VMSS Azure Auth error

[grahamsk]

Hi,

I'm trying to use the Azure auth backend in conjunction with a VMSS + user assigned managed service identity. Here's what I get when trying:

vault write auth/azure/login role="my-role" \
jwt="$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true | jq -r '.access_token')" \
subscription_id=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2018-10-01" | jq -r '.compute | .subscriptionId') \
resource_group_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-10-01" | jq -r '.compute | .resourceGroupName') \
vmss_name=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2018-10-01" | jq -r '.compute | .vmScaleSetName')


Error writing data to auth/azure/login: Error making API request.

URL: PUT https://vault.redacted.com:8200/v1/auth/azure/login
Code: 500. Errors:

* vmss principal id is empty

Could you please help me to get to the bottom of this?

[pyncc]

Also having this issue though with a single vm (a set of vms sharing the same user-assigned managed service identity).

Comes down to this from what I can tell:

https://github.com/hashicorp/vault-plugin-auth-azure/blob/master/path_login.go#L215

Where this is what that struct looks like:

https://github.com/hashicorp/vault-plugin-auth-azure/blob/master/vendor/github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2017-12-01/compute/models.go#L3610

Which mentions that this is only set by the system.

Not going to propose solutions but may come up with a PR soon.

[grahamsk]

Just as an update - I have reverted back to using a System Assigned MSI until User Assigned MSI's work.

[KealanM]

I started hitting this one as well, do we have any more info on this or possible workarounds? Going by @pyncc comment the Principal ID check is not valid for User assigned MI's.

[ungureanuvladvictor]

Hey folks I think #29 solves this.