Authenticate with Managed Service Identity(MSI) does not run as written

Question

Authenticate with Managed Service Identity(MSI) does not run as written

GeekTrainer opened this issue 5 years ago · comments

Christopher Harrison commented 5 years ago

Attempted copy and paste of MSI sample, and receive the following error message:

raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='ip address', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f18a6d81f90>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

Doug Erickson · Answer 1 · Fri Apr 12 2019 00:21:00 GMT+0800 (China Standard Time)

@sptramer -- can you investigate?

Stephen Tramer · Answer 2 · Fri Apr 12 2019 05:12:57 GMT+0800 (China Standard Time)

In order to sign in with an MSI, your Azure resource needs to be configured to use it. See How to configure MSI and How to sign in with MSI.

Investigating some other potential issues with this sample but configuring the resource for MSI resolved the HTTP connection problem.

Stephen Tramer · Answer 3 · Fri Apr 12 2019 07:15:56 GMT+0800 (China Standard Time)

@GeekTrainer It looks like this issue is because your VM resource might not be configured for MSI, and that MSI may not have an assigned role or scope. The best way to handle this is to use the CLI to create the MSI and assign scope at once:

az vm identity assign \
  -g DefaultRG \
  -n TestVM \
  --role Contributor \
  --scope /subscriptions/your-sub-here/resourceGroups/your-rg-here