[Azure Identity] Python app running in the k8s pod failed while retrieving the token from MSI #17279

Closed
3 tasks done
Shuanglu opened this issue Mar 11, 2021 · 5 comments
Labels: Azure.Identity, bug, Client, customer-reported, needs-author-feedback

@Shuanglu

Shuanglu commented Mar 11, 2021

Describe the bug
Invoked the code below to retrieve the token for Key Vault, but it failed at 'get_token()'. Using 'curl' to access the MSI endpoint directly works, and a 3rd-party SDK works as well: https://pypi.org/project/keyvaultlib/

    from azure.identity import DefaultAzureCredential

    credential = DefaultAzureCredential()
    print("\nPass Default credential configuration")
    # Print out the token value used to access the Key Vault.
    # credentials[1] is the second credential in the chain (ManagedIdentityCredential).
    try:
        tokenValue = credential.credentials[1].get_token('https://vault.azure.net/.default')
    except Exception as ex:
        print("Failed to get token: {}".format(ex))
    else:
        print(tokenValue)

Exception or Stack Trace

string indices must be integers

Pass Default credential configuration
ManagedIdentityCredential.get_token failed: string indices must be integers
Failed to get token: string indices must be integers
Pass tokenValue
EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential.get_token failed: string indices must be integers
DefaultAzureCredential.get_token failed: ManagedIdentityCredential raised unexpected error "string indices must be integers"
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: **_string indices must be integers_**
Failed to get secret: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: string indices must be integers

To Reproduce
Can only be reproduced in the specific environment

Code Snippet

    from azure.identity import DefaultAzureCredential

    credential = DefaultAzureCredential()
    print("\nPass Default credential configuration")
    # Print out the token value used to access the Key Vault.
    # credentials[1] is the second credential in the chain (ManagedIdentityCredential).
    try:
        tokenValue = credential.credentials[1].get_token('https://vault.azure.net/.default')
    except Exception as ex:
        print("Failed to get token: {}".format(ex))
    else:
        print(tokenValue)

Expected behavior
The approach can get the access token

Screenshots
N/A

Setup (please complete the following information):

  • Python Version: [e.g. Python 3.8]
    Python 3.7(docker image: mcr.microsoft.com/azure-functions/python:3.0-python3.7-slim)
  • SDK Version: [e.g. azure-mgmt-resource-15.0.0b1]
    azure-identity==1.4.0
    azure-keyvault-secrets==4.2.0

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@Shuanglu Shuanglu changed the title [BUG Bash] Python app running in the k8s pod failed while retrieving the token from MSI [Azure Identity] Python app running in the k8s pod failed while retrieving the token from MSI Mar 11, 2021
@yunhaoling
Contributor

Thanks @Shuanglu for reaching out. We'll investigate this ASAP.
Adding @chlowell, who could further help on the issue.

@yunhaoling yunhaoling added this to the [2021] April milestone Mar 11, 2021
@chlowell
Member

Thanks for opening this issue. I haven't seen this error before. My first thought is, the credential may be getting an unexpected payload from the managed identity endpoint. That is to say, not JSON. I would have expected a different error in such a case but if the credential somehow got a string instead of a dictionary (deserialized JSON), "string indices must be integers" makes sense.

Could you please collect some debugging information? I'm curious about the original exception, and the managed identity endpoint's response. If you configure a logger for DEBUG logging, you'll get a traceback of the original exception. If you pass logging_enable=True to the credential, it will log its HTTP sessions including any authentication secrets in them, so only do this if your log output is secure:

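    import logging
    from azure.identity import DefaultAzureCredential

    logger = logging.getLogger('azure')
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler())  # send records to stderr
    credential = DefaultAzureCredential(logging_enable=True)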

The log output will look something like this:

Request URL: 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net'
Request method: 'GET'
Request headers:
    'Metadata': 'true'
    'User-Agent': 'azsdk-python-identity/1.4.0 Python/3.6.9 (Linux-5.4.0-1040-azure-x86_64-with-Ubuntu-18.04-bionic)'
Request body:
This request has no body
Response status: 200
Response headers:
    'Content-Type': 'application/json; charset=utf-8'
    'Server': 'IMDS/150.870.65.492'
    'Date': 'Fri, 12 Mar 2021 00:26:16 GMT'
    'Content-Length': '1645'
Response content:
    ...

If debug-level logging isn't safe for your application, you can also simply configure an "azure" logger for INFO messages. The output won't include response bodies then, but it will at least show the content type of the managed identity response.
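
Added illustration, not part of the original thread and not Azure SDK code: a response body that is valid JSON but whose top level is a string makes a dict-style lookup fail with exactly the reported error, and a small checker can classify such responses without writing the token to a log. The function names and sample bodies are constructed for this example; nothing here establishes what the reporter's endpoint actually returned.

```python
import json

# Fields the credential needs from the token response (present in IMDS responses).
REQUIRED = ("access_token", "expires_on")

def diagnose_token_response(content_type, body):
    """Classify a managed identity response; the detail never echoes the token."""
    if "json" not in (content_type or "").lower():
        return "not-json-content-type", "Content-Type=%r, %d bytes" % (content_type, len(body))
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as ex:
        return "invalid-json", "parse error: %s" % ex.msg
    if not isinstance(payload, dict):
        # A JSON *string* parses fine but is a str, so payload["access_token"]
        # raises TypeError: string indices must be integers.
        return "json-but-not-object", "top-level type is %s" % type(payload).__name__
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        return "missing-fields", "missing: " + ", ".join(missing)
    return "ok", "token length %d, expires_on=%s" % (
        len(payload["access_token"]), payload["expires_on"])

def naive_extract(body):
    """A client that assumes the body always deserializes to a dict."""
    return json.loads(body)["access_token"]

# Constructed sample bodies, not captured from a real endpoint.
GOOD = json.dumps({"access_token": "constructed-token-value",
                   "expires_on": "1615508776", "token_type": "Bearer"})
DOUBLE_ENCODED = json.dumps(GOOD)  # valid JSON whose top level is a string
HTML = "<html><body>502 Bad Gateway</body></html>"

if __name__ == "__main__":
    json_type = "application/json; charset=utf-8"
    for name, ctype, body in [("good", json_type, GOOD),
                              ("double-encoded", json_type, DOUBLE_ENCODED),
                              ("html", "text/html", HTML)]:
        print(name, diagnose_token_response(ctype, body))
    try:
        naive_extract(DOUBLE_ENCODED)
    except TypeError as ex:
        print("naive client:", ex)
```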

@Shuanglu
Author

Thanks a lot! Will provide the debug log once I get that.

@ghost

ghost commented Mar 23, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@Shuanglu
Author

Shuanglu commented Apr 3, 2021

Client discontinued. Closing... Thanks a ton for the support!

@Shuanglu Shuanglu closed this as completed Apr 3, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023