Authenticate a python application in VM with Managed Service Identity(MSI)

Question

I am trying to use MSI example provided in below link :

https://learn.microsoft.com/en-us/python/azure/python-sdk-azure-authenticate?view=azure-python#mgmt-auth-msi

To do that, I created a linux VM , installed MSI extension on it and running above code in a python application and when I run that python application I get the following error:

[azureuser@vish-redhat ~]$ python msi-auth.py 
No handlers could be found for logger "msrestazure.azure_active_directory"
Traceback (most recent call last):
  File "msi-auth.py", line 10, in <module>
    subscription = next(subscription_client.subscriptions.list())
  File "/usr/lib/python2.7/site-packages/msrest/paging.py", line 121, in __next__
    self.advance_page()
  File "/usr/lib/python2.7/site-packages/msrest/paging.py", line 107, in advance_page
    self._response = self._get_next(self.next_link)
  File "/usr/lib/python2.7/site-packages/azure/mgmt/resource/subscriptions/v2016_06_01/operations/subscriptions_operations.py", line 207, in internal_paging
    request, header_parameters, **operation_config)
  File "/usr/lib/python2.7/site-packages/msrest/service_client.py", line 191, in send
    session = self.creds.signed_session()
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 685, in signed_session
    self.set_token()
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 681, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 590, in get_msi_token
    result = requests.post(request_uri, data=payload, headers={'Metadata': 'true'})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 108, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
[azureuser@vish-redhat ~]$ 

Code:

from msrestazure.azure_active_directory import MSIAuthentication
from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient

# Create MSI Authentication
credentials = MSIAuthentication()


# Create a Subscription Client
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id

# Create a Resource Management client
resource_client = ResourceManagementClient(credentials, subscription_id)


# List resource groups as an example. The only limit is what role and policy are assigned to this MSI token.
for resource_group in resource_client.resource_groups.list():
    print(resource_group.name)

Answer 1

A connection error is usually because the extension is not yet available. You can try if the extension is available using the CLI with az login --msi

https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/how-to-use-vm-sign-in

If it works, your VM is created correctly with MSI support. It it doesn't, probably your extension is not configured correctly.

Note that we changed the way to get a token with MSI from inside a VM. We now use IMDS: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

Starting with the next release of the CLI (the first one of April 2018), CLI will authenticate with IMDS directly and not use the VM extension anymore. This is already shipped in the underlying library msrestazure in its 0.4.25 version. This one will bypass completely your VM extension to use IMDS and is the prefered scenario now. Could you try with this version of msrestazure? If it works with 0.4.25 but not in 0.4.24, this likely means your VM extension is not installed correctly, but you don't care since it's a deprecated scenario :)

Note that in order to get a token, your VM doesn't need any special permissions or ownership of subscription. However, for this token to be useful you need it :). But since your error is related to the "get a token" part and not permission, I would just kindly suggest that you might need this complementary info for later if you have permissions issues:

https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/howto-assign-access-cli

(full disclosure, I work at MS in the SDK/CLI team and wrote the MSI support)

Answer 2

You need install Python SDK in your Linux VM. Please refer to this official document.

pip install azure

Also, you need give Owner role for your VM on subscription level.

More information about this please refer to this link.

Now, you could use this code to test on VM. I test in my lab, it works for me.

Note: You need modify resource_client = ResourceManagementClient(credentials, subscription_id) to resource_client = ResourceManagementClient(credentials, str(subscription_id)), it requires a string type.