce
Steps to reproduce the behavior:

  1. see above.

Expected behavior
The DefaultAzureCredential should work on both Windows and Linux.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

The debug logging output on Windows is:

Request URL: 'https://srexperiments.blob.core.windows.net/setup?restype=container&comp=list'
Request method: 'GET'
Request headers:
    'x-ms-version': '2023-11-03'
    'Accept': 'application/xml'
    'User-Agent': 'azsdk-python-storage-blob/12.19.1 Python/3.10.14 (Windows-10-10.0.20348-SP0)'
    'x-ms-date': 'Wed, 15 May 2024 19:20:33 GMT'
    'x-ms-client-request-id': '33177d05-12f0-11ef-a7a2-000d3a91034b'
    'Authorization': '*****'
Request body:
Hidden body, please use logging_body to show body
Response status: 200
Response headers:
    'Transfer-Encoding': 'chunked'
    'Content-Type': 'application/xml'
    'Server': 'Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0'
    'x-ms-request-id': 'cb8629ce-f01e-0079-65fc-a681ee000000'
    'x-ms-client-request-id': '33177d05-12f0-11ef-a7a2-000d3a91034b'
    'x-ms-version': '2023-11-03'
    'Date': 'Wed, 15 May 2024 19:20:33 GMT'
Response content:
...

while the debug logging output on Linux is:

Request URL: 'https://srexperiments.blob.core.windows.net/setup?restype=container&comp=list'
Request method: 'GET'
Request headers:
    'x-ms-version': '2024-05-04'
    'Accept': 'application/xml'
    'User-Agent': 'azsdk-python-storage-blob/12.20.0 Python/3.10.13 (Linux-6.2.0-1016-azure-x86_64-with-glibc2.35)'
    'x-ms-date': 'Wed, 15 May 2024 19:23:10 GMT'
    'x-ms-client-request-id': '90e2af0c-12f0-11ef-9171-000d3a9391f1'
    'Authorization': '*****'
Request body:
Hidden body, please use logging_body to show body
Response status: 403
Response headers:
    'Content-Length': '279'
    'Content-Type': 'application/xml'
    'Server': 'Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0'
    'x-ms-request-id': '94413837-001e-001f-0dfd-a6cece000000'
    'x-ms-client-request-id': '90e2af0c-12f0-11ef-9171-000d3a9391f1'
    'x-ms-version': '2024-05-04'
    'x-ms-error-code': 'AuthorizationPermissionMismatch'
    'Date': 'Wed, 15 May 2024 19:23:10 GMT'
Response content:
Traceback (most recent call last):
  File "/home/smartreplayuser/test/default.py", line 22, in <module>
    for blob in container_client.list_blobs():
  File "/home/smartreplayuser/miniconda3/envs/sr/lib/python3.10/site-packages/azure/core/paging.py", line 123, in __next__
    return next(self._page_iterator)
  File "/home/smartreplayuser/miniconda3/envs/sr/lib/python3.10/site-packages/azure/core/paging.py", line 75, in __next__
    self._response = self._get_next(self.continuation_token)
  File "/home/smartreplayuser/miniconda3/envs/sr/lib/python3.10/site-packages/azure/storage/blob/_list_blobs_helper.py", line 100, in _get_next_cb
    process_storage_error(error)
  File "/home/smartreplayuser/miniconda3/envs/sr/lib/python3.10/site-packages/azure/storage/blob/_shared/response_handlers.py", line 182, in process_storage_error
    exec("raise error from None")   # pylint: disable=exec-used # nosec
  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:94413837-001e-001f-0dfd-a6cece000000
Time:2024-05-15T19:23:10.9086777Z
ErrorCode:AuthorizationPermissionMismatch
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:94413837-001e-001f-0dfd-a6cece000000
Time:2024-05-15T19:23:10.9086777Z</Message></Error>
@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files) labels May 15, 2024

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jalauzon-msft @vincenttran-msft.

@xiangyan99 xiangyan99 self-assigned this May 16, 2024
@xiangyan99 xiangyan99 added Azure.Identity and removed Storage Storage Service (Queues, Blobs, Files) labels May 16, 2024
@xiangyan99
Member

Thanks for reaching out.

Could you try the same code on Windows using managed identity?

My guess is

  1. Your user assigned managed identity does not have the right permission. &
  2. Your DefaultAzureCredential ended up with using credentials other than ManagedIdentityCredential and the used one had the permission.

@xiangyan99 xiangyan99 added the needs-author-feedback More information is needed from author to address the issue. label May 16, 2024

Hi @lovettchris. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention This issue needs attention from Azure service team or SDK team label May 16, 2024
@lovettchris
Author

lovettchris commented May 16, 2024

Could you try the same code on Windows using managed identity?

Ok, I tried again on my Windows VM, creating the VM from scratch, and it appears this VM really does also need to use ManagedIdentityCredential(client_id="499fe662-662e-47b6-a9b0-4a186151268e").

So this is the official answer then: to use a user-assigned managed identity one must use ManagedIdentityCredential(client_id="499fe662-662e-47b6-a9b0-4a186151268e") and not DefaultAzureCredential()?

Would be nice if the docs said this clearly. Any idea why DefaultAzureCredential() doesn't work, and is there a way to make it work?

Would also be nice if there was an easy az command line to fetch this client id (since it is not the object_id). The only way I could find it was to add the managed identity to my azure devops project then I could see the id there.

@github-actions github-actions bot added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels May 16, 2024
@xiangyan99
Member

The difference is you need client id information to make ManagedIdentity work.

I asked you to try ManagedIdentity directly rather than DefaultAzureCredential just to narrow down the issue.

You can use DefaultAzureCredential(), but you need to provide the client_id like

DefaultAzureCredential(client_id="499fe662-662e-47b6-a9b0-4a186151268e"). :)

@xiangyan99 xiangyan99 added the issue-addressed The Azure SDK team member assisting with this issue believes it to be addressed and ready to close. label May 17, 2024

Hi @lovettchris. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@github-actions github-actions bot removed the needs-team-attention This issue needs attention from Azure service team or SDK team label May 17, 2024
@lovettchris
Author

Thanks, just one remaining question: how can I automate the lookup of the user-assigned managed identity client id "499fe662-662e-47b6-a9b0-4a186151268e" using an az command line?

@lovettchris
Author

Never mind, I found it:

az identity show --name smartreplayvm --resource-group GCRIaaSLoanT4p2

This has the clientId in it, nice!
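The thread's conclusion is that a 403 AuthorizationPermissionMismatch here means a token was issued, but to a different principal than the user-assigned identity that holds the role. The example below, added by the editor and not code from the issue or the Azure SDK, pins DefaultAzureCredential to the intended identity and then inspects the returned token's caller claim so a mismatch is caught before any storage call; it uses the `managed_identity_client_id` keyword documented for DefaultAzureCredential (exporting AZURE_CLIENT_ID has the same effect), the `check_storage_identity` and `make_unsigned_test_jwt` helpers are assumed names, and the offline test token is constructed.

```python
import base64
import json
import os


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims without verifying the signature.

    Verification is the resource server's job; this is only for inspecting
    which identity a token was issued to when debugging a 403."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def token_matches_identity(token: str, expected_client_id: str) -> bool:
    """True when the token's caller claim is the client id we intended to use.

    Entra tokens carry the caller's app (client) id in 'appid' (v1) or 'azp' (v2)."""
    claims = decode_jwt_claims(token)
    caller = claims.get("appid") or claims.get("azp")
    return caller is not None and caller.lower() == expected_client_id.lower()


def make_unsigned_test_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg 'none') token for offline tests only."""
    def part(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{part({'alg': 'none', 'typ': 'JWT'})}.{part(claims)}."


def check_storage_identity(client_id: str) -> bool:
    """Acquire a storage token with DefaultAzureCredential pinned to the
    user-assigned identity, then confirm the token really belongs to it."""
    from azure.identity import DefaultAzureCredential  # local import: helpers above stay offline

    # managed_identity_client_id is the DefaultAzureCredential keyword for this;
    # exporting AZURE_CLIENT_ID has the same effect.
    credential = DefaultAzureCredential(managed_identity_client_id=client_id)
    token = credential.get_token("https://storage.azure.com/.default").token
    return token_matches_identity(token, client_id)


if __name__ == "__main__":
    # Placeholder client id; substitute the clientId from `az identity show`.
    cid = os.environ.get("AZURE_CLIENT_ID", "<user-assigned-identity-client-id>")
    print("token issued to expected identity:", check_storage_identity(cid))
```

If the check returns False on a VM, the credential chain resolved to some other identity (system-assigned, a developer tool's login, or environment variables), which is exactly the situation the role assignment on the user-assigned identity cannot cover.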
