Managed Identity Service Connection Not Supported in All Agent Runtime Environments #328

Closed
lsuarez5280 opened this issue Jun 17, 2024 · 16 comments · May be fixed by #329
Labels
bug Something isn't working

Comments

@lsuarez5280

lsuarez5280 commented Jun 17, 2024

The following code in azure-arm-common.ts:357-361 is dated and too prescriptive, resulting in a failure to leverage Managed Identity in Azure Container Apps hosting my Azure Pipelines agents:

let apiVersion = "2018-02-01";
webRequest.uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=" + apiVersion + "&resource=" + resourceId;
webRequest.headers = {
    "Metadata": true
};

The current code results in the following debug output after two minutes from a pipeline using the AzureWebApp@1 task.

2024-06-16T10:07:46.2198904Z Got service connection details for Azure App Service:'[redacted]'
2024-06-16T10:07:46.2199146Z ##[debug]MSAL - getMSALToken called. force=undefined
2024-06-16T10:07:46.2199319Z ##[debug]agent.proxyurl=undefined
2024-06-16T10:07:46.2199492Z ##[debug]agent.proxybypasslist=undefined
2024-06-16T10:07:46.2199705Z ##[debug][Sun, 16 Jun 2024 10:07:43 GMT] : @azure/[email protected] : Info - acquireTokenByClientCredential called
2024-06-16T10:07:46.2199986Z ##[debug][Sun, 16 Jun 2024 10:07:44 GMT] : [a3cbad3d-90fb-452e-bac8-76e65feb7c77] : @azure/[email protected] : Info - Using appTokenProvider extensibility.
2024-06-16T10:07:46.2200221Z ##[debug]MSAL - ManagedIdentity is used.
2024-06-16T10:07:46.2200389Z ##[debug]CLIENT_RESETSTREAMONRETRY=undefined
2024-06-16T10:07:46.2200610Z ##[debug][GET]http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
2024-06-16T10:07:46.7059248Z ##[debug]Agent environment resources - Disk: / Available 10771.00 MB out of 20064.00 MB, Memory: Used 1434.00 MB out of 2667.00 MB, CPU: Usage 13.57%
2024-06-16T10:07:51.7054738Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1448.00 MB out of 2667.00 MB, CPU: Usage 12.94%
2024-06-16T10:07:56.7060122Z ##[debug]Agent environment resources - Disk: / Available 10774.00 MB out of 20064.00 MB, Memory: Used 1451.00 MB out of 2667.00 MB, CPU: Usage 11.26%
...
2024-06-16T10:09:53.9885966Z ##[debug]Encountered a retriable error:ETIMEDOUT. Message: connect ETIMEDOUT 169.254.169.254:80.

As an example, the following is the constructed URL for obtaining MSI tokens based on the runtime environment of one replica of my agents.

http://localhost:42356/msi/token?api-version=2019-08-01&resource=https://management.azure.com

See an image capture from an example bash console session below:

image

I would suggest a backwards-compatible rewrite of the code to the following to leverage a more recent MSI API:

const useMsi2019 = process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER;
const apiVersion = useMsi2019 ? "2019-08-01" : "2018-02-01";
const tokenEndpoint = useMsi2019 ? process.env.IDENTITY_ENDPOINT : "http://169.254.169.254/metadata/identity/oauth2/token";
webRequest.uri = `${tokenEndpoint}?api-version=${apiVersion}&resource=${resourceId}`;

webRequest.headers = {
    "Metadata": true
};

if (useMsi2019) {
    webRequest.headers["X-Identity-Header"] = process.env.IDENTITY_HEADER;
}

If this repository is accepting contributions, please tag me if desired and I'll submit a pull request with this information.
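The endpoint selection proposed in the report above, as an added example that is not part of the original issue or of the project's code. It goes slightly beyond the proposal by percent-encoding the query values, accepting an optional `client_id`, masking the `IDENTITY_HEADER` value in log output and applying a request timeout; the function names and the sample environment are hypothetical.

```javascript
// Added example (not the project's code). Helper names are hypothetical.
const IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";
const SECRET_HEADER = "X-IDENTITY-HEADER";

// Build the managed identity token request for the current runtime.
// env is an object shaped like process.env; clientId (optional) selects a
// user-assigned identity.
function buildManagedIdentityRequest(env, resourceId, clientId) {
    if (!resourceId) {
        throw new Error("resourceId is required");
    }
    // Same rule as the proposal in the report: use the 2019-08-01 API only
    // when both variables are present, otherwise fall back to IMDS.
    const useMsi2019 = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
    const url = new URL(useMsi2019 ? env.IDENTITY_ENDPOINT : IMDS_TOKEN_ENDPOINT);
    if (url.protocol !== "http:" && url.protocol !== "https:") {
        throw new Error("IDENTITY_ENDPOINT must be an http(s) URL");
    }
    // searchParams percent-encodes the values, so a resource URI containing
    // '&' or '#' cannot alter the query string.
    url.searchParams.set("api-version", useMsi2019 ? "2019-08-01" : "2018-02-01");
    url.searchParams.set("resource", resourceId);
    if (clientId) {
        url.searchParams.set("client_id", clientId);
    }
    // The secret header is attached only to the endpoint named by the environment.
    const headers = useMsi2019
        ? { [SECRET_HEADER]: env.IDENTITY_HEADER }
        : { Metadata: "true" };
    return { source: useMsi2019 ? "identity-endpoint" : "imds", uri: url.toString(), headers };
}

// Debug-log form of a request with the IDENTITY_HEADER value masked.
function describeForLog(request) {
    const shown = { ...request.headers };
    if (SECRET_HEADER in shown) {
        shown[SECRET_HEADER] = "***";
    }
    return `[GET]${request.uri} headers=${JSON.stringify(shown)}`;
}

// Send the request with a short timeout so an unreachable endpoint fails in
// seconds rather than after the two-minute connect timeout seen in the log.
async function acquireManagedIdentityToken(env, resourceId, timeoutMs = 5000) {
    const request = buildManagedIdentityRequest(env, resourceId);
    const response = await fetch(request.uri, {
        headers: request.headers,
        signal: AbortSignal.timeout(timeoutMs),
    });
    if (!response.ok) {
        throw new Error(`token endpoint (${request.source}) returned HTTP ${response.status}`);
    }
    return (await response.json()).access_token;
}

// Constructed sample environment: the secret value is made up for the demo.
const sampleEnv = {
    IDENTITY_ENDPOINT: "http://localhost:42356/msi/token",
    IDENTITY_HEADER: "constructed-secret-value",
};
console.log(describeForLog(buildManagedIdentityRequest(sampleEnv, "https://management.azure.com/")));
console.log(describeForLog(buildManagedIdentityRequest({}, "https://management.azure.com/")));
```
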

@lsuarez5280
Author

Could someone on the team clarify whether this issue and its pull request will be considered? The current radio silence doesn't give me any expectation as to whether monitoring this report is worth my effort. I've been keeping the pull request in sync with the latest from main for two and a half weeks now.

If the report and fix will be considered or there are any requests for modified code or test cases (aside from merging what I hope is a pending build fix for failures on main), I'm happy to be patient about it or submit additional commits, but please at least let me know what to expect.

While I debated internally if I should do this, I'm tagging you all in the hopes anyone at all actively contributing here will have some feedback:
@manolerazvan
@embetten
@cormacpayne
@DenisNikulin5
@LeftTwixWand
@starkmsu
@ismayilov-ismayil
@DmitriiBobreshev
@kirill-ivlev
@DergachevE
@onetocny
@aleksandrlevochkin
@vmapetr

@ataverascrespo

@lsuarez5280 Unfortunately it doesn't seem like many external PRs get approved or even looked at in this repo. Been doing the same for my own PR since beginning of April

@lsuarez5280
Author

Thanks @ataverascrespo. Quite a way to run an open source project...

@v-schhabra
Contributor

Hi @lsuarez5280
Apologies for the inconvenience caused by this issue.
This issue is already fixed in this PR. I hope now you are not having any issues with AzureWebApp task.
microsoft/azure-pipelines-tasks#20170

@lsuarez5280
Author

lsuarez5280 commented Aug 7, 2024

@v-schhabra The issue persists using task [email protected]. The impacted code identified in the original issue report is not using the @azure/msal-node package to retrieve tokens (in the managed identity scenario, @azure/identity would be more appropriate if an Azure library is desired here). Please review the original report link and associated pull request. I'm providing a full log dump below from my run moments ago. In particular, the behavior is demonstrated by the following log entries:

2024-08-07T04:58:36.6162064Z ##[debug]MSAL - ManagedIdentity is used.
2024-08-07T04:58:36.6162457Z ##[debug][GET]http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

Full reproduction:


@v-schhabra
Contributor

Will check and get back to you on this soon. Thanks for sharing the logs.

@lsuarez5280
Author

lsuarez5280 commented Aug 28, 2024

@v-schhabra Since you're the only one who's responded to this issue, I decided to address my query to you. Can you comment with any expectation I should have that the PR I've provided might be considered for a resolution of this issue, or should I abandon keeping it up to date?

My latest merge was unsuccessful but I don't want to troubleshoot this if my effort will ultimately be wasted.

@v-schhabra
Contributor

Hi @lsuarez5280
Thanks for your contribution. Currently our team has started investigation on this and we are checking on what exactly the issue is and what changes caused it. Maybe once we find out what is the issue, we can check your PR and take it forward for merging.

@nagarajku

Hi @lsuarez5280 - Can you please share the detailed repro steps or configuration to check the issue?

@lsuarez5280
Author

lsuarez5280 commented Sep 4, 2024

@nagarajku The steps are as implied in the original issue report:

  1. Create a Docker agent image
  2. Push the agent image to Azure Container Registry
  3. Host a replica of the image in Azure Container Apps and configure to register with DevOps agent pool
  4. Create an Azure Resource Manager service connection that uses Managed Identity to connect
  5. Create an Azure App Service to receive a deployment
  6. Grant the Azure Container App managed identity Website Contributor RBAC permission on the app service
  7. Deploy to the App Service using AzureRmWebAppDeployment@4 leveraging the managed identity service connection

Irrespective of the specific reproduction steps used in my case, the code identified is requesting a dated API version of the MSI token API that is not supported by all potential Azure host runtimes and should be remediated. The DevOps team could reduce maintenance for this task by adopting @azure/identity to perform this task using DefaultAzureCredential (see samples).

@nagarajku

Hi @lsuarez5280 - Hope you are doing well!!
I would like to provide an update on the issue, where we have followed the instructions to repro the issue at our side. Unfortunately, we couldn't see the issue getting reproduced.
Is it possible for a 1-1 connect to understand the issue? Thanks

@lsuarez5280
Author

@nagarajku I will need some time to reproduce this. Addressing this issue has taken long enough that the pilot environment I was working in was decommissioned and I'll have to spin this up elsewhere.

@nagarajku

Hi @lsuarez5280 - Reminder: do you have a setup ready to repro this issue as informed in the last conversation? Please let me know if it is ready, so that we can plan for a 1-1 connect to understand the issue.
Thanks

@nagarajku

Hi @lsuarez5280 - as we did not hear back, we are closing the issue. Feel free to reach us for any assistance.
Thanks

@v-schhabra v-schhabra added the bug Something isn't working label Nov 18, 2024