
VMSSH with managed identity #21443

Open
millanie opened this issue Feb 25, 2022 · 18 comments
Labels
Account az login/account Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request MSAL Service Attention This issue is responsible by Azure service team. VM SSH
Comments

millanie (Author) opened this issue Feb 25, 2022

    def get_msal_token(self, scopes, data):

After MSAL adopted completely, would it be available with Managed Identity for VMSSH?
If yes, when would it be possible?

  • Login with MI: az login -i -u /subscriptions/{subscription id}/resourceGroups/{resource group}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{myMI}
  • Command: az ssh cert --public-key-file ./test.pub
  • Error: VM SSH currently doesn't support managed identity or Cloud Shell.

    from azure.cli.core.azclierror import AuthenticationError
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Compute az vm/vmss/image/disk/snapshot labels Feb 25, 2022
@ghost ghost added this to the Backlog milestone Feb 25, 2022
@ghost ghost assigned zhoxing-ms Feb 25, 2022
@ghost ghost added Auto-Assign Auto assign by bot Account az login/account labels Feb 25, 2022
@ghost ghost assigned jiasli Feb 25, 2022
@yonzhan yonzhan added the CXP Attention This issue is handled by CXP team. label Feb 25, 2022
ghost commented Feb 25, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

yonzhan (Collaborator) commented Feb 25, 2022

route to CXP team

ozbillwang commented Feb 27, 2022

I saw this error when running az cli via Cloud Shell.

    $ az ssh vm --ip <IP> --port 22
    VM SSH currently doesn't support managed identity or Cloud Shell

But I am fine running it from my own MacBook to a virtual machine which is managed identity enabled.

Could you support this feature in Cloud Shell as well?

Use case:

We need this feature because normally team members have no permission to install az cli on their laptops (it needs administrator permission, and to get admin permission we need to raise an approval process, which is annoying). So we have to use Cloud Shell to run these commands.

Debug logs for your reference:

    az_command_data_logger: extension name: ssh
    az_command_data_logger: extension version: 1.0.0
    cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /tmp/aadsshcertr81fle8e/id_rsa -t rsa -q -N 
    urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
    urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 7469
    msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
    cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token invoked by Track 2 SDK with scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',)
    cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
    cli.azure.cli.core.util: Traceback (most recent call last):
      File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
        cmd_result = self.invocation.execute(args)
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 658, in execute
        raise ex
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
        results.append(self._run_job(expanded_arg, cmd_copy))
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 692, in _run_job
        result = cmd_copy(params)
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
        return self.handler(*args, **kwargs)
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
        return op(**command_args)
      File "/opt/az/lib/python3.6/site-packages/azure-cli-extensions/ssh/azext_ssh/custom.py", line 29, in ssh_vm
        local_user, cert_file, credentials_folder, op_call)
      File "/opt/az/lib/python3.6/site-packages/azure-cli-extensions/ssh/azext_ssh/custom.py", line 93, in _do_ssh_op
        cert_file, username = _get_and_write_certificate(cmd, public_key_file, None)
      File "/opt/az/lib/python3.6/site-packages/azure-cli-extensions/ssh/azext_ssh/custom.py", line 122, in _get_and_write_certificate
        certificatedata = credential.get_token(*scopes, data=data)
      File "/opt/az/lib/python3.6/site-packages/azure/cli/core/auth/adal_authentication.py", line 23, in get_token
        raise AuthenticationError("VM SSH currently doesn't support managed identity or Cloud Shell.")
    azure.cli.core.azclierror.AuthenticationError: VM SSH currently doesn't support managed identity or Cloud Shell.

    cli.azure.cli.core.azclierror: VM SSH currently doesn't support managed identity or Cloud Shell.
    az_command_data_logger: VM SSH currently doesn't support managed identity or Cloud Shell.
    cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fb91fe417b8>]

@yonzhan yonzhan added the VM SSH label Feb 27, 2022
jiasli (Member) commented Feb 28, 2022

@millanie, you can see from the source code that currently "VM SSH currently doesn't support managed identity or Cloud Shell":

    if 'data' in kwargs:
        from azure.cli.core.azclierror import AuthenticationError
        raise AuthenticationError("VM SSH currently doesn't support managed identity or Cloud Shell.")

This is because managed identity service itself doesn’t support VM SSH. Azure Cloud Shell is using managed identity underneath. We are working on it with corresponding service teams.

@ozbillwang, for Cloud Shell, there is a workaround: you may manually run az login (--service-principal) in Cloud Shell and Cloud Shell will run under a user or service principal context (not Cloud Shell context), and VM SSH should work.
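As an added example (not code from azure-cli or the ssh extension), the following preflight check models the guard quoted above and lets a script decide, before calling `az ssh`, whether the current login context will be refused and which workaround applies. The `az account show` user names it matches on (`systemAssignedIdentity`, `userAssignedIdentity`, `cloudShellID`) are assumptions to verify against your CLI version; the scope string comes from the debug log in this thread.

```python
"""Preflight check for `az ssh` under a managed identity or Cloud Shell login.

The ssh extension asks the credential for a token with an extra `data` payload
(the public key to be certified); the CLI's MSI / Cloud Shell credential refuses
any request carrying `data`. Assumed (verify for your CLI version): `az account
show` reports a managed identity login as user.type == "servicePrincipal" with
user.name "systemAssignedIdentity" or "userAssignedIdentity", and a Cloud Shell
login with user.name "cloudShellID".
"""
import json
from typing import Tuple

MI_USER_NAMES = {"systemAssignedIdentity", "userAssignedIdentity"}  # assumed names
CLOUD_SHELL_USER_NAME = "cloudShellID"  # assumed name
SSH_SCOPE = "https://pas.windows.net/CheckMyAccess/Linux/.default"  # from the debug log


class AuthenticationError(Exception):
    """Stand-in for azure.cli.core.azclierror.AuthenticationError."""


def get_token_via_msi(*scopes, **kwargs):
    """Same shape as the MSIAuthenticationWrapper.get_token guard quoted above."""
    if "data" in kwargs:  # SSH cert requests carry data; the MSI endpoint cannot honour them
        raise AuthenticationError(
            "VM SSH currently doesn't support managed identity or Cloud Shell.")
    return {"scopes": scopes, "token": "<constructed-token>"}  # constructed placeholder


def msi_can_issue_ssh_cert(public_key: str) -> bool:
    """True only if the MSI credential accepts an SSH-cert style request (it does not)."""
    try:  # payload shape is constructed for illustration
        get_token_via_msi(SSH_SCOPE, data={"token_type": "ssh-cert", "key_id": public_key})
        return True
    except AuthenticationError:
        return False


def ssh_cert_blocked(account_show_json: str) -> Tuple[bool, str]:
    """Classify `az account show` output; returns (blocked, advice)."""
    user = json.loads(account_show_json).get("user", {})
    name, kind = user.get("name", ""), user.get("type", "")
    if name == CLOUD_SHELL_USER_NAME:
        return True, "Cloud Shell context: run `az login` or `az login --service-principal` first, then retry `az ssh`."
    if kind == "servicePrincipal" and name in MI_USER_NAMES:
        return True, "Managed identity login: `az ssh` cannot obtain a certificate; log in as a user or service principal."
    return False, "User or service principal context: the `az ssh` certificate flow should work."
```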

ozbillwang commented

Thanks @jiasli

The workaround works.

millanie (Author) commented Mar 1, 2022

Thanks, @jiasli
Is there an estimated date to support the managed identity?

Sumtin commented Mar 10, 2022

Part of the confusion may stem from this direction in the Portal:

image

jiasli (Member) commented Mar 11, 2022

> Part of the confusion may stem from this direction in the Portal:
>
> image

@SanDeo-MSFT, I think Azure Portal shouldn't show this before this feature is ready.

@navba-MSFT navba-MSFT self-assigned this May 2, 2022
navba-MSFT (Contributor) commented

@millanie I am checking with the product owners on the plans in roadmap for the support for VMSSH with managed identity. I will update this thread once I have that information. In the meantime, if you have any questions, please feel free to ask.

navba-MSFT (Contributor) commented

@millanie Regarding the error message, we already have two issues open for the same: #22057 and #22063. The CLI team is currently working on the SSH support in Cloud Shell. We don't have any ETA for the fix. Please track these issues for the progress of the release. Until then you can follow the workaround suggested here. We will now proceed with the closure of this issue. Feel free to reopen this issue if you need any further assistance on this.

svrooij commented May 23, 2022

> Part of the confusion may stem from this direction in the Portal:
> image

> @SanDeo-MSFT, I think Azure Portal shouldn't show this before this feature is ready.

The portal has been showing this message for over a year now, so removing it days before this finally gets implemented seems strange. But since this message is still shown on the portal and it still doesn't work, I think this issue should be re-opened. @navba-MSFT, what do you think?

rayluo (Member) commented May 23, 2022

> Part of the confusion may stem from this direction in the Portal:
> image

> @SanDeo-MSFT, I think Azure Portal shouldn't show this before this feature is ready.

> The portal has been showing this message for over a year now, so removing it days before this finally gets implemented seems strange. But since this message is still shown on the portal and it still doesn't work, I think this issue should be re-opened. @navba-MSFT, what do you think?

The az ssh vm ... command has long been supported, in two different ways, which might be the source of confusion.

  1. Run az login ... and then az ssh vm ... on your local machine, which already has Azure CLI installed. So I guess this corresponds to that "1. Install Azure CLI..." guidance.

  2. STILL need to run az login ... explicitly, and then az ssh vm ..., but this time inside Cloud Shell in Azure Portal. This corresponds to that "... or open Cloud Shell in Azure Portal" guidance. In other words, Cloud Shell just gives you a pre-installed Azure CLI so that you won't have to install it locally, but, in my opinion, the guidance failed to remind the end user that the az login would still be necessary. When that leading az login ... was not run, Azure CLI seemingly emits this error:

    $ az ssh vm --ip <IP> --port 22
    VM SSH currently doesn't support managed identity or Cloud Shell

     which isn't accurate, and therefore contributes to the confusion.

FWIW, recently we worked on a new mechanism to allow skipping that "az login ..." when running inside Cloud Shell (although I don't exactly know when it will be shipped). So, at this point, the Portal guidance "... or open Cloud Shell in Azure Portal" ended up becoming correct again (or soon). I would suggest that the affected user rerun the "az ssh vm ..." from inside Cloud Shell, and see if it works and/or the error message makes sense.

CC: @SanDeo-MSFT , @jiasli

@navba-MSFT navba-MSFT added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that bug This issue requires a change to an existing behavior in the product in order to be resolved. labels Jun 27, 2022
Peder2911 commented Oct 10, 2024

@navba-MSFT , it has been two years, any update on VM SSH for managed identities?

Shay-commits commented

Is there a plan to work on this feature?

svrooij commented Feb 23, 2025

And maybe re-open this issue until fixed @navba-MSFT @jiasli

@yonzhan yonzhan added feature-request and removed bug This issue requires a change to an existing behavior in the product in order to be resolved. labels Feb 23, 2025
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Feb 23, 2025
svrooij commented Feb 26, 2025

@yonzhan the issue is still closed even though you changed the labels.

@yonzhan yonzhan added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Feb 26, 2025
@yonzhan yonzhan reopened this Feb 26, 2025
Contributor commented

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @TravisCragg-MSFT, @nikhilpatel909, @sandeepraichura, @hilaryw29, @GabstaMSFT, @ramankumarlive, @ushnaarshadkhan.

@TravisCragg-MSFT TravisCragg-MSFT added MSAL and removed Compute az vm/vmss/image/disk/snapshot labels Mar 6, 2025
TravisCragg-MSFT (Member) commented

Moving this as a feature request to the MSAL team.
