Support Updated api-version When Authenticating in Azure Container App With MSI_ENDPOINT #21616
Comments
Hello, I confirm the issue also with the provider AzureAD (last version). From my point of view, the best way to resolve this issue would be to have a dedicated env variable that could be used to customize the API version (ARM_MSI_APIVERSION ?). This is already available for the endpoint itself (ARM_MSI_ENDPOINT); having this new environment variable will keep the same philosophy. Kind regards, Lucas.

Thanks @MS-LUF

Any update on this request please?

hi! we are facing the exact same issue running inside an azure app service.

```yaml
# this is required for MSI to work in app service
- export ARM_USE_MSI=true
# this parameter is required for MSI to work in app service, it changes the URL from the well-known http://169.254.169.254/metadata/identity/oauth2/token
# to the MSI for app service: 'http://169.254.129.5:8081/msi/token'
# see ISSUE: https://github.com/hashicorp/terraform-provider-azurerm/issues/21616
# the IDENTITY_ENDPOINT is auto-populated from the app service, see : https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Cdotnet#rest-endpoint-reference
- export ARM_MSI_ENDPOINT=$IDENTITY_ENDPOINT
# we set the ARM_CLIENT_ID to the client id of the app service ( UMI )
```

then we just run a simple main.tf :

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.75.0"
    }
  }
  backend "http" {
  }
}

# provider block
provider "azurerm" {
  skip_provider_registration = true
  features {}
}

# data resource for the current user
data "azurerm_client_config" "current" {}

# resource group , named after the current user id
resource "azurerm_resource_group" "rg" {
  name     = "rg-umi-${data.azurerm_client_config.current.client_id}"
  location = "westeurope"
}
```

and we get the error:

I have the same issue but within Container Apps.

```json
{
  "error": {
    "code": "UnsupportedApiVersion",
    "message": "The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.",
    "innerError": null
  }
}
```

Any update on this problem? I can confirm that with the version

```bash
export API_VERSION="2019-08-01"
export RESPORCE_URI="https://management.azure.com/"
export TOKEN_AUTH_URI="$IDENTITY_ENDPOINT/?api-version=$API_VERSION&resource=$RESPORCE_URI"
curl -s -X GET -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" -H "Secret: $MSI_SECRET" -H "Content-Type: application/json" "$TOKEN_AUTH_URI"
```

and get this:

Any update on this issue?

Nice work @vermacodes.

If this issue is of interest to you, can you please do a thumbs up on the PR? That helps maintainers to prioritize the review. Thank you. Tagging @tombuildsstuff for attention.

Is there an existing issue for this?
Community Note
Description
Authentication using `MSI_ENDPOINT` for Terraform in Azure Container App is using the `api-version` `2018-02-01` as shown in the error below. The `api-version` for authenticating in Azure Container App is `2019-08-01`.
New or Affected Resource(s)/Data Source(s)
azurerm_resource_group
Potential Terraform Configuration
References
No response
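
The api-version mismatch described in this issue, as an added Go example that is not part of the original issue or the provider's code: a request builder that sends `2019-08-01` with `X-IDENTITY-HEADER` when App Service or Container Apps inject `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`, and otherwise falls back to the well-known IMDS URL with `2018-02-01`. `BuildTokenRequest` is a hypothetical name, the environment values are constructed, and the `Metadata: true` header and `client_id` parameter come from the Azure managed identity REST documentation rather than from this thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Well-known IMDS token URL quoted in the thread; it speaks api-version 2018-02-01.
const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"

// BuildTokenRequest (hypothetical helper) chooses the api-version and the
// header that match the managed identity endpoint the environment exposes.
func BuildTokenRequest(env map[string]string, resource, clientID string) (*http.Request, error) {
	endpoint, apiVersion := imdsEndpoint, "2018-02-01"
	hdrName, hdrValue := "Metadata", "true"
	// App Service and Container Apps inject both variables and expect 2019-08-01.
	if ep, h := env["IDENTITY_ENDPOINT"], env["IDENTITY_HEADER"]; ep != "" && h != "" {
		endpoint, apiVersion = ep, "2019-08-01"
		hdrName, hdrValue = "X-IDENTITY-HEADER", h
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, fmt.Errorf("parsing identity endpoint: %w", err)
	}
	q := u.Query()
	q.Set("api-version", apiVersion)
	q.Set("resource", resource)
	if clientID != "" {
		q.Set("client_id", clientID) // selects a user-assigned identity
	}
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(hdrName, hdrValue)
	return req, nil
}

func main() {
	// Constructed environment modelled on the Container Apps error in the thread.
	env := map[string]string{"IDENTITY_ENDPOINT": "http://localhost:42356/msi/token", "IDENTITY_HEADER": "constructed"}
	req, err := BuildTokenRequest(env, "https://management.azure.com/", "")
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL.String())
}
```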