Hi there,
I work on the PowerShell language worker in Azure Functions.
Description
We are trying to get MSI working with Azure PowerShell so that users will be able to use MSI to authenticate their PowerShell functions. The Azure Functions run in the Azure Web App Sandbox so there are limitations in place for certain network traffic and other things.
Script/Steps for Reproduction
Connect-AzAccount -MSI
Run inside of an Azure Function App.
This gives me the following exception:
ERROR: An attempt was made to access a socket in a way forbidden by its access permissions
Exception: An attempt was made to access a socket in a way forbidden by its access permissions Stack: at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at Microsoft.Azure.Commands.Common.Authentication.HttpClientWithRetry.SendAsync(HttpRequestMessage request, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.HttpClientOperationsFactory.HttpClientOperations1.SafeSendRequestAsync(HttpRequestMessage request, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.HttpClientOperationsFactory.HttpClientOperations1.GetAsync(String requestUri, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.ManagedServiceAccessToken.GetOrRenewAuthentication() at Microsoft.Azure.Commands.Common.Authentication.ManagedServiceAccessToken.get_AccessToken() at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action1 promptAction) at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String 
subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action1 promptAction, String name, Boolean shouldPopulateContextList) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass87_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass89_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client) at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action2 contextAction) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action3 setContextAction) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet() at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__31.b__3_0(T c) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet) at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Module Version
Get-Module -ListAvailable
ModuleType Version Name PSEdition ExportedCommands
---------- ------- ---- --------- ----------------
Script 0.5.0 Az.Aks Core,Desk {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAks...
Script 0.5.0 Az.AnalysisServices Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnaly...
Script 0.5.0 Az.ApiManagement Core,Desk {Add-AzApiManagementRegion, Get-AzApiManagementSs...
Script 0.5.0 Az.ApplicationInsights Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsi...
Script 0.5.0 Az.Automation Core,Desk {Get-AzAutomationHybridWorkerGroup, Get-AzAutomat...
Script 0.5.0 Az.Batch Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-A...
Script 0.5.0 Az.Billing Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-A...
Script 0.5.0 Az.Cdn Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-Az...
Script 0.5.0 Az.CognitiveServices Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveS...
Script 0.5.0 Az.Compute Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet,...
Script 0.5.0 Az.Consumption Core,Desk {Get-AzConsumptionBudget, Get-AzConsumptionMarket...
Script 0.5.0 Az.ContainerInstance Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remo...
Script 0.5.0 Az.ContainerRegistry Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry...
Script 0.5.0 Az.DataLakeAnalytics Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLak...
Script 0.5.0 Az.DataLakeStore Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzD...
Script 0.5.0 Az.DevTestLabs Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShut...
Script 0.5.0 Az.Dns Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remov...
Script 0.5.0 Az.EventGrid Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-...
Script 0.5.0 Az.EventHub Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace...
Script 0.5.0 Az.Insights Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzL...
Script 0.5.0 Az.IotHub Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGro...
Script 0.5.0 Az.KeyVault Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCert...
Script 0.5.0 Az.LogicApp Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegra...
Script 0.5.0 Az.MachineLearning Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitme...
Script 0.5.0 Az.MachineLearningCompute Core,Desk {Get-AzMlOpCluster, Get-AzMlOpClusterKey, Test-Az...
Script 0.5.0 Az.MarketplaceOrdering Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script 0.5.0 Az.Media Core,Desk {Sync-AzMediaServiceStorageKeys, Set-AzMediaServi...
Script 0.5.0 Az.Network Core,Desk {Add-AzApplicationGatewayAuthenticationCertificat...
Script 0.5.0 Az.NotificationHubs Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAuth...
Script 0.5.0 Az.OperationalInsights Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSou...
Script 0.5.0 Az.PolicyInsights Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPoli...
Script 0.5.0 Az.PowerBIEmbedded Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPower...
Script 0.5.0 Az.Profile Core,Desk {Disable-AzDataCollection, Disable-AzContextAutos...
Script 0.5.0 Az.RedisCache Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCac...
Script 0.5.0 Az.Relay Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-...
Script 0.5.0 Az.Resources Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment...
Script 0.5.0 Az.ServiceBus Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNames...
Script 0.5.0 Az.ServiceFabric Core,Desk {Add-AzServiceFabricApplicationCertificate, Add-A...
Script 0.5.1 Az.Sql Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-...
Script 0.5.0 Az.Storage Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, N...
Script 0.5.0 Az.StreamAnalytics Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnaly...
Script 0.5.0 Az.Tags Core,Desk {Remove-AzTag, Get-AzTag, New-AzTag}
Script 0.5.0 Az.TrafficManager Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remo...
Script 0.5.0 Az.UsageAggregates Core,Desk Get-UsageAggregates
Script 0.5.0 Az.Websites Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-...
Environment Data
$PSVersionTable
Name Value
---- -----
PSVersion 6.1.0
PSEdition Core
GitCommitId 6.1.0
OS Microsoft Windows 10.0.14393
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Debug Output
Wasn't able to get anything.
Workaround
I have a script that works for now... but really -MSI should work in this scenario.
# Token request parameters for the App Service local MSI endpoint
$apiVersion = "2017-09-01"
$resourceURI = "https://management.azure.com"
$tokenAuthURI = $env:MSI_ENDPOINT + "?resource=$resourceURI&api-version=$apiVersion"
# MSI_SECRET authenticates this process to the local endpoint
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
# Hand the identity's token to Az instead of using -MSI
Connect-AzAccount -AccessToken $accessToken -AccountId $env:WEBSITE_SITE_NAME
Interested parties:
@asavaritayal, @anirudhgarg, @pragnagopa, @fabiocav from the Azure Functions team.
@daxian-dbw, @SteveL-MSFT, @joeyaiello from the PowerShell team
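The workaround script above, reworked as an added example (not code from the issue author or the Az module) into a function that fails early when the identity is not configured, reuses the token until shortly before it expires, and keeps MSI_SECRET and the token out of output. The function name Get-MsiAccessToken, the $script:MsiTokenCache variable, and the handling of the expires_on field are assumptions.

```powershell
# Added example; not part of the original issue. Names below are assumptions.
function Get-MsiAccessToken {
    [CmdletBinding()]
    param(
        [string]$Resource = 'https://management.azure.com',
        [string]$ApiVersion = '2017-09-01'
    )
    # The Functions sandbox exposes the local MSI endpoint through these two
    # variables; fail clearly if the app has no managed identity enabled.
    foreach ($name in 'MSI_ENDPOINT', 'MSI_SECRET') {
        if (-not (Test-Path "Env:$name")) {
            throw "Environment variable $name is not set; is a managed identity enabled on this Function App?"
        }
    }
    # Reuse a cached token while it is still valid, with a 5-minute safety margin.
    $cached = $script:MsiTokenCache
    if ($cached -and $cached.Resource -eq $Resource -and $cached.ExpiresOn -gt (Get-Date).AddMinutes(5)) {
        return $cached.AccessToken
    }
    $uri = '{0}?resource={1}&api-version={2}' -f $env:MSI_ENDPOINT, [uri]::EscapeDataString($Resource), $ApiVersion
    try {
        # MSI_SECRET authenticates this process to the local endpoint; never write it,
        # or the returned token, to logs or the pipeline output.
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET } -ErrorAction Stop
    } catch {
        throw "MSI token request to $($env:MSI_ENDPOINT) failed: $($_.Exception.Message)"
    }
    if (-not $resp.access_token) { throw 'MSI endpoint returned no access_token' }
    # Assumption: expires_on is a date string for api-version 2017-09-01 and Unix
    # seconds in later versions; accept either form.
    $expires = if ("$($resp.expires_on)" -match '^\d+$') {
        [DateTimeOffset]::FromUnixTimeSeconds([long]$resp.expires_on).LocalDateTime
    } else {
        [DateTimeOffset]::Parse($resp.expires_on, [cultureinfo]::InvariantCulture).LocalDateTime
    }
    $script:MsiTokenCache = [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = $expires
        Resource    = $Resource
    }
    return $resp.access_token
}

# Usage inside the Function: authenticate Az with the identity's token instead of -MSI.
$token = Get-MsiAccessToken
Connect-AzAccount -AccessToken $token -AccountId $env:WEBSITE_SITE_NAME | Out-Null
```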