Connect-AzAccount -MSI does not work in the Azure Web App Sandbox

[TylerLeonhardt]

Hi there 👋

I work on the PowerShell language worker in Azure Functions.

Description

We are trying to get MSI working with Azure PowerShell so that users will be able to use MSI to authenticate their PowerShell functions. The Azure Functions run in the Azure Web App Sandbox so there are limitations in place for certain network traffic and other things.

Script/Steps for Reproduction

Connect-AzAccount -MSI

Run inside of an Azure Function App.

This gives me the following exception:

ERROR: An attempt was made to access a socket in a way forbidden by its access permissions
Exception: An attempt was made to access a socket in a way forbidden by its access permissions Stack: at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask) at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at Microsoft.Azure.Commands.Common.Authentication.HttpClientWithRetry.SendAsync(HttpRequestMessage request, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.HttpClientOperationsFactory.HttpClientOperations1.SafeSendRequestAsync(HttpRequestMessage request, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.HttpClientOperationsFactory.HttpClientOperations1.GetAsync(String requestUri, CancellationToken token) at Microsoft.Azure.Commands.Common.Authentication.ManagedServiceAccessToken.GetOrRenewAuthentication() at Microsoft.Azure.Commands.Common.Authentication.ManagedServiceAccessToken.get_AccessToken() at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action1 promptAction) at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action1 promptAction, String name, Boolean shouldPopulateContextList) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass87_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass89_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client) at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action2 contextAction) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action3 setContextAction) at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet() at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__31.b__3_0(T c) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet) at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()

Module Version

Get-Module -ListAvailable

ModuleType Version    Name                                PSEdition ExportedCommands
---------- -------    ----                                --------- ----------------
Script     0.5.0      Az.Aks                              Core,Desk {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAks...
Script     0.5.0      Az.AnalysisServices                 Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnaly...
Script     0.5.0      Az.ApiManagement                    Core,Desk {Add-AzApiManagementRegion, Get-AzApiManagementSs...
Script     0.5.0      Az.ApplicationInsights              Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsi...
Script     0.5.0      Az.Automation                       Core,Desk {Get-AzAutomationHybridWorkerGroup, Get-AzAutomat...
Script     0.5.0      Az.Batch                            Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-A...
Script     0.5.0      Az.Billing                          Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-A...
Script     0.5.0      Az.Cdn                              Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-Az...
Script     0.5.0      Az.CognitiveServices                Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveS...
Script     0.5.0      Az.Compute                          Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet,...
Script     0.5.0      Az.Consumption                      Core,Desk {Get-AzConsumptionBudget, Get-AzConsumptionMarket...
Script     0.5.0      Az.ContainerInstance                Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remo...
Script     0.5.0      Az.ContainerRegistry                Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry...
Script     0.5.0      Az.DataLakeAnalytics                Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLak...
Script     0.5.0      Az.DataLakeStore                    Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzD...
Script     0.5.0      Az.DevTestLabs                      Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShut...
Script     0.5.0      Az.Dns                              Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remov...
Script     0.5.0      Az.EventGrid                        Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-...
Script     0.5.0      Az.EventHub                         Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace...
Script     0.5.0      Az.Insights                         Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzL...
Script     0.5.0      Az.IotHub                           Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGro...
Script     0.5.0      Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCert...
Script     0.5.0      Az.LogicApp                         Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegra...
Script     0.5.0      Az.MachineLearning                  Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitme...
Script     0.5.0      Az.MachineLearningCompute           Core,Desk {Get-AzMlOpCluster, Get-AzMlOpClusterKey, Test-Az...
Script     0.5.0      Az.MarketplaceOrdering              Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script     0.5.0      Az.Media                            Core,Desk {Sync-AzMediaServiceStorageKeys, Set-AzMediaServi...
Script     0.5.0      Az.Network                          Core,Desk {Add-AzApplicationGatewayAuthenticationCertificat...
Script     0.5.0      Az.NotificationHubs                 Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAuth...
Script     0.5.0      Az.OperationalInsights              Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSou...
Script     0.5.0      Az.PolicyInsights                   Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPoli...
Script     0.5.0      Az.PowerBIEmbedded                  Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPower...
Script     0.5.0      Az.Profile                          Core,Desk {Disable-AzDataCollection, Disable-AzContextAutos...
Script     0.5.0      Az.RedisCache                       Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCac...
Script     0.5.0      Az.Relay                            Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-...
Script     0.5.0      Az.Resources                        Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment...
Script     0.5.0      Az.ServiceBus                       Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNames...
Script     0.5.0      Az.ServiceFabric                    Core,Desk {Add-AzServiceFabricApplicationCertificate, Add-A...
Script     0.5.1      Az.Sql                              Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-...
Script     0.5.0      Az.Storage                          Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, N...
Script     0.5.0      Az.StreamAnalytics                  Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnaly...
Script     0.5.0      Az.Tags                             Core,Desk {Remove-AzTag, Get-AzTag, New-AzTag}
Script     0.5.0      Az.TrafficManager                   Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remo...
Script     0.5.0      Az.UsageAggregates                  Core,Desk Get-UsageAggregates
Script     0.5.0      Az.Websites                         Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-...

