Skip to content

Commit

Permalink
Cloud Shell doesn't support user assigned identities (#16946)
Browse files Browse the repository at this point in the history
  • Loading branch information
chlowell authored Feb 1, 2022
1 parent f55e882 commit af2eedd
Showing 3 changed files with 22 additions and 3 deletions.
2 changes: 2 additions & 0 deletions sdk/azidentity/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -7,6 +7,8 @@
### Breaking Changes

### Bugs Fixed
* `ManagedIdentityCredential.GetToken()` now returns an error when configured for
a user assigned identity in Azure Cloud Shell (which doesn't support such identities)

### Other Changes

7 changes: 4 additions & 3 deletions sdk/azidentity/managed_identity_client.go
Original file line number Diff line number Diff line change
@@ -381,16 +381,17 @@ func (c *managedIdentityClient) createAzureArcAuthRequest(ctx context.Context, k
}

func (c *managedIdentityClient) createCloudShellAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
if id != nil {
msg := "Cloud Shell doesn't support user assigned managed identities. To authenticate the signed in user, omit ManagedIdentityCredentialOptions.ID"
return nil, newAuthenticationFailedError(errors.New(msg), nil) //lint:ignore ST1005 Cloud Shell is a proper noun
}
request, err := runtime.NewRequest(ctx, http.MethodPost, c.endpoint)
if err != nil {
return nil, err
}
request.Raw().Header.Set(headerMetadata, "true")
data := url.Values{}
data.Set("resource", strings.Join(scopes, " "))
if id != nil {
data.Set(qpClientID, id.String())
}
dataEncoded := data.Encode()
body := streaming.NopCloser(strings.NewReader(dataEncoded))
if err := request.SetBody(body, "application/x-www-form-urlencoded"); err != nil {
16 changes: 16 additions & 0 deletions sdk/azidentity/managed_identity_credential_test.go
Original file line number Diff line number Diff line change
@@ -164,6 +164,22 @@ func TestManagedIdentityCredential_CloudShell(t *testing.T) {
}
}

func TestManagedIdentityCredential_CloudShellUserAssigned(t *testing.T) {
setEnvironmentVariables(t, map[string]string{msiEndpoint: "http://localhost"})
for _, id := range []ManagedIDKind{ClientID("client-id"), ResourceID("/resource/id")} {
options := ManagedIdentityCredentialOptions{ID: id}
msiCred, err := NewManagedIdentityCredential(&options)
if err != nil {
t.Fatal(err)
}
_, err = msiCred.GetToken(context.Background(), policy.TokenRequestOptions{Scopes: []string{liveTestScope}})
var authErr AuthenticationFailedError
if !errors.As(err, &authErr) {
t.Fatal("expected AuthenticationFailedError")
}
}
}

func TestManagedIdentityCredential_GetTokenInAppServiceV20170901Mock_windows(t *testing.T) {
srv, close := mock.NewServer()
defer close()

0 comments on commit af2eedd

Please sign in to comment.