Support Linux Hybrid Runbook Worker VM's Managed Identity
Describe the bug
Running a Python script in an az automation hybrid worker that uses the azure.cli.core library to authenticate with a managed identity:
Command Name “az login --identity”
Error:
ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly.
That’s the output for the job in the automation account.
To Reproduce
- Configure a linux hybrid worker
- create a python3 runbook
- use the following code:
#!/usr/bin/env python3
import os
from azure.cli.core import get_default_cli


def main():
    command = 'login --identity'
    exAzCli(command)  # log in to Azure CLI using the managed identity
    subs = exAzCli('account list --all')  # execute a CLI command
    showingSubs(subs)


def exAzCli(command):
    # Split the command string into the argument list that invoke() expects.
    args = command.split()
    azc = get_default_cli()
    # Discard the CLI's own output; only the parsed result is used.
    with open(os.devnull, 'w') as devnull:
        azc.invoke(args, out_file=devnull)
    if azc.result.result:
        return azc.result.result
    elif azc.result.error:
        return '{"return": "error"}'


def showingSubs(subs):
    # exAzCli() returns a string sentinel on error (or None); nothing to list then.
    if not isinstance(subs, list):
        print('Could not list subscriptions')
        return
    for sub in subs:
        print('Subscription "' + str(sub['name']) + '" is currently ' + str(sub['state']) + ' and has the Id: ' + str(sub['id']))


if __name__ == "__main__":
    main()
Expected behavior
The runbook should be able to authenticate using the managed identity
If we execute the script manually, without using the runbook, it will work
Environment summary
azure-cli 2.32.0 *
core 2.32.0 *
telemetry 1.0.6
Extensions:
automation 0.1.1
Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0
Install Method
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo apt-get install python3-pip
sudo -H pip3 install azure-cli-core
sudo -H pip3 install azure-cli
sudo apt-get install glibc-source
sudo apt-get install openssl
sudo apt-get install libpam-modules
Additional context
When we run the python code in the hybrid worker (in the console) it works fine, however when we execute the same code, through Azure automation, we are unable to login, and we received the error.
- If the same code uses SPN, it will work fine
- We need to use a hybrid worker because the Azure sandbox won’t allow installing the azure.core.cli dependencies
- We can’t use PowerShell due to standardization of their cloud automation in all clouds
Top GitHub Comments
@jiasli for awareness
It has been finalized that MSAL will support all variations of Managed Identity (https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/58). Once MSAL code is ready, we will adopt the latest MSAL.
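An added diagnostic sketch, not code from the issue, Azure CLI or MSAL: it reports which managed identity variation a process environment advertises (endpoint-plus-header via `IDENTITY_ENDPOINT`/`IDENTITY_HEADER`, legacy `MSI_ENDPOINT`/`MSI_SECRET`, or the VM's IMDS endpoint) and builds the matching token request without sending it, so the console and runbook-job contexts from the report can be compared. Whether the job context actually sets any of these variables is an assumption to check, not something the issue states; Azure Arc and Service Fabric are not covered.

```python
import os
from urllib.parse import urlencode

ARM = "https://management.azure.com/"
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
WATCHED = ("IDENTITY_ENDPOINT", "IDENTITY_HEADER", "MSI_ENDPOINT", "MSI_SECRET")


def detect_source(env):
    """Name the managed identity variation the environment advertises."""
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        return "endpoint+header"
    if env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):
        return "legacy-msi"
    return "imds"  # nothing advertised: fall back to the VM's link-local IMDS


def build_request(env, resource=ARM):
    """Return (source, url, headers) for the token request. Nothing is sent."""
    source = detect_source(env)
    if source == "endpoint+header":
        base, version = env["IDENTITY_ENDPOINT"], "2019-08-01"
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    elif source == "legacy-msi":
        base, version = env["MSI_ENDPOINT"], "2017-09-01"
        headers = {"secret": env["MSI_SECRET"]}
    else:
        base, version = IMDS, "2018-02-01"
        headers = {"Metadata": "true"}
    query = urlencode({"api-version": version, "resource": resource})
    return source, f"{base}?{query}", headers


def presence_diff(console_env, job_env):
    """Watched variables set in one context but not the other (names only)."""
    return sorted(n for n in WATCHED
                  if bool(console_env.get(n)) != bool(job_env.get(n)))


def report(env):
    """One-line summary that is safe to log: header values are left out."""
    source, url, headers = build_request(env)
    return f"{source} -> {url} headers={sorted(headers)}"


if __name__ == "__main__":
    # Run once from the console and once inside the runbook, then compare.
    print(report(os.environ))
```
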