
Can't resolve Keyvault reference in App Config with managed identity #15805

@nilsga

Describe the bug

Resolving a keyvault reference through App Config with a VM managed identity does not work.

Command Name
az appconfig kv list

Errors:

'MSIAuthenticationWrapper' object has no attribute '_token_retriever'

To Reproduce:

Steps to reproduce the behavior.

  • Create a VM with a managed identity
  • Create a keyvault, and give the VM an access policy to get and list secrets
  • Create an App Config instance
  • Add a keyvault reference, say testsecret/keyvaultref
  • From the VM, run az appconfig kv list --name <appconfig_name> --key 'testsecret/*' --resolve-keyvault

Expected Behavior

The value should be resolved from the keyvault.

Environment Summary

Linux-5.4.0-1031-azure-x86_64-with-debian-buster-sid
Python 3.6.10
Installer: DEB

azure-cli 2.14.0

Additional Context

Stacktrace:

msrestazure.azure_active_directory : MSI: Token retrieved
azure.cli.core.util.handle_exception is called with an exception:
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/appconfig/_kv_helpers.py", line 982, in __resolve_secret
    secret_version=kv_identifier.version)
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/v7_0/key_vault_client.py", line 1843, in get_secret
    response = self._client.send(request, header_parameters, stream=False, **operation_config)
  File "/opt/az/lib/python3.6/site-packages/msrest/service_client.py", line 336, in send
    pipeline_response = self.config.pipeline.run(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 197, in run
    return first_node.send(pipeline_request, **kwargs)  # type: ignore
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/requests.py", line 72, in send
    return self.next.send(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/requests.py", line 137, in send
    return self.next.send(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/requests.py", line 193, in send
    self.driver.send(request.http_request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/universal_http/requests.py", line 333, in send
    return super(RequestsHTTPSender, self).send(request, **requests_kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/universal_http/requests.py", line 142, in send
    **kwargs)
  File "/opt/az/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/az/lib/python3.6/site-packages/requests/sessions.py", line 653, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/key_vault_authentication.py", line 146, in _handle_401
    security = self._get_message_security(prep, challenge)
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/key_vault_authentication.py", line 172, in _get_message_security
    scheme))
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/key_vault_authentication.py", line 61, in _auth_callback_compat
    if len(inspect.getargspec(self._user_callback).args) == 3 \
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/appconfig/_kv_helpers.py", line 969, in _get_token
    return Profile(cli_ctx=cli_ctx).get_login_credentials(resource)[0]._token_retriever()  # pylint: disable=protected-access
AttributeError: 'MSIAuthenticationWrapper' object has no attribute '_token_retriever'
