tahaum opened a new issue, #4976:
URL: https://github.com/apache/arrow-rs/issues/4976

   It seems like ImdsManagedIdentityProvider assumes one is running in an Azure VM, even though [comments](https://github.com/apache/arrow-rs/blame/03d0505fc864c09e6dcd208d3cdddeecefb90345/object_store/src/azure/credential.rs#L385) indicate that it is intended to also work in Azure Functions.
   
   We see it when running 
   
   ```python
   from deltalake import DeltaTable
   
   account_name = "..."
   delta_path = "az://..."
   DeltaTable(delta_path, storage_options={"account_name": account_name})
   ```
   
   (using the [delta-rs](https://github.com/delta-io/delta-rs) package) in an 
Azure Function. Then we're getting the following error:
   
   > Traceback (most recent call last):
     File "<stdin>", line 1, in <module>
     File "/usr/local/lib/python3.9/site-packages/deltalake/table.py", line 250, in __init__
       self._table = RawDeltaTable(
   OSError: Generic MicrosoftAzure error: Error performing token request: response error "request error", after 10 retries: error sending request for url (http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https%3A%2F%2Fstorage.azure.com): error trying to connect: tcp connect error: Connection refused (os error 111)
   
   It looks like the endpoint set here does not work for Azure Functions, but 
Azure VMs (and other resource types?): 
https://github.com/apache/arrow-rs/blob/03d0505fc864c09e6dcd208d3cdddeecefb90345/object_store/src/azure/credential.rs#L404
   
   If we set the `msi_endpoint` in the storage_options explicitly using the 
IDENTITY_ENDPOINT environment variable found in the Azure Function we instead 
get the following error:
   > OSError: Generic MicrosoftAzure error: Error getting token response body: error decoding response body: missing field `expires_in` at line 1 column 1641
   
   Our hypothesis is that this is caused by 
https://github.com/apache/arrow-rs/blame/03d0505fc864c09e6dcd208d3cdddeecefb90345/object_store/src/azure/credential.rs#L463
 and the assumption that the token response looks like this:
   ```json
   {
       "access_token": "TOKEN",
       "refresh_token": "",
       "expires_in": "3599",
       "expires_on": "1506484173",
       "not_before": "1506480273",
       "resource": "https://management.azure.com/",
       "token_type": "Bearer"
   }
   ```
   In reality, the responses we get from the $IDENTITY_ENDPOINT look like this 
(notice the absence of `expires_in`):
   ```json
   {
     "access_token": "TOKEN",
     "expires_on": "1698150006",
     "resource": "https://storage.azure.com",
     "token_type": "Bearer",
     "client_id": "..."
   }
   ```
   
   MSI in Azure Functions documentation: 
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#connect-to-azure-services-in-app-code
   Related: https://github.com/delta-io/delta-rs/issues/662
   Maintainer (?) of relevant code: @roeap
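
The two response shapes quoted in the issue can be handled by one tolerant parser. The sketch below is an added example, not code from arrow-rs, object_store or delta-rs; `ManagedIdentityToken`, `parse_token_response` and the sample strings are hypothetical names, and it assumes `expires_on` is a Unix timestamp in seconds, as the quoted values suggest.

```python
import json
import time
from dataclasses import dataclass, field

# Constructed samples mirroring the two response shapes quoted in the issue.
VM_STYLE = '{"access_token": "TOKEN", "expires_in": "3599", "expires_on": "1506484173", "token_type": "Bearer"}'
FUNCTION_STYLE = '{"access_token": "TOKEN", "expires_on": "1698150006", "token_type": "Bearer"}'


@dataclass(frozen=True)
class ManagedIdentityToken:
    access_token: str = field(repr=False)  # keep the bearer token out of logs
    expires_at: float  # absolute expiry, Unix seconds

    def needs_refresh(self, now, margin=300.0):
        """True once the token is within `margin` seconds of expiry."""
        return now >= self.expires_at - margin


def _seconds(doc, key):
    """Read a numeric field that the endpoint may send as a string."""
    try:
        return float(doc[key])
    except (TypeError, ValueError) as exc:
        raise ValueError(f"token response field {key!r} is not numeric") from exc


def parse_token_response(body, now=None):
    """Parse a token response carrying expires_on, expires_in, or both."""
    now = time.time() if now is None else now
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("token response is not valid JSON") from exc
    if not isinstance(doc, dict) or not doc.get("access_token"):
        raise ValueError("token response has no access_token")
    # expires_on appears in both quoted shapes, so use it first (assumed Unix
    # seconds); fall back to the relative expires_in when it is absent.
    if "expires_on" in doc:
        expires_at = _seconds(doc, "expires_on")
    elif "expires_in" in doc:
        expires_at = now + _seconds(doc, "expires_in")
    else:
        raise ValueError("token response has neither expires_on nor expires_in")
    if expires_at <= now:
        raise ValueError("token response is already expired")
    return ManagedIdentityToken(str(doc["access_token"]), expires_at)
```

Error messages deliberately name only the offending field, never the response body, so a failed parse does not leak the token into logs.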

