diff --git a/sdk/azidentity/CHANGELOG.md b/sdk/azidentity/CHANGELOG.md
index 897b67d64bce..4a2e32f71eba 100644
--- a/sdk/azidentity/CHANGELOG.md
+++ b/sdk/azidentity/CHANGELOG.md
@@ -7,6 +7,8 @@
 ### Breaking Changes
 ### Bugs Fixed
+* `ManagedIdentityCredential.GetToken()` now returns an error when configured for
+ a user assigned identity in Azure Cloud Shell (which doesn't support such identities)
 ### Other Changes
diff --git a/sdk/azidentity/managed_identity_client.go b/sdk/azidentity/managed_identity_client.go
index 40b594de08f4..f9292c464da1 100644
--- a/sdk/azidentity/managed_identity_client.go
+++ b/sdk/azidentity/managed_identity_client.go
@@ -381,6 +381,10 @@ func (c *managedIdentityClient) createAzureArcAuthRequest(ctx context.Context, k
 }
 func (c *managedIdentityClient) createCloudShellAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
+	if id != nil {
+		msg := "Cloud Shell doesn't support user assigned managed identities. To authenticate the signed in user, omit ManagedIdentityCredentialOptions.ID"
+		return nil, newAuthenticationFailedError(errors.New(msg), nil) //lint:ignore ST1005 Cloud Shell is a proper noun
+	}
 	request, err := runtime.NewRequest(ctx, http.MethodPost, c.endpoint)
 	if err != nil {
 		return nil, err
@@ -388,9 +392,6 @@ func (c *managedIdentityClient) createCloudShellAuthRequest(ctx context.Context,
 	request.Raw().Header.Set(headerMetadata, "true")
 	data := url.Values{}
 	data.Set("resource", strings.Join(scopes, " "))
-	if id != nil {
-		data.Set(qpClientID, id.String())
-	}
 	dataEncoded := data.Encode()
 	body := streaming.NopCloser(strings.NewReader(dataEncoded))
 	if err := request.SetBody(body, "application/x-www-form-urlencoded"); err != nil {
diff --git a/sdk/azidentity/managed_identity_credential_test.go b/sdk/azidentity/managed_identity_credential_test.go
index e3b21bebdeaf..2d56d70cd152 100644
--- a/sdk/azidentity/managed_identity_credential_test.go
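Review bot: The `id != nil` guard at the top of createCloudShellAuthRequest runs on every GetToken call, so a credential configured with a user assigned ID in Cloud Shell is constructed successfully and only fails at first use; if the Cloud Shell environment is already selected when the client is built (not visible here), rejecting the ID there would surface the misconfiguration at construction time, though the changelog entry describes GetToken-time behaviour, so this may be deliberate. The branch removed in the second hunk shows the ID used to be sent as `qpClientID` on a request Cloud Shell cannot honour, so the new behaviour presumably replaces a silent fallback to the signed-in user with an explicit failure, which is the safer outcome for callers who expect a token for a specific identity. A why-comment on the guard, `// Cloud Shell only authenticates the signed-in user; fail rather than silently ignoring the requested identity`, would record that reasoning for the next reader. The function's body continues outside both hunks.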
+++ b/sdk/azidentity/managed_identity_credential_test.go
@@ -164,6 +164,22 @@ func TestManagedIdentityCredential_CloudShell(t *testing.T) {
 	}
 }
+func TestManagedIdentityCredential_CloudShellUserAssigned(t *testing.T) {
+	setEnvironmentVariables(t, map[string]string{msiEndpoint: "http://localhost"})
+	for _, id := range []ManagedIDKind{ClientID("client-id"), ResourceID("/resource/id")} {
+		options := ManagedIdentityCredentialOptions{ID: id}
+		msiCred, err := NewManagedIdentityCredential(&options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = msiCred.GetToken(context.Background(), policy.TokenRequestOptions{Scopes: []string{liveTestScope}})
+		var authErr AuthenticationFailedError
+		if !errors.As(err, &authErr) {
+			t.Fatal("expected AuthenticationFailedError")
+		}
+	}
+}
 func TestManagedIdentityCredential_GetTokenInAppServiceV20170901Mock_windows(t *testing.T) {
 	srv, close := mock.NewServer()
 	defer close()
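Review bot: The new test asserts only that GetToken returns an AuthenticationFailedError, which does not prove the guard fired: msiEndpoint is set to `http://localhost`, and if a failed connection to that address is also wrapped as AuthenticationFailedError (not visible here), the test passes even when the request is built and sent with the ID silently dropped. Checking the message would pin the intended path, e.g. `if !strings.Contains(err.Error(), "Cloud Shell") { t.Fatalf("unexpected error: %v", err) }` after the errors.As check (assuming strings is imported in this file), or point msiEndpoint at a mock.NewServer whose handler fails the test on any request, as the neighbouring tests already use mock.NewServer. The enclosing test function is complete within the hunk.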