
Support Managed Identity (formerly known as MSI) #58


Closed
rayluo opened this issue Jun 11, 2019 · 6 comments · Fixed by #480

Comments

@rayluo
Collaborator

rayluo commented Jun 11, 2019

Some resources below:

@navyasric
Contributor

Currently the MSI support is in scope of Azure SDKs. Closing this for now.

@jiasli
Contributor

jiasli commented Sep 3, 2021

Moved from AzureAD/microsoft-authentication-library-for-dotnet#2806 (comment)

Getting a certificate for VM SSH

As Azure CLI developer, another scenario I would like to bring out is VM SSH which requires getting a certificate through the data argument.

Why Azure CLI dropped Azure Identity

Azure Identity has explicitly dropped data (by removing kwargs) for user identities (Azure/azure-sdk-for-python#16397). In order to implement VM SSH, Azure CLI has to

  • Get an access token from Azure Identity
  • Get a certificate from MSAL

This of course introduces unnecessary duplication, as Azure CLI will have to work dual-stack-ly. If Azure CLI can get a certificate from MSAL, why can't it use the same flow to get an access token from MSAL?

After careful consideration, Azure CLI dropped Azure Identity and directly uses MSAL. Even for managed identity, Azure CLI will not use Azure Identity given there will be no data support in the future. (The Azure Identity for managed identity migration on beta has been reverted.)

The current libraries Azure CLI beta uses are

  • MSAL: User / Service Principal
  • msrestazure (deprecated): Managed Identity / Cloud Shell

Possible solutions for supporting managed identity

As msrestazure has been deprecated as well, Azure CLI must move away from msrestazure. Possible solutions:

  1. Azure CLI implements managed identity by itself. This will of course take a big amount of effort, and the code can't be shared by other SDK tools.
  2. MSAL implements managed identity and Azure CLI directly uses MSAL for managed identity. The code can of course be utilized by other Azure libraries.

Additional information

Per How to use managed identities for Azure resources on an Azure VM to acquire an access token

    GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
    Metadata: true

managed identity's endpoint has some limitations:

  • It still only accepts resource, which is an ADAL concept. MSAL now uses scopes. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old resource interface.
  • There is no data support. We are not sure what the future design would be to support getting a certificate for VM SSH.

Reference email: VM SSH with managed identity
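The two limitations listed above (the endpoint takes an ADAL-style `resource`, not an MSAL scope, and it requires the `Metadata: true` header) are easy to get wrong when wiring managed identity into an MSAL-based client. The following is an added example, not code from MSAL Python, Azure CLI or the Azure SDK: it maps a `<resource>/.default` scope back to the `resource` the endpoint expects, sends the documented request, and parses the JSON reply. The endpoint URL, `api-version` and header are the ones from the Azure documentation quoted above; the transport is injectable, and `fake_imds_transport` is a constructed stand-in (with a made-up token) so the block runs offline, since the real endpoint only answers from inside an Azure VM with an identity assigned.

```python
"""
Added example (not MSAL Python's, Azure CLI's or the Azure SDK's code):
acquire a token from the IMDS managed identity endpoint while bridging the
MSAL scope -> ADAL resource gap discussed in the issue above.
"""
import json
import urllib.parse
import urllib.request

# Endpoint, api-version and header as documented for managed identity on an Azure VM.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def scope_to_resource(scope: str) -> str:
    """Map an MSAL scope such as 'https://management.azure.com/.default' to the
    ADAL-style resource 'https://management.azure.com/' the endpoint accepts.
    Only the '<resource>/.default' form has a clean mapping (assumption of this
    example); anything else is rejected rather than guessed."""
    suffix = "/.default"
    if not scope.endswith(suffix):
        raise ValueError("only '<resource>/.default' scopes map to a resource: %r" % scope)
    resource = scope[: -len(suffix)]
    # The documented request uses a trailing slash on the resource URI.
    return resource if resource.endswith("/") else resource + "/"


def build_request(scope: str) -> urllib.request.Request:
    """Build the documented GET. 'Metadata: true' is mandatory; IMDS rejects
    requests without it, which is what stops a forwarded/SSRF'd request that
    cannot set custom headers from minting a token."""
    query = urllib.parse.urlencode({
        "api-version": IMDS_API_VERSION,
        "resource": scope_to_resource(scope),
    })
    req = urllib.request.Request(IMDS_TOKEN_ENDPOINT + "?" + query)
    req.add_header("Metadata", "true")
    return req


def acquire_token(scope: str, transport=None) -> dict:
    """Return the endpoint's JSON body (access_token, expires_on, resource, ...).
    `transport(req)` must return the raw response bytes; the default uses urllib
    and only works on an Azure VM with a managed identity assigned."""
    req = build_request(scope)
    if transport is None:
        def transport(r):
            with urllib.request.urlopen(r, timeout=5) as resp:
                return resp.read()
    body = json.loads(transport(req))
    if "access_token" not in body:
        raise RuntimeError("managed identity endpoint returned no token: %r" % body)
    return body


def fake_imds_transport(req: urllib.request.Request) -> bytes:
    """Constructed stand-in for IMDS (not the real service): enforces the header
    and query the way the endpoint does, then returns a made-up token body."""
    if req.get_header("Metadata") != "true":
        raise RuntimeError("400 Bad Request: Metadata header missing")
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
    if qs.get("api-version") != [IMDS_API_VERSION]:
        raise RuntimeError("400 Bad Request: unsupported api-version")
    resource = qs["resource"][0]
    return json.dumps({
        "access_token": "eyJ.constructed.token",   # constructed, not a real JWT
        "expires_on": "1700000000",
        "resource": resource,
        "token_type": "Bearer",
    }).encode()


if __name__ == "__main__":
    token = acquire_token("https://management.azure.com/.default",
                          transport=fake_imds_transport)
    print(token["resource"], token["token_type"])
```

The `resource` field echoed back by the endpoint is worth checking against what you asked for before handing the token to an SDK client; it is the only audience indicator you get without decoding the JWT. Note also that the VM SSH `data` parameter discussed above has no counterpart in this request, which is exactly the second limitation the comment raises.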

@rayluo rayluo reopened this Sep 3, 2021
@jiasli
Contributor

jiasli commented Nov 23, 2021

By the way, the name "MSI" has been deprecated:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

@rayluo rayluo changed the title Support MSI Support Managed Identity (formerly known as MSI) Nov 23, 2021
@bh7cw

bh7cw commented Mar 8, 2022

@jiasli From what you posted about Managed Identity:

managed identity's endpoint has some limitations:

It still only accepts resource, which is an ADAL concept. MSAL now uses scopes. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old resource interface.
There is no data support. We are not sure what the future design would be to support getting a certificate for VM SSH.

Are you implying that managed identity is using ADAL? Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?

@rayluo
Collaborator Author

rayluo commented Mar 9, 2022

Are you implying that managed identity is using ADAL?

Actually, they are independent of each other. It was just that the Managed Identity protocol and the ADAL design happened to be created in around the same era and therefore share some concepts.

Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?

Neither ADAL Python nor MSAL Python supports Managed Identity. This issue remains open so that we can keep track of this feature requirement for MSAL Python.

@bgavrilMS
Member

@rayluo - is this not done?
