Describe the bug
"az login --identity" fails on a VMSS instance with managed identity configured:
$ az login --identity
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
This occurs both with system assigned and user assigned managed identities.
I am certain that the VMSS identity is set up correctly.
Related command
az login
Errors
$ az login --identity
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
Issue script & Debug output
$ az login --identity --debug
cli.knack.cli: Command arguments: ['login', '--identity', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x76cdd9bd77e0>, <function OutputProducer.on_global_arguments at 0x76cdd997e7a0>, <function CLIQuery.on_global_arguments at 0x76cdd99c3ce0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.003 2 8
cli.azure.cli.core: Total (1) 0.003 2 8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x76cdd8bfc360>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/xxx/.azure/commands/2025-05-08.08-33-47.login.10330.log'.
az_command_data_logger: command args: login --identity --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x76cdd8c48860>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x76cdd8c4b060>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x76cdd8c4b1a0>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x76cdd8c4b240>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x76cdd997e840>, <function CLIQuery.handle_query_parameter at 0x76cdd99c3d80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x76cdd8c4b100>]
urllib3.connectionpool: Starting new HTTP connection (1): 127.0.0.1:3128
urllib3.connectionpool: http://127.0.0.1:3128 "GET http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 400 68
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication:
Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
token_entry = self._vm_msi.get_token(self.resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
token_entry = self._retrieve_token_from_imds_with_retry(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 600, in set_token
token_entry = self._vm_msi.get_token(self.resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 649, in get_token
token_entry = self._retrieve_token_from_imds_with_retry(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 704, in _retrieve_token_from_imds_with_retry
raise HTTPError(request=result.request, response=result.raw)
requests.exceptions.HTTPError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 149, in login
return profile.login_with_managed_identity(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 244, in login_with_managed_identity
msi_creds = MSIAuthenticationWrapper(resource=resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
self.set_token()
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/adal_authentication.py", line 85, in set_token
raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned http error: 400, reason: Bad Request
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x76cdd8bfc5e0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 0.564 seconds (init: 0.198, invoke: 0.366)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3877 in cache file under /home/adminuser/.azure/telemetry/20250508083347853
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /home/xxx/.azure /home/xxx/.azure/telemetry/20250508083347853"
telemetry.process: Return from creating process 10336
telemetry.main: Finish creating telemetry upload process.
Expected behavior
"az login --identity" should just work using the system assigned identity of the scale set.
"az login --identity --resource-id xxxx" should just work using the user assigned identity of the scale set.
Environment Summary
azure-cli 2.72.0
core 2.72.0
telemetry 1.1.0
Dependencies:
msal 1.32.3
azure-mgmt-resource 23.1.1
Python location '/opt/az/bin/python3'
Config directory '/home/xxx/.azure'
Extensions directory '/home/xxx/.azure/cliextensions'
Python (Linux) 3.12.8 (main, Apr 28 2025, 09:24:43) [GCC 11.4.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response
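The debug output in this report shows the token request reaching 169.254.169.254 through a local proxy at 127.0.0.1:3128, and Azure documents that IMDS must be called directly rather than through a proxy. The following is an added example, not part of the original report or of Azure CLI: it scans urllib3 debug lines for metadata requests that went via a proxy and checks whether a NO_PROXY value exempts the endpoint. The function names are hypothetical, and the NO_PROXY matching is a simplified model (exact IP, CIDR or `*`), since HTTP clients differ in how they interpret that variable.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# urllib3 debug format: <connection> "<METHOD> <url> HTTP/x" <status> <length>.
# A direct request logs a relative path; an absolute URL means it went via a proxy.
_REQ = re.compile(
    r'urllib3\.connectionpool: (?P<conn>https?://\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)

# Lines 1-2 are copied from the report; line 3 is constructed (a direct request).
SAMPLE_LOG = """\
urllib3.connectionpool: Starting new HTTP connection (1): 127.0.0.1:3128
urllib3.connectionpool: http://127.0.0.1:3128 "GET http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 400 68
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/instance?api-version=2021-02-01 HTTP/1.1" 200 512
"""


def proxied_metadata_requests(log_text):
    """Return requests to link-local (metadata) addresses that were sent via a proxy."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.scheme or not target.hostname:
            continue  # relative path: the request was sent directly
        try:
            link_local = ipaddress.ip_address(target.hostname).is_link_local
        except ValueError:
            continue  # target is a DNS name, not an IP literal
        if link_local:
            findings.append({"proxy": urlsplit(m["conn"]).netloc,
                             "target": target.hostname,
                             "status": int(m["status"])})
    return findings


def no_proxy_covers(host, no_proxy):
    """Simplified check: does a NO_PROXY value exempt this IP (exact, CIDR or '*')?"""
    ip = ipaddress.ip_address(host)
    for entry in (e.strip() for e in no_proxy.split(",")):
        if entry == "*":
            return True
        try:
            if entry and ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname or domain entry, cannot match an IP literal
    return False


if __name__ == "__main__":
    for finding in proxied_metadata_requests(SAMPLE_LOG):
        print(finding)
```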