Metadata Service and Managed Identity weird behavior

Shahar Glazner 1 Reputation point
2019-11-28T14:06:49.037+00:00

Hi,

I'm experiencing some weird behavior using Managed Identities and the Azure Instance Metadata Service.

According to the documentation, if I want an access token for the System Assigned Identity, I need to query the Azure Instance Metadata Service without any Client ID.

Also according to the documentation, if I want an access token for a User Assigned Identity, I need to specify the client ID that represents that identity.

This works fine if I first assign the System Assigned Identity and only afterwards assign the User Assigned Identity.

But if I first create the VM with a User Assigned Identity (e.g. using --assign-identity %user_identity% in Azure CLI) and only afterwards assign it a System Assigned Identity, then when I query the Azure Instance Metadata Service without any client ID, I get the access token for the User Assigned Identity instead of the access token for the System Assigned Identity.

In addition, because the Client ID of a System Assigned Identity isn't exposed through the API (I have only the Object ID), I can't retrieve that access token in any other way.

I can reproduce this behavior. For example, I have a VM named shaharVM4 which I created with a user-assigned identity (using --assign-identity) and after that assigned a system-assigned identity using the Azure Portal.

We can easily see that this VM now has both user-assigned and system-assigned identities:

az vm identity show  --resource-group shaharGroup --name shaharVM4  
{  
  "principalId": "d54100ed-71e9-41c1-8af1-161c2855305f",  
  "tenantId": "df242c82-fe4a-47e0-b0f4-e3cb7f8104f1",  
  "type": "SystemAssigned, UserAssigned",  
  "userAssignedIdentities": {  
    "/subscriptions/0ee9e8ab-89fd-437f-abbb-6b062d5b0485/resourceGroups/shaharGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/shaharidentity": {  
      "clientId": "7230cc60-8b9b-4bae-a57a-666a668f772a",  
      "principalId": "14751f4a-d914-4aef-847b-49ab81c21128"  
    }  
  }  
}  

But if I query the Metadata Service without any client ID, I get the user-assigned identity by default:
(you can notice that the retrieved client_id is that of the user-assigned identity and NOT of the system-assigned one)

curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" -H Metadata:true -s | jq .  
{  
  "access_token": "...",  
  "client_id": "7230cc60-8b9b-4bae-a57a-666a668f772a",  
  "expires_in": "28800",  
  "expires_on": "1574976193",  
  "ext_expires_in": "28800",  
  "not_before": "1574947093",  
  "resource": "https://management.azure.com/",  
  "token_type": "Bearer"  
}  

Should this be happening? Is there any way to bypass it?

Thanks!


3 answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2019-12-04T09:59:53.203+00:00

    @Shahar Glazner , I tested both the "User Assigned Managed Identity" and the "System Assigned Managed Identity" for a VM.

    PS C:\windows\system32> az vm identity show  --resource-group MyRG --name Win10ClientVM  
    {  
      "principalId": "0026b60a-0c5c-46f5-91bf-b52a3e20d326",  
      "tenantId": "xxxx-xxxx-xxxxx-xxxxxx",  
      "type": "SystemAssigned, UserAssigned",  
      "userAssignedIdentities": {  
        "/subscriptions/xxxx-xxxx-xxxx-xxxxxx/resourceGroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UMSI1": {  
          "clientId": "065a5b93-d459-428d-a156-3b523dd8aa91",  
          "principalId": "d8c1b46c-3a3d-45e8-8380-dbd41279874c"  
        }  
      }  
    }  
    

    Ideally, if you use the following command, you should get a token issued to the System Assigned Managed Identity:

    $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -UseBasicParsing -Method GET -Headers @{Metadata="true"}  
    

    While, if you use the following command, with the ObjectID mentioned in it, you should get a token issued to the User Assigned Managed Identity object:

    $response1 = Invoke-WebRequest -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=d8c1b46c-3a3d-45e8-8380-dbd41279874c" -UseBasicParsing -Method GET -Headers @{Metadata="true"}  
    

    This is irrespective of whether you enabled the System Assigned Managed Identity first or the User Assigned Managed Identity first.

    Hope this helps. Do let us know if more queries pop up around this so that we can help you further.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!
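The question and the answer above both assume that "no client_id" selects the system-assigned identity; the safer approach is to request the token and then check which identity it was actually issued to. The following is an added example (it is not code from either post and not Microsoft's own tooling). It reads the `az vm identity show` output to decide which selector to send to IMDS (none for system-assigned, `client_id` for a user-assigned identity), builds the IMDS request, and verifies the returned token by comparing its `oid` claim (the identity's principalId) and `appid` claim (the client ID) with what was expected. The network call only works on an Azure VM; the sample identity JSON below is constructed from the shaharVM4 values in the question, and the sample token is a constructed, unsigned JWT for offline demonstration, not a real IMDS response.

```python
# Added example (not from the original post): request a managed-identity token from
# Azure IMDS and check which identity it was actually issued to, instead of trusting
# that "no client_id" means "system-assigned". Standard library only.
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def expected_identity(vm_identity, user_identity_resource_id=None):
    """From `az vm identity show` output, return (selector, expected_principal_id).
    selector is the extra IMDS query parameter to send: {} for the system-assigned
    identity, {"client_id": ...} for the named user-assigned identity."""
    if user_identity_resource_id is None:
        if "SystemAssigned" not in vm_identity.get("type", ""):
            raise ValueError("VM has no system-assigned identity")
        return {}, vm_identity["principalId"]
    uami = vm_identity["userAssignedIdentities"][user_identity_resource_id]
    return {"client_id": uami["clientId"]}, uami["principalId"]


def build_token_request(resource, selector=None, api_version="2018-02-01"):
    """IMDS token request: Metadata:true header, resource URL-encoded."""
    params = {"api-version": api_version, "resource": resource}
    params.update(selector or {})
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_token(request):
    """Network call; only succeeds on an Azure VM with a managed identity."""
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload without verifying the signature: IMDS is the trusted
    issuer here and we only want to read oid/appid, not authenticate the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_identity(token_response, expected_principal_id):
    """True only if the token was issued to the identity we asked for: the oid claim
    must equal the identity's principalId, and the response's client_id must agree
    with the token's appid claim."""
    claims = token_claims(token_response["access_token"])
    if claims.get("appid") != token_response.get("client_id"):
        return False
    return claims.get("oid") == expected_principal_id


# --- constructed sample data, copied from the shaharVM4 output in the question ---
UAMI_ID = ("/subscriptions/0ee9e8ab-89fd-437f-abbb-6b062d5b0485/resourceGroups/"
           "shaharGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"
           "shaharidentity")
SAMPLE_VM_IDENTITY = {
    "principalId": "d54100ed-71e9-41c1-8af1-161c2855305f",
    "tenantId": "df242c82-fe4a-47e0-b0f4-e3cb7f8104f1",
    "type": "SystemAssigned, UserAssigned",
    "userAssignedIdentities": {
        UAMI_ID: {"clientId": "7230cc60-8b9b-4bae-a57a-666a668f772a",
                  "principalId": "14751f4a-d914-4aef-847b-49ab81c21128"}
    },
}


def _fake_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed response shaped like the one in the question: a token for the
# user-assigned identity came back even though no selector was sent.
SAMPLE_RESPONSE = {
    "access_token": _fake_jwt({"aud": "https://management.azure.com/",
                               "oid": "14751f4a-d914-4aef-847b-49ab81c21128",
                               "appid": "7230cc60-8b9b-4bae-a57a-666a668f772a"}),
    "client_id": "7230cc60-8b9b-4bae-a57a-666a668f772a",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
}


def demo():
    """Ask for the system-assigned identity, then verify the sample response."""
    selector, want = expected_identity(SAMPLE_VM_IDENTITY)
    req = build_token_request("https://management.azure.com/", selector)
    return req.full_url, want, check_token_identity(SAMPLE_RESPONSE, want)


if __name__ == "__main__":
    url, want, ok = demo()
    print("request:", url)
    print("expected oid:", want, "| token matches:", ok)
```

On a real VM, replace `SAMPLE_RESPONSE` with `fetch_token(req)`; if `check_token_identity` returns False, the token belongs to a different identity than the one you intended, which is exactly the condition the question describes and the one that would otherwise go unnoticed until an RBAC check fails somewhere downstream.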


  2. Shahar Glazner 1 Reputation point
    2019-12-10T12:28:22.717+00:00

    Thanks @soumi-MSFT , but that's still not what I'm looking for.

    Suppose you have a server without any identity. Then you assign it a user-assigned identity. Now, querying the Metadata Service without any client_id or object_id will return a token for the user-assigned identity.

    Now, if you also assign a system-assigned identity, how do you get a token for that identity? If you don't use any client_id/object_id, you get the token for the user-assigned identity (that's the odd behavior). You don't have a client_id for that identity, because it's system-assigned and you can't control it. You have only the object ID.

    az vm identity show --resource-group shaharGroup --name shaharVM5  
    {  
      "principalId": "80595d5f-a106-46da-a7ac-76beeae3a9cc",  
      "tenantId": "df242c82-fe4a-47e0-b0f4-e3cb7f8104f1",  
      "type": "SystemAssigned, UserAssigned",  
      "userAssignedIdentities": {  
        "/subscriptions/0ee9e8ab-89fd-437f-abbb-6b062d5b0485/resourceGroups/shaharGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/shaharidentity": {  
          "clientId": "7230cc60-8b9b-4bae-a57a-666a668f772a",  
          "principalId": "14751f4a-d914-4aef-847b-49ab81c21128"  
        }  
      }  
    }  
    

    Then, when I try to get a token for the system-assigned identity:

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-06-04&resource=https%3A%2F%2Fmanagement.azure.com%2F&object_id=80595d5f-a106-46da-a7ac-76beeae3a9cc' -H Metadata:true -s | jq .  
    {  
      "error": "invalid_request",  
      "error_description": "Identity not found"  
    }  
    

  3. DW 1 Reputation point
    2020-02-25T14:56:45.78+00:00

    Hi

    Is there any update on this, as I am seeing the same behaviour accessing a key vault: it works without a client_id but fails when we supply one. This seems a bit odd.

    Thanks