22 changes: 15 additions & 7 deletions msal/managed_identity.py
Expand Up @@ -316,6 +316,17 @@ def _scope_to_resource(scope): # This is an experimental reasonable-effort appr
return scope # There is no much else we can do here


def _get_arc_endpoint():
if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
return os.environ["IDENTITY_ENDPOINT"]
If detecting /var/opt/azcmagent/bin/himds and %ProgramFiles%\AzureConnectedMachineAgent\himds.exe is a reliable method, why bother checking IDENTITY_ENDPOINT and IMDS_ENDPOINT?

Indeed, that is an open topic. @neha-bhargava asked the Arc team specifically on this but received no response.

The current implementation here aligns with the implementation in MSAL .Net. In any case, this subtlety shall be considered as an implementation detail, which might be adjusted in the future again.


Agree with @rayluo. Added this in addition to env variable detection, since env variable detection has been successful in the case of Windows. Might remove the env variable detection in the future.

if ( # Defined in https://msazure.visualstudio.com/One/_wiki/wikis/One.wiki/233012/VM-Extension-Authoring-for-Arc?anchor=determining-which-endpoint-to-use
sys.platform == "linux" and os.path.exists("/var/opt/azcmagent/bin/himds")
or sys.platform == "win32" and os.path.exists(os.path.expandvars(
r"%ProgramFiles%\AzureConnectedMachineAgent\himds.exe"))
):
return "http://localhost:40342/metadata/identity/oauth2/token"


APP_SERVICE = object()
AZURE_ARC = object()
CLOUD_SHELL = object() # In MSAL Python, token acquisition was done by
Expand All @@ -338,7 +349,7 @@ def get_managed_identity_source():
return APP_SERVICE
if "MSI_ENDPOINT" in os.environ and "MSI_SECRET" in os.environ:
return MACHINE_LEARNING
if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
if _get_arc_endpoint():
return AZURE_ARC
if _is_running_in_cloud_shell():
return CLOUD_SHELL
Expand Down Expand Up @@ -380,18 +391,15 @@ def _obtain_token(http_client, managed_identity, resource):
managed_identity,
resource,
)
if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
arc_endpoint = _get_arc_endpoint()
if arc_endpoint:
if ManagedIdentity.is_user_assigned(managed_identity):
raise ManagedIdentityError( # Note: Azure Identity for Python raised exception too
"Invalid managed_identity parameter. "
"Azure Arc supports only system-assigned managed identity, "
"See also "
"https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service")
return _obtain_token_on_arc(
http_client,
os.environ["IDENTITY_ENDPOINT"],
resource,
)
return _obtain_token_on_arc(http_client, arc_endpoint, resource)
return _obtain_token_on_azure_vm(http_client, managed_identity, resource)
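Review bot: `_get_arc_endpoint` in the first hunk has no docstring, and its contract is not obvious from the code: it returns the `IDENTITY_ENDPOINT` value verbatim when both env vars are set, a fixed `http://localhost:40342/...` URL when only the himds binary is found, and an implicit `None` otherwise — a short docstring stating those three outcomes would help both callers (`get_managed_identity_source` and `_obtain_token`), which now treat a falsy return as "not on Arc". The fallback `if` relies on `and` binding tighter than `or`; wrapping each platform clause as `(sys.platform == "linux" and os.path.exists(...))` / `(sys.platform == "win32" and os.path.exists(...))` would make the precedence explicit. Note the asymmetry between the two branches: the file-based branch pins the endpoint to localhost, while the env-based branch accepts whatever URL the environment supplies, so any constraint on where the token request is sent presumably lives in `_obtain_token_on_arc` (not shown here) and is worth a one-line comment on the env branch. `_obtain_token`'s body begins outside the third hunk.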