Environment Data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.1.0
PSEdition                      Core
GitCommitId                    6.1.0
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Debug Output

Wasn't able to get anything.

Workaround

I have a script that works for now... but really -MSI should work in this scenario.

$apiVersion = "2017-09-01"
$resourceURI = "https://management.azure.com"
$tokenAuthURI = $env:MSI_ENDPOINT + "?resource=$resourceURI&api-version=$apiVersion"

$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

Connect-AzAccount -AccessToken $accessToken -AccountId $env:WEBSITE_SITE_NAME

Interested parties:

@asavaritayal, @anirudhgarg, @pragnagopa, @fabiocav from the Azure Functions team.
@daxian-dbw, @SteveL-MSFT, @joeyaiello from the PowerShell team

[TylerLeonhardt]

If you want to DM me on Teams or shoot me an email, we can coordinate a test environment.

[SteveL-MSFT]

cc @markcowl This is a blocking issue for us

[markcowl]

@TylerLeonhardt Nothing has changed in this implementation, so I assume this was always not working in the sandbopx, even for AzureRM. We are just making standard HttpClient SendRequest calls - do you have any insight into the sandbox capabilities around HttpClient?

[daxian-dbw]

@markcowl Here is an overview about the network restrictions applied to the sandbox, I hope it's useful for you to get some insight in what might be the cause.

At the meantime, we found the module Az.Compute cannot be loaded from within the sandbox due to an assembly loading issue with the Microsoft.WindowsAzure.Storage.dll. We believe this is caused by the file system restrictions applied to the sandbox, but yet to figure out what restriction cause what to fail. We are investigating this now.

[daxian-dbw]

@markcowl @vladimir-shcherbakov I think I got to the bottom of this issue. It's because Connect-AzAccount uses incorrect resource and api-version when requesting for the token using the URI from MSI_ENDPOINT (in my case, http://127.0.0.1:41733/MSI/token/). So a BadRequest (400) response is received and HttpClientOperationsFactory.SafeSendRequestAsync moves on to the DefaultBackupMSILoginUri http://localhost:50342/oauth2/token. However, in the WebApp Sandbox, the port 50342 is obviously not permitted, so we got the An attempt was made to access a socket in a way forbidden by its access permissions exception.

When receiving a bad response from the first request (the MSI_ENDPOINT one), a CloudException is created with the following message:

Unexpected response status code 'BadRequest' received for request '{GET http://127.0.0.1:41733/MSI/token/?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01} Body: {Unsupported/Invalid api-version parameter}

As you can see, the request failed because of Unsupported/Invalid api-version parameter.

• We need your help to figure out why the resource or api-version are not right in the WebApp sandbox environment.
• We will also contact the Azure Function team on this, as it's possible that the resource and api-version used in Connect-AzAccount are legit but the MSI in AzF context doesn't support them.

If the mystery about resource and api-version is solved, then the request will succeed at the first attempt and we will never get to the default backup uri that causes the crash.

BTW, the resource and api-version as in resource=https://management.azure.com&api-version=2017-09-01 work fine in the WebApp Sandbox. We can successfully get back a token using the uri in MSI_ENDPOINT and this resource&api-version string.

---

Here are the detailed tracing logs with my annotations to help you understand my tracing:

// Running in ManagedServiceAccessToken's constructor.
// A RequestUri constructed using 'MSILoginUri' is enqueued to Token.RequestUris
CCC ManagedServiceAccessToken() - MSILoginUri CCC : http://127.0.0.1:41733/MSI/token/?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01

// Running in ManagedServiceAccessToken's constructor.
// A RequestUri constructed using 'MSILoginUriBackup' is enqueued to Token.RequestUris
CCC ManagedServiceAccessToken() - MSILoginUriBackup CCC : http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01

// Running in GetOrRenewAuthentication()
// A RequestUri is dequeued, about to call '_tokenGetter.GetAsync'
// This is the first URI, from 'MSI_ENDPOINT'
#-# GetOrRenewAuthentication #-# URI Count: 1, RequestURI <http://127.0.0.1:41733/MSI/token/?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01>

// Running in HttpClientWithRetry.SendAsync(...)
// Logging about the request right before 'await _client.SendAsync(sentRequest, token)'
// This is the first attempt, using the URI from 'MSI_ENDPOINT'
=== Request Logging Start === Request-Hash - 44108964
Method GET; RequestURI <http://127.0.0.1:41733/MSI/token/?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01>

