create federated identity in WSL-ubuntu got invisible char in OIDCURL #26942

Open
dante159753 opened this issue Jul 20, 2023 · 5 comments
Labels
AKS az aks/acs/openshift ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team bug This issue requires a change to an existing behavior in the product in order to be resolved. Managed Identity For `az identity` only needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team.
@dante159753

Describe the bug

When creating a federated identity in WSL using the az CLI from Windows, it inserts an invisible '\r' into OIDCUrl, which makes the auth fail with 70021.

Related command

INFRA_UAI_NAME="yz-image-mgmt07-uai"
INFRA_UAI_RG="yz-image-mgmt07-rg"
MGMT_RG="rpaas061901"
MGMT_NAME="rpaas061901"

az account set -s "ASZ_HybridAKS_Dev"
echo "load AKS_OIDC_ISSUER from mgmt aks"
AKS_OIDC_ISSUER="$(az aks show -n $MGMT_NAME -g $MGMT_RG --query "oidcIssuerProfile.issuerUrl" -otsv)"
echo "AKS_OIDC_ISSUER=${AKS_OIDC_ISSUER}"

az account set -s "ASZ_HybridAKS_POC_dev"
INFRA_UAI_FED_IMAGE_NAME="yztestfedid"
IMAGE_ACCOUNT_SUBJECT="system:serviceaccount:image-mgmt:image-mgmt-controller-manager"
az identity federated-credential create \
  --name "${INFRA_UAI_FED_IMAGE_NAME}" \
  --identity-name "${INFRA_UAI_NAME}" \
  --resource-group "${INFRA_UAI_RG}" \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject "${IMAGE_ACCOUNT_SUBJECT}" \
  --audience api://AzureADTokenExchange

Errors


load AKS_OIDC_ISSUER from mgmt aks
AKS_OIDC_ISSUER=https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/
{
  "audiences": [
    "api://AzureADTokenExchange"
  ],
  "id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
  "issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
  "name": "yztestfedid",
  "resourceGroup": "yz-image-mgmt07-rg",
  "subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
  "systemData": null,
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Issue script & Debug output

$ az identity federated-credential create --name "${INFRA_UAI_FED_IMAGE_NAME}" --identity-name "${INFRA_UAI_NAME}" --resource-group "${INFRA_UAI_RG}" --issuer "${AKS_OIDC_ISSUER}" --subject "${IMAGE_ACCOUNT_SUBJECT}" --audience api://AzureADTokenExchange --debug
cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'yztestfedid', '--identity-nam
e', 'yz-image-mgmt07-uai', '--resource-group', 'yz-image-mgmt07-rg', '--issuer', 'https://eastus.oic.prod-aks.azure.com/7
2f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r', '--subject', 'system:serviceaccount:image-m
gmt:image-mgmt-controller-manager', '--audience', 'api://AzureADTokenExchange', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x019CB460>, <fu
nction OutputProducer.on_global_arguments at 0x01CFD6A0>, <function CLIQuery.on_global_arguments at 0x01D182F8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: identity 0.008 2 11
cli.azure.cli.core: Total (1) 0.008 2 11
cli.azure.cli.core: Loaded 2 groups, 11 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : identity federated-credential create
cli.azure.cli.core: Command table: identity federated-credential create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03D
CB460>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\wangya.azure\commands\2023-07-19
.19-45-56.identity_federated-credential_create.15236.log'.
az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group
{} --issuer {} --subject {} --audience {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subs
cription_parameter at 0x03E18898>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments
at 0x03E18A48>, <function register_cache_arguments..add_cache_arguments at 0x03E18AD8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01CFD6E8>, <fu
nction CLIQuery.handle_query_parameter at 0x01D18340>, <function register_ids_argument..parse_ids_arguments at 0x
03E18A90>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ManagedServiceIdentityClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\wangya\.azure\msal_token_cache.bin', encry
pt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\wangya.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db4
7/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_b
asic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'respon
se_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_v
alues_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes
_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1
-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.co
m/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth
2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db
47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint':
'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub',
'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat',
'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoin
t': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'clou
d_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.c
om', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.d
efault',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.def
ault',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 8507bda4-0bad-49f2-ad5a-af168137618c
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3
292f6/resourceGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/fe
deratedIdentityCredentials/yztestfedid?api-version=2023-01-31'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '266'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8d69a198-26a7-11ee-b394-00155d349f00'
cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --au
dience --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.50.0 azsdk-python-azure-mgmt-msi/7.0.0 Python/3.10.10 (Win
dows-10-10.0.19045-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab
-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r", "subject": "system:serviceaccount:image-mgmt:image-mgmt-controlle
r-manager", "audiences": ["api://AzureADTokenExchange"]}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourc
eGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdenti
tyCredentials/yztestfedid?api-version=2023-01-31 HTTP/1.1" 201 581
cli.azure.cli.core.sdk.policies: Response status: 201
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '581'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Location': '/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-i
mage-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredential
s/yztestfedid'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTUS:20230720T024558Z:9760f3cf-2e3e-426f-a8de-38992a6f
f858'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 20 Jul 2023 02:45:58 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt0
7-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfe
did","name":"yztestfedid","type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials","propert
ies":{"issuer":"https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b
08af4d/\r","subject":"system:serviceaccount:image-mgmt:image-mgmt-controller-manager","audiences":["api://AzureADTokenExc
hange"]}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03DF0C88>, <function _x5
09_from_base64_to_hex_transform at 0x03DF0CD0>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"audiences": [
"api://AzureADTokenExchange"
],
"id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
"name": "yztestfedid",
"resourceGroup": "yz-image-mgmt07-rg",
"subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
"systemData": null,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03DCB580>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.519 seconds (init: 0.688, invoke: 1.831)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3378 in cache
telemetry.check: Negative: The C:\Users\wangya.azure\telemetry.txt was modified at 2023-07-19 19:43:05.626410, which in
less than 600.000000 s

Expected behavior

Do not insert \r into oidcUrl.

Environment Summary

az --version
azure-cli 2.50.0

core 2.50.0
telemetry 1.0.8

Dependencies:
msal 1.22.0
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\wangya.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

@yonzhan
Collaborator

yonzhan commented Jul 20, 2023

Thank you for opening this issue, we will look into it.

@ghost

ghost commented Jul 20, 2023

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details

Author: dante159753
Assignees: zhoxing-ms
Labels:

bug, Service Attention, question, AKS, ARM, Managed Identity, needs-team-attention, Auto-Assign, Azure CLI Team

Milestone: Backlog

@navba-MSFT
Contributor

Adding Service team to look into this.

@bebound
Contributor

bebound commented Jul 20, 2023

Duplicate of #13573.

You need to install a Linux CLI package instead of calling the Windows one. See #13573 (comment)

@RamyaElangovanP

Can this be assigned to the AKS team? Looks like the issue URL is obtained from AKS.
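
The trailing `\r` in this thread is what remains when a Windows program's CRLF-terminated output is captured with `$(...)`, which strips only the trailing newline. The following is an added example, not code from the issue or from the Azure CLI project: it reproduces that capture with a constructed stand-in for the Windows CLI, strips the trailing CR, refuses any other control character before the value is used as `--issuer`, and flags credential JSON whose stored issuer already carries an escaped control character. All function names and the sample URL are hypothetical, and the `/mnt/<drive>/` check assumes WSL's default automount root.

```shell
#!/bin/sh
# Added example; helper names and the sample URL are hypothetical.

CR=$(printf '\r')   # $(...) strips trailing newlines only, so the CR survives

# Constructed stand-in for a Windows az call: one CRLF-terminated line.
fake_windows_az() {
  printf 'https://oidc.example.invalid/tenant-id/cluster-id/\r\n'
}

# Render a value with control characters made visible (CR shows as ^M).
show_invisible() (
  printf '%s' "$1" | cat -v
)

# True when the resolved CLI path is a Windows binary reached through WSL.
# Assumption: WSL's default automount root /mnt/<drive>/ is in use.
is_windows_cli_path() {
  case $1 in
    /mnt/[a-z]/*|*.exe|*.cmd|*.bat) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a usable issuer on stdout, or fail without printing one.
# Exactly one trailing CR is removed; any other control or whitespace
# character is treated as an error rather than silently dropped.
clean_issuer() (
  value=${1%"$CR"}
  bare=$(printf '%s' "$value" | tr -d '[:cntrl:][:space:]')
  if [ "$bare" != "$value" ]; then
    echo "refusing issuer with control/whitespace characters: $(show_invisible "$1")" >&2
    exit 1
  fi
  case $value in
    https://?*) printf '%s\n' "$value" ;;
    *) echo "issuer is not an https URL" >&2; exit 1 ;;
  esac
)

# Read federated-credential JSON on stdin (for example the output of
# `az identity federated-credential list ... -o json`) and print every
# issuer line that contains a JSON-escaped control character such as \r.
# Exit status is 0 when at least one such line is found.
find_tainted_issuers() {
  grep -E '"issuer": *"[^"]*\\([rntbf]|u00)'
}

demo() {
  az_path=$(command -v az 2>/dev/null || true)
  if [ -n "$az_path" ] && is_windows_cli_path "$az_path"; then
    echo "warning: az resolves to a Windows binary: $az_path" >&2
  fi
  raw=$(fake_windows_az)
  printf 'captured: %s\n' "$(show_invisible "$raw")"
  issuer=$(clean_issuer "$raw") || return 1
  printf 'cleaned:  %s\n' "$(show_invisible "$issuer")"
}

demo
```

In the script from the issue, the equivalent step is to pass the captured `AKS_OIDC_ISSUER` through `clean_issuer` before it reaches `--issuer`.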
