Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credential chains continue iterating after unexpected IMDS responses #23894

Merged
merged 8 commits into from
Jan 14, 2025
Merged

Credential chains continue iterating after unexpected IMDS responses #23894

merged 8 commits into from
Jan 14, 2025

Conversation

chlowell
Copy link
Member

@chlowell chlowell commented Dec 27, 2024
edited
Loading

Closes #23890 by fixing a regression in #23273, which had DefaultAzureCredential interpret a non-JSON response to its IMDS probe as indicating the server isn't IMDS or a supported imitator (I've filled the test gap that enabled the regression). This behavior is reasonable for IMDS, which always responds with JSON, but incorrect in general because ACI managed identity responds to the probe with a flat string.

The fix here is to accept any response to the probe request and return credentialUnavailableError when an IMDS token response has an unexpected format. This change in error type applies only when ManagedIdentityCredential is part of a credential chain. When used by itself, ManagedIdentityCredential still returns AuthenticationFailedError for an unexpected IMDS response.

@chlowell chlowell changed the title Fix DefaultAzureCredential skipping managed identity in Azure Container Instances Credential chains continue iterating after unexpected IMDS responses Jan 13, 2025
@chlowell chlowell self-assigned this Jan 13, 2025
@chlowell chlowell marked this pull request as ready for review January 13, 2025 23:02
@chlowell chlowell requested review from jhendrixMSFT, RickWinter and a team as code owners January 13, 2025 23:02
@chlowell chlowell merged commit 786b0be into main Jan 14, 2025
14 checks passed
@chlowell chlowell deleted the chlowell/dac-aci branch January 14, 2025 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhendrixMSFT jhendrixMSFT jhendrixMSFT approved these changes

@RickWinter RickWinter Awaiting requested review from RickWinter RickWinter is a code owner

@joshfree joshfree Awaiting requested review from joshfree joshfree is a code owner automatically assigned from Azure/azure-sdk-write-identity

@pvaneck pvaneck Awaiting requested review from pvaneck pvaneck is a code owner automatically assigned from Azure/azure-sdk-write-identity

@billwert billwert Awaiting requested review from billwert billwert is a code owner automatically assigned from Azure/azure-sdk-write-identity

@ahsonkhan ahsonkhan Awaiting requested review from ahsonkhan ahsonkhan is a code owner automatically assigned from Azure/azure-sdk-write-identity

@KarishmaGhiya KarishmaGhiya Awaiting requested review from KarishmaGhiya KarishmaGhiya is a code owner automatically assigned from Azure/azure-sdk-write-identity

@scottaddie scottaddie Awaiting requested review from scottaddie scottaddie is a code owner automatically assigned from Azure/azure-sdk-write-identity

@mpodwysocki mpodwysocki Awaiting requested review from mpodwysocki mpodwysocki is a code owner automatically assigned from Azure/azure-sdk-write-identity

Assignees

@chlowell chlowell

Labels
Azure.Identity
Projects
Azure Identity SDK Improvements
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DefaultAzureCredential in azidentity v1.8.0 rejects Azure Container Instance's IMDS
2 participants
@chlowell @jhendrixMSFT