Fix GetManagedIdentitySourceAsync caching wrong IMDS source#6025
bgavrilMS wants to merge 4 commits into
Simplify GetManagedIdentitySourceAsync to only probe IMDSv1 and assume IMDSv2 infrastructure is always available when IMDS is detected. Previously, if Azure SDK called GetManagedIdentitySourceAsync, it would detect v1 and cache it, causing subsequent mTLS PoP requests to fail because the cached source was Imds (v1), which doesn't support token binding.

Now:
- Discovery only probes IMDSv1 to determine IMDS availability
- When cached source is Imds and mTLS PoP is requested, routes to IMDSv2
- Removes the preview guard that prevented switching between versions

Fixes #6024

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace ImdsV2EndpointsAreNotAvailableButMtlsPopTokenWasRequested with ImdsV1Cached_MtlsPopRequested_RoutesToImdsV2 (validates mTLS PoP routes to IMDSv2 when v1 is cached, instead of throwing)
- Update ProbeImdsEndpointAsyncSucceeds to test v1 probe only
- Replace ProbeImdsEndpointAsyncSucceedsAfterRetry and ProbeImdsEndpointAsyncFails404 with ProbeImdsEndpointAsyncFails_ReturnsNoneFound (v2 is no longer probed during discovery)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Since discovery now only probes IMDSv1, replace the separate ImdsV1FailureReason and ImdsV2FailureReason properties with a single ImdsFailureReason property on ManagedIdentitySourceResult. Breaking change: ImdsV1FailureReason and ImdsV2FailureReason removed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ImdsV1Cached_MtlsPopRequested_RoutesToImdsV2 now explicitly calls GetManagedIdentitySourceAsync (caching Imds v1) followed by AcquireTokenForManagedIdentity with mTLS PoP, matching the exact scenario from issue #6024 where Azure SDK probes first. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Fixes #6024
When the Azure SDK calls GetManagedIdentitySourceAsync first (probing), it caches Imds (v1). A subsequent mTLS PoP request then fails because the cached source is v1, which doesn't support mTLS PoP.
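The probe-then-request scenario described above, modelled as an added example; this is not MSAL's own code, and the enum, class and function names (`ManagedIdentitySource`, `SourceDiscovery`, `reproduce`) are constructed stand-ins. It shows why a cache populated by discovery cannot know about a later PoP requirement, and that the fix reroutes at request time without probing again.

```python
from enum import Enum


class ManagedIdentitySource(Enum):
    """Constructed stand-in for the source enum (not MSAL's type)."""
    NONE = "None"
    IMDS = "Imds"        # classic IMDS (v1): bearer tokens only
    IMDS_V2 = "ImdsV2"   # IMDS with token-binding (mTLS PoP) support


class SourceDiscovery:
    """Models the discovery cache. probe_v1 is a constructed callable that
    reports whether the IMDSv1 endpoint answered; v2 is never probed."""

    def __init__(self, probe_v1, apply_fix=True):
        self._probe_v1 = probe_v1
        self._apply_fix = apply_fix
        self._cached = None
        self.probe_calls = 0

    def get_source(self):
        # GetManagedIdentitySourceAsync analogue: probe once, cache the result.
        if self._cached is None:
            self.probe_calls += 1
            self._cached = (ManagedIdentitySource.IMDS if self._probe_v1()
                            else ManagedIdentitySource.NONE)
        return self._cached

    def source_for_request(self, mtls_pop):
        # AcquireTokenForManagedIdentity analogue. The bug: a cached Imds (v1)
        # result was used verbatim, so a PoP request had no binding endpoint.
        source = self.get_source()
        if mtls_pop and source is ManagedIdentitySource.IMDS:
            if not self._apply_fix:
                raise RuntimeError("cached source Imds does not support mTLS PoP")
            return ManagedIdentitySource.IMDS_V2  # reroute; no second probe
        return source


def reproduce(apply_fix):
    """Issue #6024 order of events: SDK probes first, then asks for mTLS PoP.
    Returns (source name used for the PoP request, probes performed)."""
    disc = SourceDiscovery(probe_v1=lambda: True, apply_fix=apply_fix)
    disc.get_source()  # the SDK's probe caches Imds (v1)
    try:
        return disc.source_for_request(mtls_pop=True).value, disc.probe_calls
    except RuntimeError:
        return "error", disc.probe_calls
```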
Changes
Core fix (ManagedIdentityClient.cs):
Tests (ImdsV2Tests.cs, ManagedIdentityTests.cs):
Backward compatibility: