Generate an access token with a Managed identity

[pievalentin]

• Package Name: azure-identity
• Package Version: 1.12.0
• Operating System: Ubuntu/ AzML
• Python Version: 3.8

Bug description

I am an Azure costumer. I can't use MSAL to generate an access token for the scope of my app reg using my managed identity.

I have this setup:

• I deployed an Azure function app that is validating access token of an Application registration. It checks that the Client has the correct role.
• I have a compute instance that is assigned a Managed identity. I want to send a HTTP request to my azure function with an access token generated for my Managed Identity.

I also asked the MSAL team, they only have a draft PR.
For a production environment, I would need an upstream solution.

To Reproduce

1. Create an app reg with a custom role
2. Create a managed identity
3. Assign the custom role to the managed identity
4. Create a compute instance and assigned it the managed identity
5. In the compute instance run:

from azure.identity import ManagedIdentityCredential
cred = ManagedIdentityCredential(client_id="<managed-identity-client-id>")
token = cred.get_token("api://<app-reg-client-id>/.default")

The code will run indefinitely

Expected behavior
After running token = cred.get_token("api://<app-reg-client-id>/.default") the token should be generated

What you see instead

Code is still running and no token is generated.

[kashifkhan]

Thank you for feedback @pievalentin . We will investigate and get back to you asap.

[xiangyan99]

Thanks for reaching out.

To help us understand the scenario better, you want to use the managed identity in an app that is deployed into an Azure virtual machine and access your Azure function?

Thanks.

[pievalentin]

To rephrase my context:
I assigned the managed identity to my compute instance. Now in Jupyter (in the future compute cluster) I want to call my protected Azure function with an access token.

[pievalentin]

Talking with a colleague, I think this applies to me
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#declare-roles-for-an-application
I have put the managed identity in a AD group that is mapped to my app-reg role.
Working now on directly making it a member

[pievalentin]

I fixed my issue, I had two issues:
My managed identity and my compute instance were not in the same subscription.
I also put the managed identity as a direct member of my app reg role.
Here is the snippet that retrieve a correct token:

from azure.identity import DefaultAzureCredential
cred = DefaultAzureCredential(managed_identity_client_id=os.environ["DEFAULT_IDENTITY_CLIENT_ID"])
token = cred.get_token("api://<areg-client-id>/.default")

But the code I showed in should have exited without hanging?

[xiangyan99]

Thanks for the information.

Yes. As you said, there were two problems.

One is managed identity is designed to access Azure resources. In your case, I believe the best choice would be to use service principal.

As you said, it should not hang. :)

In order to get more details, could you please enable the logging by adding

import logging
logging.basicConfig(filename='c:/temp/log.log', level=logging.DEBUG)

?

Thanks.