Skip to content

create federated identity in WSL-ubuntu got invisible char in OIDCURL #26942

Description

@dante159753

Describe the bug

when create federated identity in wsl using az cli from windows, it insert invisible '\r' into OIDCUrl, makes the auth failed with 70021

Related command

INFRA_UAI_NAME="yz-image-mgmt07-uai"
INFRA_UAI_RG="yz-image-mgmt07-rg"
MGMT_RG="rpaas061901"
MGMT_NAME="rpaas061901"

az account set -s "ASZ_HybridAKS_Dev"
echo "load AKS_OIDC_ISSUER from mgmt aks"
AKS_OIDC_ISSUER="$(az aks show -n $MGMT_NAME -g $MGMT_RG --query "oidcIssuerProfile.issuerUrl" -otsv)"
echo "AKS_OIDC_ISSUER=${AKS_OIDC_ISSUER}"

az account set -s "ASZ_HybridAKS_POC_dev"
INFRA_UAI_FED_IMAGE_NAME="yztestfedid"
IMAGE_ACCOUNT_SUBJECT="system:serviceaccount:image-mgmt:image-mgmt-controller-manager"
az identity federated-credential create \
  --name "${INFRA_UAI_FED_IMAGE_NAME}" \
  --identity-name "${INFRA_UAI_NAME}" \
  --resource-group "${INFRA_UAI_RG}" \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject "${IMAGE_ACCOUNT_SUBJECT}" \
  --audience api://AzureADTokenExchange

Errors


load AKS_OIDC_ISSUER from mgmt aks
AKS_OIDC_ISSUER=https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/
{
  "audiences": [
    "api://AzureADTokenExchange"
  ],
  "id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
  "issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
  "name": "yztestfedid",
  "resourceGroup": "yz-image-mgmt07-rg",
  "subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
  "systemData": null,
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Issue script & Debug output

$ az identity federated-credential create --name "${INFRA_UAI_FED_IMAGE_NAME}" --identity-name "${INFRA_UAI_NAME}" --resource-group "${INFRA_UAI_RG}" --issuer "${AKS_OIDC_ISSUER}" --subject "${IMAGE_ACCOUNT_SUBJECT}" --audience api://AzureADTokenExchange --debug
cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'yztestfedid', '--identity-nam
e', 'yz-image-mgmt07-uai', '--resource-group', 'yz-image-mgmt07-rg', '--issuer', 'https://eastus.oic.prod-aks.azure.com/7
2f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r', '--subject', 'system:serviceaccount:image-m
gmt:image-mgmt-controller-manager', '--audience', 'api://AzureADTokenExchange', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x019CB460>, <fu
nction OutputProducer.on_global_arguments at 0x01CFD6A0>, <function CLIQuery.on_global_arguments at 0x01D182F8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: identity 0.008 2 11
cli.azure.cli.core: Total (1) 0.008 2 11
cli.azure.cli.core: Loaded 2 groups, 11 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : identity federated-credential create
cli.azure.cli.core: Command table: identity federated-credential create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03D
CB460>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\wangya.azure\commands\2023-07-19
.19-45-56.identity_federated-credential_create.15236.log'.
az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group
{} --issuer {} --subject {} --audience {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subs
cription_parameter at 0x03E18898>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments
at 0x03E18A48>, <function register_cache_arguments..add_cache_arguments at 0x03E18AD8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01CFD6E8>, <fu
nction CLIQuery.handle_query_parameter at 0x01D18340>, <function register_ids_argument..parse_ids_arguments at 0x
03E18A90>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ManagedServiceIdentityClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\wangya\.azure\msal_token_cache.bin', encry
pt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\wangya.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db4
7/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_b
asic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'respon
se_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_v
alues_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes
_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1
-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.co
m/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth
2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db
47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint':
'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub',
'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat',
'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoin
t': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'clou
d_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.c
om', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.d
efault',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.def
ault',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 8507bda4-0bad-49f2-ad5a-af168137618c
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3
292f6/resourceGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/fe
deratedIdentityCredentials/yztestfedid?api-version=2023-01-31'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '266'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '8d69a198-26a7-11ee-b394-00155d349f00'
cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --au
dience --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.50.0 azsdk-python-azure-mgmt-msi/7.0.0 Python/3.10.10 (Win
dows-10-10.0.19045-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab
-2d7cd011db47/114d1247-ab23-4620-a471-52399b08af4d/\r", "subject": "system:serviceaccount:image-mgmt:image-mgmt-controlle
r-manager", "audiences": ["api://AzureADTokenExchange"]}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourc
eGroups/yz-image-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdenti
tyCredentials/yztestfedid?api-version=2023-01-31 HTTP/1.1" 201 581
cli.azure.cli.core.sdk.policies: Response status: 201
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '581'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Location': '/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-i
mage-mgmt07-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredential
s/yztestfedid'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '9760f3cf-2e3e-426f-a8de-38992a6ff858'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTUS:20230720T024558Z:9760f3cf-2e3e-426f-a8de-38992a6f
f858'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 20 Jul 2023 02:45:58 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt0
7-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfe
did","name":"yztestfedid","type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials","propert
ies":{"issuer":"https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b
08af4d/\r","subject":"system:serviceaccount:image-mgmt:image-mgmt-controller-manager","audiences":["api://AzureADTokenExc
hange"]}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x03DF0C88>, <function _x5
09_from_base64_to_hex_transform at 0x03DF0CD0>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"audiences": [
"api://AzureADTokenExchange"
],
"id": "/subscriptions/14ffb851-0b40-4673-abd3-f7a91c3292f6/resourcegroups/yz-image-mgmt07-rg/providers/Microsoft.Manage
dIdentity/userAssignedIdentities/yz-image-mgmt07-uai/federatedIdentityCredentials/yztestfedid",
"issuer": "https://eastus.oic.prod-aks.azure.com/72f988bf-86f1-41af-91ab-2d7cd011db47/114d1247-ab23-4620-a471-52399b08a
f4d/\r",
"name": "yztestfedid",
"resourceGroup": "yz-image-mgmt07-rg",
"subject": "system:serviceaccount:image-mgmt:image-mgmt-controller-manager",
"systemData": null,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03DCB580>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.519 seconds (init: 0.688, invoke: 1.831)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3378 in cache
telemetry.check: Negative: The C:\Users\wangya.azure\telemetry.txt was modified at 2023-07-19 19:43:05.626410, which in
less than 600.000000 s

Expected behavior

do not insert \r into oidcUrl

Environment Summary

az --version
azure-cli 2.50.0

core 2.50.0
telemetry 1.0.8

Dependencies:
msal 1.22.0
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\wangya.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

Metadata

Metadata

Assignees

Labels

AKSaz aks/acs/openshiftARMaz resource/group/lock/tag/deployment/policy/managementapp/account management-groupAuto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamManaged IdentityFor `az identity` onlyService AttentionThis issue is responsible by Azure service team.act-identity-squadact-observability-squadbugThis issue requires a change to an existing behavior in the product in order to be resolved.needs-team-attentionThis issue needs attention from Azure service team or SDK teamquestionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type
No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions