Support Updated api-version When Authenticating in Azure Container App With MSI_ENDPOINT #21616

kabal2010 opened this issue May 1, 2023 · 10 comments

@kabal2010

kabal2010 commented May 1, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Authentication using MSI_ENDPOINT for Terraform in Azure Container App is using the api-version 2018-02-01, as shown in the error below.

2023-05-01T13:05:58.920Z [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/azurerm\"]" changed the config value, but that value is unused
2023-05-01T13:05:58.921Z [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: Performing GET Request to "http://localhost:42356/msi/token?api-version=2018-02-01&client_id=003873c2-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com": timestamp=2023-05-01T13:05:58.921Z
2023-05-01T13:05:58.921Z [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: GET http://localhost:42356/msi/token?api-version=2018-02-01&client_id=003873c2-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com: timestamp=2023-05-01T13:05:58.921Z
2023-05-01T13:05:58.924Z [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: Reading Body from GET "http://localhost:42356/msi/token?api-version=2018-02-01&client_id=003873c2-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com": timestamp=2023-05-01T13:05:58.923Z
2023-05-01T13:05:58.924Z [ERROR] provider.terraform-provider-azurerm_v3.54.0_x5: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto tf_provider_addr=provider tf_req_id=25930b13-aa7d-85a3-16d2-9f2dc2c91794 tf_rpc=Configure diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.","innerError":null}}" tf_proto_version=5.3 timestamp=2023-05-01T13:05:58.924Z
2023-05-01T13:05:58.924Z [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.","innerError":null}}
2023-05-01T13:05:58.924Z [INFO]  backend/local: plan operation completed

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.","innerError":null}}
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on provider.tf line 1, in provider "azurerm":
│    1: provider "azurerm" {
│ 
╵
2023-05-01T13:05:58.940Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-05-01T13:05:58.943Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.54.0/linux_amd64/terraform-provider-azurerm_v3.54.0_x5 pid=7848
2023-05-01T13:05:58.943Z [DEBUG] provider: plugin exited

The api-version for authenticating in Azure Container App is 2019-08-01

New or Affected Resource(s)/Data Source(s)

azurerm_resource_group

Potential Terraform Configuration

The api-version called when authenticating using MSI_ENDPOINT will be 2019-08-01

References

No response

@MS-LUF

MS-LUF commented Jul 17, 2023

Hello,

I confirm the issue also with the provider AzureAD (last version). From my point of view, the best way to resolve this issue would be to have a dedicated env variable that could be used to customize the API version (ARM_MSI_APIVERSION ?). This is already available for the endpoint itself (ARM_MSI_ENDPOINT), having this new environment variable will keep the same philosophy.

Kind regards,

Lucas.

@kabal2010
Author

Thanks @MS-LUF
Can the team please confirm the status of this request? My company is looking to make use of this feature like yesterday and we'll appreciate it if we can get traction on it.

@kabal2010
Author

Any update on this request please?

@jrblanno

jrblanno commented Nov 6, 2023

Hi! We are facing the exact same issue running inside an Azure App Service.

    # this is required for MSI to work in app service
    - export ARM_USE_MSI=true
    # this parameter is required for MSI to work in app service, it changes the URL from the well-known http://169.254.169.254/metadata/identity/oauth2/token
    # to the MSI for app service: 'http://169.254.129.5:8081/msi/token'
    # see ISSUE: https://github.com/hashicorp/terraform-provider-azurerm/issues/21616
    # the IDENTITY_ENDPOINT is auto-populated from the app service, see : https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Cdotnet#rest-endpoint-reference
    - export ARM_MSI_ENDPOINT=$IDENTITY_ENDPOINT
    # we set the ARM_CLIENT_ID to the client id of the app service ( UMI )

then we just run a simple main.tf :

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.75.0"
    }
  }
  backend "http" {

  }
}

# provider block
provider "azurerm" {
  skip_provider_registration = true 
  features {}
}

# data resource for the current user
data "azurerm_client_config" "current" {}

# resource group , named after the current user id
resource "azurerm_resource_group" "rg" {
  name     = "rg-umi-${data.azurerm_client_config.current.client_id}"
  location = "westeurope"
}

and we get the error:

│ Error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://169.254.129.5:8081/msi/token' does not support the API version '2018-02-01'.","innerError":null}}

@mdepedrof

mdepedrof commented May 24, 2024

I have the same issue but within Container Apps.

building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: 
{
    "error": {
        "code": "UnsupportedApiVersion",
        "message": "The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.",
        "innerError": null
    }
}

@mdepedrof

mdepedrof commented May 27, 2024

Any update on this problem?

I can confirm that with version 2019-08-01 we can obtain a token. I got this done by making the request manually within a container app:

export API_VERSION="2019-08-01"
export RESOURCE_URI="https://management.azure.com/"
export TOKEN_AUTH_URI="$IDENTITY_ENDPOINT/?api-version=$API_VERSION&resource=$RESOURCE_URI"

curl -s -X GET -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" -H "Secret: $MSI_SECRET" -H "Content-Type: application/json" "$TOKEN_AUTH_URI"

and get this:

{
    "access_token": "eyXXXXXXXX",
    "expires_on": "1716896860",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
    "client_id": "XXXXXXX"
}
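The two failure reports above (jrblanno's App Service run and mdepedrof's manual curl inside a Container App) both come down to the same thing: the provider sends `api-version=2018-02-01`, which is the IMDS version, to an App Service / Container Apps identity endpoint that only accepts `2019-08-01`. The Go program below is an added example, not code from the thread, from terraform-provider-azurerm or from go-azure-sdk. It implements the request mdepedrof made with curl (GET on the identity endpoint with the `X-IDENTITY-HEADER` secret) and runs it against a constructed in-process stand-in for the endpoint, so it works offline; the fake server, the secret `constructed-secret`, the token value and the client id are all made up for the demonstration, and the error body it returns copies the one quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Token is the JSON document the identity endpoint returns on success
// (field names as in the response pasted in the thread).
type Token struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
	Resource    string `json:"resource"`
	TokenType   string `json:"token_type"`
	ClientID    string `json:"client_id"`
}

// msiError mirrors the error body quoted in the issue.
type msiError struct {
	Error struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// RequestToken performs the same GET mdepedrof issued with curl: the
// api-version and resource go in the query string, the per-instance secret
// from IDENTITY_HEADER goes in the X-IDENTITY-HEADER request header.
// A non-200 answer is surfaced with the endpoint's error code so that an
// UnsupportedApiVersion is distinguishable from a missing secret.
func RequestToken(client *http.Client, endpoint, secret, apiVersion, resource string) (*Token, error) {
	q := url.Values{}
	q.Set("api-version", apiVersion)
	q.Set("resource", resource)
	req, err := http.NewRequest(http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-IDENTITY-HEADER", secret)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // never slurp an unbounded body
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		var e msiError
		if json.Unmarshal(body, &e) == nil && e.Error.Code != "" {
			return nil, fmt.Errorf("identity endpoint returned %d %s: %s", resp.StatusCode, e.Error.Code, e.Error.Message)
		}
		return nil, fmt.Errorf("identity endpoint returned HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var t Token
	if err := json.Unmarshal(body, &t); err != nil {
		return nil, err
	}
	if t.AccessToken == "" {
		return nil, fmt.Errorf("identity endpoint returned no access_token")
	}
	return &t, nil
}

// NewFakeIdentityEndpoint is a constructed stand-in for the App Service /
// Container Apps endpoint (not Azure's code): it requires the secret header,
// rejects every api-version except 2019-08-01 with the exact 400 body from the
// issue, and otherwise returns a made-up token.
func NewFakeIdentityEndpoint(secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("X-IDENTITY-HEADER") != secret {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":{"code":"Unauthorized","message":"missing or invalid X-IDENTITY-HEADER"}}`)
			return
		}
		if v := r.URL.Query().Get("api-version"); v != "2019-08-01" {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprintf(w, `{"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI '%s' does not support the API version '%s'.","innerError":null}}`, r.URL.Path, v)
			return
		}
		json.NewEncoder(w).Encode(Token{
			AccessToken: "eyJ.constructed.token", // constructed, not a real JWT
			ExpiresOn:   "1716896860",
			Resource:    r.URL.Query().Get("resource"),
			TokenType:   "Bearer",
			ClientID:    "00000000-0000-0000-0000-000000000000",
		})
	}))
}

func main() {
	srv := NewFakeIdentityEndpoint("constructed-secret")
	defer srv.Close()
	endpoint := srv.URL + "/msi/token"
	// First the version the provider sends today, then the one the endpoint wants.
	for _, v := range []string{"2018-02-01", "2019-08-01"} {
		t, err := RequestToken(srv.Client(), endpoint, "constructed-secret", v, "https://management.azure.com/")
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Println(v, "-> token for", t.Resource, "expires_on", t.ExpiresOn)
	}
}
```

Against a real App Service or Container App you would replace the fake server with `os.Getenv("IDENTITY_ENDPOINT")` and `os.Getenv("IDENTITY_HEADER")`; the point of the example is that the same request succeeds or fails purely on the api-version string, which is exactly what ARM_MSI_ENDPOINT alone cannot fix.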

@kabal2010
Author

Any update on this issue?

@vermacodes

@kabal2010
Author

hashicorp/go-azure-sdk#1093

Nice work @vermacodes.

@vermacodes

If this issue is of interest to you, can you please do a thumbs up on the PR that helps maintainers to prioritize the review. Thank you.

Tagging @tombuildsstuff for attention.

PR - hashicorp/go-azure-sdk#1093
