Related command
az login --identity
any az command
Describe the bug
I run az commands in an Azure VM with managed identity enabled. I log in to the CLI using "az login --identity".
After login, I noticed all az commands always tried to connect to "http://169.254.169.254/metadata/identity/oauth2/token" to get an ARM token when the corresponding code tried to query an ARM resource. I'd expect the CLI to cache the ARM token and try to reuse it if possible. I shared one debug output below. As you can also see, after the token request, it mentioned "MSI: token is found in cache". If the token could be found, why didn't the code check it in the first place?
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1739
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msrestazure.azure_active_directory: MSI: token is found in cache.
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1663545077' -> 1663545077
To Reproduce
- set up an Azure VM with managed identity enabled
- install the latest azure-cli
- az login --identity
- run any az command to get the resources a few times, like:
  az vmss list --debug
  az storage list --debug
  az acr list --debug
Expected behavior
ARM token is cached and reused if not expired.
Environment summary
CLI: 2.40.0
Azure VM with managed identity enabled
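The behavior the report asks for (consult the cache before contacting the metadata endpoint), sketched as an added example that is not part of the original issue and is not azure-cli or msrestazure code. The names `load_cached`, `save_cached`, `get_token`, `fake_imds` and the cache file are hypothetical; persisting the token across processes is an assumption, which is why the file is written owner-only.

```python
import json, os, tempfile, time

ARM = "https://management.core.windows.net/"  # resource from the debug log

def _read(path):
    """Load the cache file; a missing or corrupt file is an empty cache."""
    try:
        with open(path) as f:
            return json.load(f)
    except (FileNotFoundError, ValueError):
        return {}

def load_cached(path, resource, now, skew=300):
    """Return a cached token, or None if absent or within `skew` s of expiry."""
    entry = _read(path).get(resource)
    if entry and entry["expires_on"] - skew > now:
        return entry["access_token"]
    return None

def save_cached(path, resource, body):
    """Persist the token owner-only (0600): it is a bearer credential."""
    data = _read(path)
    # IMDS returns expires_on as a string of epoch seconds; store an int
    data[resource] = {"access_token": body["access_token"],
                      "expires_on": int(body["expires_on"])}
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.replace(path + ".tmp", path)  # atomic swap, keeps the 0600 mode

def get_token(path, resource, fetch, now=None):
    """Check the cache first; call `fetch` (the IMDS request) only on a miss."""
    now = time.time() if now is None else now
    token = load_cached(path, resource, now)
    if token is None:
        body = fetch(resource)
        save_cached(path, resource, body)
        token = body["access_token"]
    return token

def demo():
    calls = []
    def fake_imds(resource):  # constructed stand-in for the metadata endpoint
        calls.append(resource)
        return {"access_token": f"tok-{len(calls)}", "expires_on": "1663545077"}
    path = os.path.join(tempfile.mkdtemp(), "msi_cache.json")
    tokens = [get_token(path, ARM, fake_imds, now=t)
              for t in (1663540000, 1663540100, 1663545000)]
    return tokens, len(calls), oct(os.stat(path).st_mode & 0o777)
```

The third call in `demo()` falls inside the 300-second refresh window before `expires_on`, so it fetches again instead of returning a token that is about to expire.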