ShaharGlazner-0204 asked:

Metadata Service and Managed Identity weird behavior

Hi,

I'm experiencing some weird behavior using Managed Identities and the Azure Instance Metadata Service.

According to the documentation, if I want an access token for the System Assigned Identity, I need to query the Azure Instance Metadata Service without any Client ID.

Also according to the documentation, if I want an access token for a User Assigned Identity, I need to specify the Client ID which represents that identity.

This works fine if I first assign the System Assigned Identity and only after I assign the User Assigned Identity.

But if I first create the VM with a User Assigned Identity (e.g. using --assign-identity %user_identity% in Azure CLI) and only afterwards assign it a System Assigned Identity, when I query the Azure Metadata Service without any client id I get the access token for the User Assigned Identity instead of the access token for the System Assigned Identity.

In addition, because the Client ID of a System Assigned Identity isn't exposed through the API (I have only the Object ID), I can't retrieve that access token in any other way.

I can reproduce this behavior. For example, I have a VM named shaharVM4 which I created with a user assigned identity (using --assign-identity) and after that I assigned it a system-assigned identity using the Azure Portal.

We can easily see that this VM now has both user-assigned and system-assigned identities:

 az vm identity show  --resource-group shaharGroup --name shaharVM4
 {
   "principalId": "d54100ed-71e9-41c1-8af1-161c2855305f",
   "tenantId": "df242c82-fe4a-47e0-b0f4-e3cb7f8104f1",
   "type": "SystemAssigned, UserAssigned",
   "userAssignedIdentities": {
     "/subscriptions/0ee9e8ab-89fd-437f-abbb-6b062d5b0485/resourceGroups/shaharGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/shaharidentity": {
       "clientId": "7230cc60-8b9b-4bae-a57a-666a668f772a",
       "principalId": "14751f4a-d914-4aef-847b-49ab81c21128"
     }
   }
 }

But if I query the Metadata Service without any client id, I get the user assigned as default:
(you can notice that the retrieved client_id is of the user assigned identity and NOT of the system-assigned)

 curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" -H Metadata:true -s | jq .
 {
   "access_token": "...",
   "client_id": "7230cc60-8b9b-4bae-a57a-666a668f772a",
   "expires_in": "28800",
   "expires_on": "1574976193",
   "ext_expires_in": "28800",
   "not_before": "1574947093",
   "resource": "https://management.azure.com/",
   "token_type": "Bearer"
 }

Should this be happening? Is there any way to bypass it?

Thanks!



Tags: azure-active-directory, azure-webapps, azure-virtual-machines

Can you elaborate on the issues this is causing? What exactly is the end goal you are looking to achieve?


@MicahMcKittrick-MSFT

The issue its causing is that I can't get an access token for the system-assigned identity.

My end goal is a bit complicated to explain in a comment, but I want to create integration between a product I'm working on and Azure.

Do you see the issue or still missing what I'm trying to do?

soumi-MSFT answered:

@ShaharGlazner-0204, I tested both the "User Assigned Managed Identity" and the "System Assigned Managed Identity" for a VM.


 PS C:\windows\system32> az vm identity show  --resource-group MyRG --name Win10ClientVM
 {
   "principalId": "0026b60a-0c5c-46f5-91bf-b52a3e20d326",
   "tenantId": "xxxx-xxxx-xxxxx-xxxxxx",
   "type": "SystemAssigned, UserAssigned",
   "userAssignedIdentities": {
     "/subscriptions/xxxx-xxxx-xxxx-xxxxxx/resourceGroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UMSI1": {
       "clientId": "065a5b93-d459-428d-a156-3b523dd8aa91",
       "principalId": "d8c1b46c-3a3d-45e8-8380-dbd41279874c"
     }
   }
 }

Ideally, if you use the following command, you should get a token issued to System Assigned Managed Identity

 $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -UseBasicParsing -Method GET -Headers @{Metadata="true"}

While, if you use the following command, with the ObjectID mentioned in it, you should get the token issued to the User Assigned Managed Identity object.

 $response1 = Invoke-WebRequest -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=d8c1b46c-3a3d-45e8-8380-dbd41279874c" -UseBasicParsing -Method GET -Headers @{Metadata="true"}

This is irrespective of whether you enabled the System Assigned Managed Identity first or the User Assigned Managed Identity first.

Hope this helps. Do let us know if more queries pop up around this so that we can help you further.

ShaharGlazner-0204 answered:

Thanks @soumi-MSFT, but that's still not what I'm looking for.

Consider that you have a server without any identity. Then you assign it a user-assigned identity. Now, querying the Metadata service without any client_id or object_id will return a token for the user-assigned identity.

Now, if you also assign a system-assigned identity, how do you get a token for this identity? If you don't use any client_id/object_id, you will get the token for the user-assigned identity (that's the odd behavior). You don't have a client_id for that identity, because it's system-assigned and you can't control it. You have only the object id.

 az vm identity show --resource-group shaharGroup --name shaharVM5
 {
   "principalId": "80595d5f-a106-46da-a7ac-76beeae3a9cc",
   "tenantId": "df242c82-fe4a-47e0-b0f4-e3cb7f8104f1",
   "type": "SystemAssigned, UserAssigned",
   "userAssignedIdentities": {
     "/subscriptions/0ee9e8ab-89fd-437f-abbb-6b062d5b0485/resourceGroups/shaharGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/shaharidentity": {
       "clientId": "7230cc60-8b9b-4bae-a57a-666a668f772a",
       "principalId": "14751f4a-d914-4aef-847b-49ab81c21128"
     }
   }
 }

Then when I try to get an identity token for the system-assigned identity:

 curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-06-04&resource=https%3A%2F%2Fmanagement.azure.com%2F&object_id=80595d5f-a106-46da-a7ac-76beeae3a9cc' -H Metadata:true -s | jq .
 {
   "error": "invalid_request",
   "error_description": "Identity not found"
 }

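Added example, not code from the thread or from Microsoft: a small Python client for the IMDS token endpoint that serves the question, soumi-MSFT's answer and the follow-up above. It builds the request URL either with no selector (the documented way to ask for the system-assigned identity) or with an explicit client_id, object_id or mi_res_id (the documented selector that takes a user-assigned identity's ARM resource ID), and, since the thread shows that the default identity on a VM carrying both identity types is not necessarily the system-assigned one, it decodes the returned JWT's oid claim and checks it against the principalId reported by az vm identity show so that a caller can fail closed instead of silently acting as the wrong principal. The IDs in demo() are the ones posted above and the unsigned JWT it builds is constructed data; request_token() is only reachable from inside an Azure VM and is not exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Documented IMDS token endpoint; the Metadata header below is mandatory.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_url(resource, api_version="2018-02-01", client_id=None,
                    object_id=None, mi_res_id=None):
    """Build the IMDS token request URL.

    With no selector IMDS picks a default identity; as the thread shows, on a
    VM with both identity types that is not guaranteed to be the
    system-assigned one. client_id / object_id / mi_res_id (the ARM resource
    id of a user-assigned identity) select one explicitly.
    """
    selectors = [s for s in (client_id, object_id, mi_res_id) if s]
    if len(selectors) > 1:
        raise ValueError("use at most one of client_id, object_id, mi_res_id")
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    if object_id:
        params["object_id"] = object_id
    if mi_res_id:
        params["mi_res_id"] = mi_res_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)


def request_token(url, timeout=5):
    """Call IMDS (only reachable from inside the VM). IMDS rejects requests
    without the Metadata header, which keeps browser-driven SSRF from
    minting tokens. Returns the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Enough to see
    which principal the token names; never use this to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_identity(token_response, expected_principal_id):
    """Compare the token's oid claim (the service principal object id) with
    the principalId reported by `az vm identity show`.

    Returns (matches, issued_oid). A caller that needs the system-assigned
    identity should stop when matches is False rather than carry on with
    whatever identity IMDS chose.
    """
    claims = jwt_claims(token_response["access_token"])
    issued_oid = claims.get("oid")
    return issued_oid == expected_principal_id, issued_oid


def constructed_token(claims):
    """Build an unsigned JWT for offline demonstration (constructed data,
    not a real IMDS token)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


def demo():
    """Replay the situation from the thread with constructed data."""
    system_principal = "d54100ed-71e9-41c1-8af1-161c2855305f"  # az vm identity show
    user_principal = "14751f4a-d914-4aef-847b-49ab81c21128"
    user_client = "7230cc60-8b9b-4bae-a57a-666a668f772a"

    # What IMDS returned in the question: default identity = user-assigned.
    default_response = {
        "access_token": constructed_token({"oid": user_principal, "appid": user_client}),
        "client_id": user_client,
    }
    ok, oid = check_identity(default_response, system_principal)
    print("default token is the system-assigned identity:", ok, "(oid =", oid + ")")

    # Explicit selection of the user-assigned identity, two equivalent ways.
    print(build_token_url("https://management.azure.com/", client_id=user_client))
    print(build_token_url("https://management.azure.com/", object_id=user_principal))
    return ok


if __name__ == "__main__":
    demo()
```

The oid check is the part worth keeping in production code: a client that assumes "no selector means system-assigned" has no other way to notice it was handed the user-assigned identity, and the two principals can have very different role assignments.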
DW-5175 answered:

Hi

Is there any update on this, as I am seeing the same behaviour accessing this key vault, in that it works without a client_id but fails when we supply one. This seems a bit odd.

Thanks
