
[Azure Identity] tenant_id is not honored by ManagedIdentityCredential.get_token #23080

Closed
jiasli opened this issue Feb 16, 2022 · 1 comment
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage.

Comments

@jiasli
Member

jiasli commented Feb 16, 2022

  • Package Name: azure-identity
  • Package Version: 1.7.1

Describe the bug

#20940 added support for getting an access token from a tenant other than the one used in the constructor of the credential, using the get_token(tenant_id=xxx) API.

However, as tested with this script in a VM with system assigned identity:

from azure.identity import ManagedIdentityCredential

cred = ManagedIdentityCredential()
print(cred.get_token('https://management.azure.com//.default', tenant_id='72f988bf-86f1-41af-91ab-2d7cd011db47'))

The access token decoded using https://jwt.ms/ still has

  "iss": "https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/",

Using this access token will fail to authenticate into resources.

The truth is managed identity doesn't support tenant_id and you simply can't get an access token for another tenant. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

Azure Identity should error out in such a case, instead of returning a token for the wrong tenant.
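Added example, not code from this issue or from the azure-identity library: a wrapper that applies the check the report asks for, reading the tenant from the returned token's `tid` or `iss` claim and failing closed when it does not match the `tenant_id` hint. The `AccessToken` stand-in and `FakeManagedIdentityCredential` are constructed so the script runs offline; with the real SDK the wrapper would take a `ManagedIdentityCredential` instead.

```python
import base64
import json
from collections import namedtuple

# Constructed sample values (from the issue report): the tenant the caller asked
# for, and the tenant the managed identity endpoint actually issued for.
REQUESTED_TENANT = "72f988bf-86f1-41af-91ab-2d7cd011db47"
ISSUED_TENANT = "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
# Stand-in for azure.core.credentials.AccessToken so this runs without the SDK.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """JWT-shaped string with an empty signature: offline test data only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_tenant(token: str) -> str:
    """Tenant the token was issued for, from 'tid' or the v1-style 'iss' URL.
    The payload is decoded, not verified: this only reads what the STS put in
    the token so the caller can fail closed before presenting it anywhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims["tid"] if "tid" in claims else claims["iss"].rstrip("/").rsplit("/", 1)[-1]

class TenantMismatchError(Exception):
    pass

class TenantCheckingCredential:
    """Wraps any object with get_token(*scopes, **kwargs); raises if a tenant_id hint was ignored."""
    def __init__(self, inner):
        self._inner = inner

    def get_token(self, *scopes, **kwargs):
        token = self._inner.get_token(*scopes, **kwargs)
        wanted = kwargs.get("tenant_id")
        if wanted is not None:
            issued = token_tenant(token.token)
            if issued.lower() != wanted.lower():
                raise TenantMismatchError(f"asked for tenant {wanted}, got {issued}")
        return token

class FakeManagedIdentityCredential:
    """Constructed stand-in reproducing the report: the tenant_id hint is ignored."""
    def get_token(self, *scopes, **kwargs):
        iss = f"https://sts.windows.net/{ISSUED_TENANT}/"
        return AccessToken(make_unsigned_jwt({"iss": iss, "aud": scopes[0]}), 0)
```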

@lmazuel
Member

lmazuel commented Feb 18, 2022

Hi @jiasli

tenant_id should be seen as a hint of how to increase the odds of getting a valid token. If the scenario doesn't support that hint, the expectation is to ignore it. Otherwise, it means you could never use KeyVault and ManagedIdentity together ever again, since KeyVault will always inject the tenant_id.

So by design, if the hint is not applicable, we ignore it.

But thank you for the issue, investigating it we discovered a problem:
#23138

@lmazuel lmazuel closed this as completed Feb 18, 2022