sugibuchi opened a new issue, #4096:
URL: https://github.com/apache/arrow-rs/issues/4096

**Describe the bug**

The current implementation of `ImdsManagedIdentityOAuthProvider` (for MSI-based authentication in Azure) tries to get tokens from the IMDS endpoint by using the default **OIDC scope** (resource ID + permission) of the Azure storage service (`https://storage.azure.com/.default`) as the query parameter `resource`.
   
   
https://github.com/apache/arrow-rs/blob/master/object_store/src/azure/credential.rs#L53
   
https://github.com/apache/arrow-rs/blob/master/object_store/src/azure/credential.rs#L418-L428
```rust
const AZURE_STORAGE_SCOPE: &str = "https://storage.azure.com/.default"; // <-- This is a "scope"
...
impl TokenCredential for ImdsManagedIdentityOAuthProvider {
    /// Fetch a token
    async fn fetch_token(
        &self,
        _client: &Client,
        retry: &RetryConfig,
    ) -> Result<TemporaryToken<String>> {
        let mut query_items = vec![
            ("api-version", MSI_API_VERSION),
            ("resource", AZURE_STORAGE_SCOPE), // <-- Set "scope" including ".default"
        ];
```
   
However, the value of `resource` must be a **resource ID** without `.default`. You can find a C# code example in the following official document.
   
   
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-vm-windows-access-storage#access-data
   
**To Reproduce**

Sorry. I cannot directly reproduce this problem since I have no experience in Rust. We identified this problem when we tried to write a Delta Lake file by using the [Python binding of delta-rs](https://delta-io.github.io/delta-rs/python/api_reference.html#writing-deltatables), which uses the Rust `object_store`.
   
```
deltalake.PyDeltaTableError: Failed to load checkpoint: Failed to read checkpoint content: Generic MicrosoftAzure error: Error authorizing request: Error performing token request: response error "adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://storage.azure.com/.default was not found in the tenant named *****. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: *****\r\nCorrelation ID: *****\r\nTimestamp: 2023-04-17 16:15:01Z","error_codes":[500011],"timestamp":"2023-04-17 16:15:01Z","trace_id":"*****","correlation_id":"*****","error_uri":"https://westeurope.login.microsoft.com/error?code=500011"}
Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=*****&resource=https%3A%2F%2Fstorage.azure.com%2F.default
", after 0 retries: HTTP status client error (403 Forbidden) for url (http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https%3A%2F%2Fstorage.azure.com%2F.default&client_id=*****)
```
   
We can reproduce the same error by sending requests to the IMDS endpoint using curl.
   
```
# with ".default"
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=***&resource=https%3A%2F%2Fstorage.azure.com%2F.default"

adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_resource", ...

# without ".default"
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=***&resource=https%3A%2F%2Fstorage.azure.com%2F"

{"access_token":"...
```
   
**Expected behavior**
`ImdsManagedIdentityOAuthProvider` sends the request to `http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=*****&resource=https%3A%2F%2Fstorage.azure.com%2F`, without `.default` in the query parameter `resource`.
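An added example (not code from arrow-rs or from the issue author) of the conversion the report asks for: turning the `/.default` OIDC scope into the bare resource ID and building the IMDS token URL shown under Expected behavior. It generalizes to any `/.default` scope, and the constant names, function names and client-id placeholder are assumptions.

```rust
/// IMDS managed-identity token endpoint and API version, as used in the issue.
const IMDS_TOKEN_ENDPOINT: &str = "http://169.254.169.254/metadata/identity/oauth2/token";
const MSI_API_VERSION: &str = "2018-02-01";

/// Convert an OIDC scope such as `https://storage.azure.com/.default` into the
/// bare resource identifier IMDS expects (`https://storage.azure.com/`).
/// A value without the `/.default` suffix is already a resource ID and passes through.
fn scope_to_imds_resource(scope: &str) -> String {
    match scope.strip_suffix("/.default") {
        Some(prefix) => format!("{prefix}/"),
        None => scope.to_string(),
    }
}

/// Minimal percent-encoding for a query value (unreserved characters kept,
/// everything else as %XX), written here to keep the example dependency-free.
fn percent_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the IMDS token-request URL. `client_id` selects a user-assigned
/// identity and is optional in the IMDS query.
fn build_imds_token_url(scope_or_resource: &str, client_id: Option<&str>) -> String {
    let resource = scope_to_imds_resource(scope_or_resource);
    let mut url = format!("{IMDS_TOKEN_ENDPOINT}?api-version={MSI_API_VERSION}");
    if let Some(id) = client_id {
        url.push_str(&format!("&client_id={}", percent_encode(id)));
    }
    url.push_str(&format!("&resource={}", percent_encode(&resource)));
    url
}

fn main() {
    // Constructed placeholder client id; a real request also needs the
    // "Metadata: true" header the curl reproduction above sends.
    let client_id = "00000000-0000-0000-0000-000000000000";
    println!("{}", build_imds_token_url("https://storage.azure.com/.default", Some(client_id)));
}
```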
