How do you get a token for an azure managed identity via REST interface?


This question refers to the article:

https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity

I'm trying to figure out how I can simulate using the service principal that is generated for my Azure application to work locally.

I followed the article and when I deploy the Azure function to Azure and run it from there, I'm able to successfully use the MSI_ENDPOINT and the MSI_SECRET to get the token. However, when I run the same deployment locally it fails. I use the exact same MSI_SECRET and change the MSI_ENDPOINT to the domain that I use for the Azure function endpoint.

Example: On Azure the MSI_ENDPOINT = http://127.0.0.1:41831 and locally it is http://localhost:7071 (http://0.0.0.0:7071).

However, when I run it locally I get a 404 error with the request. The request is http://0.0.0.0:7071/MSI/token?resource=https://vault.azure.net&api-version=2017-09-01 with the secret in the header. Exact same params as the working one loaded on Azure except for the MSI_ENDPOINT.

Any advice on how to address this so I can run and test locally?

Using the Microsoft.Azure.Services.AppAuthentication library for .NET: "For .NET applications and functions, the simplest way to work with a managed identity is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the Azure CLI, or Active Directory Integrated Authentication. For more on local development options with this library, see the Microsoft.Azure.Services.AppAuthentication reference. This section shows you how to get started with the library in your code. Add references to the Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault NuGet packages to your application."

However, this library is only available in .NET, which I'm not using, and the article does not really explain how you would do it via a REST call.

Thanks!


There is 1 answer

Alex AIT

As far as I understand, MSI via REST works for you in the cloud, but not locally.

Unfortunately, it seems this is currently not easily possible when you can't use the AppAuthentication library. See this GitHub suggestion.

So if you don't want to hack some debug code into your production code, you probably need to host a "custom MSI proxy" locally which just performs the classic authentication via client credentials (appId + secret) to return the token.

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https%3A%2F%2Fvault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

Note that I added the KeyVault as the resource parameter. See your built MSI URL - http://0.0.0.0:7071/MSI/token?resource=https://vault.azure.net&api-version=2017-09-01
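The "custom MSI proxy" the answer describes, as an added example that is not part of the original post or of any Microsoft library: a loopback-only HTTP server that answers the same GET /MSI/token?resource=...&api-version=2017-09-01 request the app already sends, checks the "secret" header against MSI_SECRET, and obtains the token with the client-credentials call from the curl above. The environment variable names, the listening port and the set of fields copied into the reply are assumptions for this example.

```python
import json
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed config, read from the environment (placeholders here; never hard-code real secrets).
TENANT_ID = os.environ.get("AZURE_TENANT_ID", "<tenant-id>")
CLIENT_ID = os.environ.get("AZURE_CLIENT_ID", "<app-id>")
CLIENT_SECRET = os.environ.get("AZURE_CLIENT_SECRET", "<client-secret>")
MSI_SECRET = os.environ.get("MSI_SECRET", "local-dev-secret")  # what the app sends in its "secret" header

def build_token_request(tenant, client_id, client_secret, resource):
    """Build the classic client-credentials request (URL + form body), the same call as the answer's curl."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": resource}).encode()
    return url, body

def fetch_token(url, body):
    """POST the form to Azure AD and return the parsed JSON token response."""
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)

def handle_msi_request(path, headers, expected_secret, fetch=fetch_token):
    """Emulate GET <MSI_ENDPOINT>/MSI/token?resource=...; returns (http_status, response_body)."""
    parsed = urllib.parse.urlparse(path)
    if parsed.path != "/MSI/token":
        return 404, {"error": "not found"}
    # Require the same "secret" header the real endpoint checks, so stray local processes cannot mint tokens.
    if headers.get("secret") != expected_secret:
        return 401, {"error": "missing or invalid secret header"}
    resource = urllib.parse.parse_qs(parsed.query).get("resource", [None])[0]
    if not resource:
        return 400, {"error": "resource parameter is required"}
    token = fetch(*build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, resource))
    # Expose only the fields assumed to match the real MSI response, not the whole AAD reply.
    return 200, {k: token[k] for k in ("access_token", "expires_on", "resource", "token_type") if k in token}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle_msi_request(self.path, self.headers, MSI_SECRET)
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":  # bind to loopback only; point MSI_ENDPOINT at http://127.0.0.1:41831
    HTTPServer(("127.0.0.1", 41831), Handler).serve_forever()
```

With the proxy running, the function app needs only MSI_ENDPOINT and MSI_SECRET set to the proxy's address and header value; the client secret stays in the proxy's environment rather than in the application code.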