
MSI support in Azure Cloud Shell #116

Closed
marcosgm opened this issue Oct 18, 2021 · 4 comments · Fixed by #119
Labels
enhancement New feature or request
Milestone

Comments

@marcosgm

Related: hashicorp/terraform-provider-azuread#633

Hamilton's MSI authentication doesn't consider the URL formats needed to get an MSI Access Token when run inside the cloud shell.

https://docs.microsoft.com/en-us/azure/cloud-shell/msi-authorization
The URL format is http://localhost:50342/oauth2/token

In https://github.com/manicminer/hamilton/blob/main/auth/msi.go#L115 we see the format of the URL expects to contain "/metadata", which is part of the URL when MSI is used in a VM, for instance
http://169.254.169.254/metadata/identity/oauth2/token
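To make the two URL shapes from the issue concrete, here is an added example (not code from hamilton or from the issue author) that builds the token request URL for either endpoint layout and parses a token response without ever exposing the access token. The `api-version`, `resource` and `format` parameters and the response shape are taken from the debug output in this thread; the rule that a bare host gets the IMDS path while an endpoint that already carries a path (as Cloud Shell's does) is used as-is is an assumption of this example, as is the sample response body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// API version seen in the issue's debug output.
const msiDefaultApiVersion = "2018-02-01"

// Link-local IMDS address used on Azure VMs (from the issue body).
const imdsHost = "169.254.169.254"

// msiTokenURL builds the token request URL for a managed-identity endpoint.
// Two layouts are handled, both quoted in the issue:
//   - VM IMDS:     http://169.254.169.254  -> /metadata/identity/oauth2/token
//   - Cloud Shell: http://localhost:50342/oauth2/token (path already present)
// Assumption: only a bare host gets the IMDS path; any endpoint that already
// has a path is trusted as a complete token endpoint.
func msiTokenURL(endpoint, resource, clientId string) (string, error) {
	e, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	if e.Scheme == "" || e.Host == "" {
		return "", fmt.Errorf("msi endpoint must include scheme and host: %q", endpoint)
	}
	if strings.Trim(e.Path, "/") == "" {
		e.Path = "/metadata/identity/oauth2/token"
	}
	q := url.Values{
		"api-version": []string{msiDefaultApiVersion},
		"resource":    []string{resource},
	}
	if clientId != "" {
		// Selects a user-assigned identity; omitted for the system-assigned one.
		q.Set("client_id", clientId)
	}
	e.RawQuery = q.Encode()
	return e.String(), nil
}

// isIMDS reports whether the endpoint is the VM metadata service, whose
// requests must also carry the "Metadata: true" header.
func isIMDS(endpoint string) bool {
	e, err := url.Parse(endpoint)
	return err == nil && e.Hostname() == imdsHost
}

// tokenSummary is the non-secret subset of a token response: safe to log.
type tokenSummary struct {
	Resource  string
	TokenType string
	ExpiresOn string
	HasToken  bool
}

// summarizeTokenResponse parses a token response but never returns the
// access_token itself, so debug traces like the ones in this issue cannot
// leak a live credential.
func summarizeTokenResponse(body []byte) (tokenSummary, error) {
	var raw struct {
		AccessToken string `json:"access_token"`
		Resource    string `json:"resource"`
		TokenType   string `json:"token_type"`
		ExpiresOn   string `json:"expires_on"`
	}
	if err := json.Unmarshal(body, &raw); err != nil {
		return tokenSummary{}, err
	}
	return tokenSummary{
		Resource:  raw.Resource,
		TokenType: raw.TokenType,
		ExpiresOn: raw.ExpiresOn,
		HasToken:  raw.AccessToken != "",
	}, nil
}

// Constructed sample response, shaped like the redacted one in the issue.
const sampleResponse = `{"access_token":"REDACTED-SAMPLE","refresh_token":"","expires_in":"1558","expires_on":"1634583888","not_before":"1634579989","resource":"https://graph.microsoft.com/","token_type":"Bearer"}`

func main() {
	for _, ep := range []string{"http://169.254.169.254", "http://localhost:50342/oauth2/token"} {
		u, err := msiTokenURL(ep, "https://graph.microsoft.com/", "")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s (imds=%v)\n", u, isIMDS(ep))
	}
	s, err := summarizeTokenResponse([]byte(sampleResponse))
	fmt.Printf("%+v err=%v\n", s, err)
}
```

For the Cloud Shell endpoint the function reproduces the second URL in the debug trace below exactly (`http://localhost:50342/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com%2F`); for a bare IMDS host it produces the `/metadata/identity/oauth2/token` form the issue body describes.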

@marcosgm (Author) commented Oct 18, 2021

I changed the code on a few places and added some debugs:

Modified source with debug statements: [msi_debugs.go.txt](https://github.com/manicminer/hamilton/files/7367807/msi_debugs.go.txt)

$ go test --race ./... -v
=== RUN   TestAzureCliAuthorizer
--- PASS: TestAzureCliAuthorizer (1.13s)
=== RUN   TestMsiAuthorizer
url is : http://localhost:50342/oauth2/token?api-version=2018-02-01&format=text&resource=https%3A%2F%2Fmanagement.azure.com%2F

GET /oauth2/token?api-version=2018-02-01&format=text&resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1
Host: localhost:50342
User-Agent: Go-http-client/1.1
Content-Length: 38
Accept-Encoding: gzip

resource=https://management.azure.com/

HTTP/1.1 200 OK
Content-Length: 2162
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Mon, 18 Oct 2021 18:38:50 GMT
Etag: W/"872-7WpHq6sLbo/bDSyC3PAw3C2IjwA"
X-Powered-By: Express

{"access_token":"(REDACTED) MukeJyc37ggOpV41f3U1TY9CblMOkTavjh3Q9Yz0-_I6c6y8kDCMZJbTs2NMdk0AWMSdsHsB_aDoRo5QfQ","refresh_token":"","expires_in":"1513","expires_on":"1634583843","not_before":"1634579943","resource":"https://management.core.windows.net/","token_type":"Bearer"}

url is : http://localhost:50342/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com%2F

GET /oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com%2F HTTP/1.1
Host: localhost:50342
User-Agent: Go-http-client/1.1
Content-Length: 38
Accept-Encoding: gzip

resource=https://management.azure.com/

HTTP/1.1 200 OK
Content-Length: 2481
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Mon, 18 Oct 2021 18:38:50 GMT
Etag: W/"9b1-7RxI3beG6uimCUxaeTgt0r94X5Y"
X-Powered-By: Express

{"access_token":"(REDACTED) 2ZYqIeAo5wQluCzExh8VXIdfsstqCaHfqkNsaXzwahuLp412w","refresh_token":"","expires_in":"1558","expires_on":"1634583888","not_before":"1634579989","resource":"https://graph.microsoft.com/","token_type":"Bearer"}

--- PASS: TestMsiAuthorizer (0.01s)
=== RUN   TestParseClaims_azureCli

@marcosgm (Author)

--- PASS: TestAzureCliAuthorizer (1.23s)
=== RUN   TestMsiAuthorizer
--- PASS: TestMsiAuthorizer (0.01s)
=== RUN   TestParseClaims_azureCli
--- PASS: TestParseClaims_azureCli (1.15s)
=== RUN   TestParseClaims_clientCertificate

system@Azure:~/msitests/hamilton$
system@Azure:~/msitests/hamilton$ git diff
diff --git a/auth/msi.go b/auth/msi.go
index e87f18e..b2c64fd 100644
--- a/auth/msi.go
+++ b/auth/msi.go
@@ -112,10 +112,11 @@ func NewMsiConfig(ctx context.Context, resource, msiEndpoint, clientId string) (
        }

        // determine the generic metadata URL and check if we can reach it
-       e.Path = "/metadata"
+       e.Path = "/oauth2/token"
        e.RawQuery = url.Values{
                "api-version": []string{msiDefaultApiVersion},
                "format":      []string{"text"},
+               "resource": []string{"https://management.azure.com/"},
        }.Encode()

        _, err = azureMetadata(ctx, e.String())
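Review bot: The added `"resource"` query value is hard-coded to `https://management.azure.com/` even though `NewMsiConfig` receives a `resource` argument (visible in the hunk header); the probe should use that argument, otherwise the endpoint check requests a real token for a resource the caller never asked for, which is exactly what the debug trace above shows (a management token fetched before the graph token), and every such request is a token issuance the identity's audit log will record. Changing `e.Path` from `/metadata` to `/oauth2/token` also ties the check to the Cloud Shell endpoint and would break the VM IMDS layout (`/metadata/identity/oauth2/token`) described in the issue body, and the comment `// determine the generic metadata URL and check if we can reach it` no longer describes what the code does. Either derive the probe path from the configured endpoint or drop the reachability check and let the first real token request surface the error.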

@marcosgm (Author)

This is the output using the current code:

--- PASS: TestAzureCliAuthorizer (1.16s)
=== RUN   TestMsiAuthorizer
--- FAIL: TestMsiAuthorizer (0.00s)
    auth_test.go:127: NewMsiAuthorizer(): NewMsiConfig: could not validate MSI endpoint: received HTTP status 404
=== RUN   TestParseClaims_azureCli
--- PASS: TestParseClaims_azureCli (1.16s)

@manicminer manicminer added the enhancement New feature or request label Oct 26, 2021
@manicminer (Owner)

@marcosgm Thanks for raising this, the next release of the SDK will remove a configuration check that was hindering managed identity authentication in Cloud Shell.

@manicminer manicminer added this to the v0.34.0 milestone Nov 3, 2021