+++ Headers:
    Key: Metadata; Value: true
    Key: Secret; Value: XXXXXXXXXXXXXXXXXXXXXXX

~~~ Content:

=== Request Logging Done ===

// Running in HttpClientWithRetry.SendAsync(...), right after 'await _client.SendAsync(sentRequest, token)'
// Logging about whether we get a response, and the state of the response.
// The response is not successful.
*** 'await _client.SendAsync' Done *** Request-Hash - 44108964; Responce Code 400, Success? False

// Running in HttpClientOperationsFactory.SafeSendRequestAsync(...)
// About to throw exception because of the bad response. Logging of the exception message.
*-* SafeSendRequestAsync *-* ExceptionMessage: Unexpected response status code 'BadRequest' received for request '{GET http://127.0.0.1:41733/MSI/token/?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01} Body: {Unsupported/Invalid api-version parameter}

// Running in GetOrRenewAuthentication()
// The second RequestUri is dequeued, the default backup Uri.
#-# GetOrRenewAuthentication #-# URI Count: 0, RequestURI <http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01>

// Running in HttpClientWithRetry.SendAsync(...)
// This is the second attempt, using the default backup Uri.
=== Request Logging Start === Request-Hash - 43658546
Method GET; RequestURI <http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01>

+++ Headers:
    Key: Metadata; Value: true
    Key: Secret; Value: XXXXXXXXXXXXXXXXXXXXXXXXXX

~~~ Content:

=== Request Logging Done ===

// There is no logging for the response because it crashed with the 'access permission' error.

[pragnagopa]

Cc @mattchenderson @jeffhollan Incase they have context on api version
Used in sandbox

[anirudhgarg]

From here: https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity#using-the-rest-protocol looks like the only supported version for app service MSI is 2017-09-01 so that well maybe the issue here.

Also the http://localhost:50342/oauth2/token endpoint is for the older implementation of MSI in VM's which uses the MSI VM extension which is in the process of getting deprecated so this will obviously not work in the Functions Sandbox.

[vladimir-shcherbakov]

An e-mail sent out to discuss possible ways of fixing the issue.

[spaelling]

I hope you guys can fix this. If I try the workaround

$TenantId = $env:TenantId
$SubscriptionId = $env:SubscriptionId
$AccountId = $env:ApplicationId

$apiVersion = "2017-09-01"
$resourceURI = "https://management.azure.com/"
$tokenAuthURI = $env:MSI_ENDPOINT + "?resource=$resourceURI&api-version=$apiVersion"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
$DefaultProfile = Connect-AzAccount -TenantId $TenantId -AccountId $AccountId -SubscriptionId $SubscriptionId -AccessToken $accessToken -Scope Process

I get an error

2019-01-10T12:13:35.007 [Info] Function started (Id=10077ce8-0f91-4df4-84fa-1d034fde6a8e)
2019-01-10T12:13:37.949 [Info] 12:13:37 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'AccessTokenWithSubscriptionId'.
2019-01-10T12:13:37.949 [Info] 12:13:37 PM - Autosave setting from startup session: 'Process'
2019-01-10T12:13:37.949 [Info] 12:13:37 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
2019-01-10T12:13:37.949 [Info] 12:13:37 PM - Setting Autosave scope to 'Process' as specified in the cmdlet parameters.
2019-01-10T12:13:37.949 [Info] 12:13:37 PM - Using Autosave scope 'Process'
2019-01-10T12:13:37.980 [Error] Connect-AzAccount : Exception has been thrown by the target of an invocation.
at run.ps1: line 26
+ Connect-AzAccount
+ _________________
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], TargetInvocationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
2019-01-10T12:13:37.980 [Info] AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - False; Duration - 00:00:00.0299951; Exception - System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArrayTypeMismatchException: Attempted to access an element as a type incompatible with the array.
   at System.Collections.Generic.List`1.Add(T item)
   at Microsoft.Azure.Internal.Subscriptions.SubscriptionClient.Initialize()
   at Microsoft.Azure.Internal.Subscriptions.SubscriptionClient..ctor(Uri baseUri, ServiceClientCredentials credentials, DelegatingHandler[] handlers)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.ClientFactory.CreateCustomArmClient[TClient](Object[] parameters)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.TryGetTenantSubscription(IAccessToken accessToken, IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, IAzureSubscription& subscription, IAzureTenant& tenant)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass87_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass89_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
   at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
2019-01-10T12:13:38.271 [Info] Finish sending metric.
2019-01-10T12:13:38.271 [Info] 12:13:38 PM - ConnectAzureRmAccountCommand end processing.
2019-01-10T12:13:38.271 [Info] 12:13:38 PM - ConnectAzureRmAccountCommand end processing.
2019-01-10T12:13:38.302 [Error] Exception while executing function: Functions.TT_BackupAzureResourceConfig. Microsoft.Azure.WebJobs.Script: PowerShell script error. mscorlib: Exception has been thrown by the target of an invocation. mscorlib: Attempted to access an element as a type incompatible with the array.
2019-01-10T12:13:38.334 [Error] Function completed (Failure, Id=10077ce8-0f91-4df4-84fa-1d034fde6a8e, Duration=3334ms)

Meaning either way I cannot work with the MSI

[markcowl]

Fix released 1/31/2019