accept ACI's non-JSON response to IMDS probe

Author: chlowell

sdk/azidentity/CHANGELOG.md

@@ -8,6 +8,7 @@
 
 ### Bugs Fixed
 * User credential types inconsistently log access token scopes
+* `DefaultAzureCredential` skips managed identity in Azure Container Instances
 
 ### Other Changes
 

sdk/azidentity/default_azure_credential_test.go

@@ -357,6 +357,27 @@ func TestDefaultAzureCredential_IMDS(t *testing.T) {
 				require.NoError(t, err, "DefaultAzureCredential should continue after receiving a non-JSON response from IMDS")
 			}
 		})
+
+		t.Run("Azure Container Instances", func(t *testing.T) {
+			// ensure GetToken returns an error if DefaultAzureCredential skips managed identity
+			before := defaultAzTokenProvider
+			defer func() { defaultAzTokenProvider = before }()
+			defaultAzTokenProvider = mockAzTokenProviderFailure
+
+			srv, close := mock.NewTLSServer(mock.WithTransformAllRequestsToTestServerUrl())
+			defer close()
+			srv.AppendResponse(mock.WithBody([]byte("Required metadata header not specified or not correct")), mock.WithStatusCode(http.StatusBadRequest))
+			srv.AppendResponse(mock.WithBody(accessTokenRespSuccess), mock.WithStatusCode(http.StatusOK))
+			cred, err := NewDefaultAzureCredential(&DefaultAzureCredentialOptions{
+				ClientOptions: policy.ClientOptions{
+					Transport: srv,
+				},
+			})
+			require.NoError(t, err)
+			tk, err := cred.GetToken(ctx, testTRO)
+			require.NoError(t, err, "DefaultAzureCredential should accept ACI's response to the probe request")
+			require.Equal(t, tokenValue, tk.Token)
+		})
 	})
 
 	t.Run("timeout", func(t *testing.T) {

sdk/azidentity/managed_identity_client.go

@@ -230,16 +230,19 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 			}
 			return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
 		}
-		// because IMDS always responds with JSON, assume a non-JSON response is from something else, such
-		// as a proxy, and return credentialUnavailableError so DefaultAzureCredential continues iterating
+		// Determine whether the response is from IMDS, a service whose managed identity API imitates IMDS such as Azure
+		// Container Instances (ACI), or something other than a managed identity API. Assume a JSON response is from IMDS.
+		// If the response is not JSON, check for a known ACI error message. If the response is neither JSON nor an ACI
+		// error, assume it's from something like a proxy and return credentialUnavailableError so DefaultAzureCredential
+		// continues to its next credential.
 		b, err := azruntime.Payload(res)
 		if err != nil {
 			return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("failed to read IMDS probe response: %s", err))
 		}
-		if !json.Valid(b) {
+		if !json.Valid(b) && !strings.HasPrefix(string(b), "Required metadata header") {
 			return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "unexpected response to IMDS probe")
 		}
-		// send normal token requests from now on because IMDS responded
+		// send normal token requests from now on because IMDS, or something imitating it, responded
 		c.probeIMDS = false
 	}