Cloud Shell doesn't support user assigned identities (#16946)

Azure · Feb 1, 2022 · af2eedd · af2eedd
1 parent f55e882
commit af2eedd
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/sdk/azidentity/CHANGELOG.md b/sdk/azidentity/CHANGELOG.md
@@ -7,6 +7,8 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+* `ManagedIdentityCredential.GetToken()` now returns an error when configured for
+   a user assigned identity in Azure Cloud Shell (which doesn't support such identities)
 
 ### Other Changes
 

diff --git a/sdk/azidentity/managed_identity_client.go b/sdk/azidentity/managed_identity_client.go
@@ -381,16 +381,17 @@ func (c *managedIdentityClient) createAzureArcAuthRequest(ctx context.Context, k
 }
 
 func (c *managedIdentityClient) createCloudShellAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
+	if id != nil {
+		msg := "Cloud Shell doesn't support user assigned managed identities. To authenticate the signed in user, omit ManagedIdentityCredentialOptions.ID"
+		return nil, newAuthenticationFailedError(errors.New(msg), nil) //lint:ignore ST1005 Cloud Shell is a proper noun
+	}
 	request, err := runtime.NewRequest(ctx, http.MethodPost, c.endpoint)
 	if err != nil {
 		return nil, err
 	}
 	request.Raw().Header.Set(headerMetadata, "true")
 	data := url.Values{}
 	data.Set("resource", strings.Join(scopes, " "))
-	if id != nil {
-		data.Set(qpClientID, id.String())
-	}
 	dataEncoded := data.Encode()
 	body := streaming.NopCloser(strings.NewReader(dataEncoded))
 	if err := request.SetBody(body, "application/x-www-form-urlencoded"); err != nil {

diff --git a/sdk/azidentity/managed_identity_credential_test.go b/sdk/azidentity/managed_identity_credential_test.go
@@ -164,6 +164,22 @@ func TestManagedIdentityCredential_CloudShell(t *testing.T) {
 	}
 }
 
+func TestManagedIdentityCredential_CloudShellUserAssigned(t *testing.T) {
+	setEnvironmentVariables(t, map[string]string{msiEndpoint: "http://localhost"})
+	for _, id := range []ManagedIDKind{ClientID("client-id"), ResourceID("/resource/id")} {
+		options := ManagedIdentityCredentialOptions{ID: id}
+		msiCred, err := NewManagedIdentityCredential(&options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = msiCred.GetToken(context.Background(), policy.TokenRequestOptions{Scopes: []string{liveTestScope}})
+		var authErr AuthenticationFailedError
+		if !errors.As(err, &authErr) {
+			t.Fatal("expected AuthenticationFailedError")
+		}
+	}
+}
+
 func TestManagedIdentityCredential_GetTokenInAppServiceV20170901Mock_windows(t *testing.T) {
 	srv, close := mock.NewServer()
 	defer close()