[App Service] Support managed identity in App Service container

[jiasli]

Description

• Close az acr build error: ValueError: invalid literal for int() with base 10: '09/01/2021 08:13:20 +00:00' #19480
• Close Az login --identity doen't work from custom container i app services #20196
• Close az login --identity fails: ValueError: invalid literal for int() with base 10: '11/04/2021 23:46:50 +00:00' #20186

For more details, see #19480 (comment)

msrestazure still uses 2017-09-01 for managed identity in App Service container. The returned expires_on is a datetime string like "11/05/2021 15:18:31 +00:00". This differs from expires_on returned by managed identity on Azure VM:

• epoch in str (VM managed identity endpoint 2018-02-01): "1605238724"
• datetime in Month/Day/Year str with timezone (App service managed identity endpoint 2017-09-01): "11/05/2021 15:18:31 +00:00"

As it is not possible to update msrestazure to use the latest 2019-08-01 managed identity endpoint, because msrestazure has been out of maintenance. Azure CLI needs to be able to handle such inconsistency in order to support managed identity in App Service container.

Testing Guide

1. In Azure Portal, create an app service with "quickstart" docker image mcr.microsoft.com/appsvc/staticsite:latest
2. Configure system assigned identity for the app service
3. Follow the doc to SSH into the container: https://docs.microsoft.com/en-us/azure/app-service/configure-linux-open-ssh-session

az webapp create-remote-connection --subscription 0b1f6471-1bf0-4dda-aec3-cb9272f09590 --resource-group mytest1 -n myweb2

ssh [email protected] -p 43147

apt install git
git clone https://github.com/jiasli/azure-cli --branch webapp-mi --depth 1
apt-get install python3-venv
python3 -m venv py
. py/bin/activate
pip install -U pip
pip install azdev
azdev setup -c
az login --identity --debug

[yonzhan]

Core

[jiasli]

Debug log shows:

cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '11/09/2021 06:52:28 +00:00' -> 1636440748

[waylew-lexis]

Hello, Im still seeing this issue with latest version of cli (v2.30) on container app service using system managed identity
]
ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: invalid literal for int() with base 10: '11/19/2021 19:04:42 +00:00'
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/knack/cli.py", line 231, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib/python3.8/site-packages/azure/cli/core/commands/init.py", line 657, in execute
raise ex
File "/usr/lib/python3.8/site-packages/azure/cli/core/commands/init.py", line 720, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib/python3.8/site-packages/azure/cli/core/commands/init.py", line 691, in _run_job
result = cmd_copy(params)
File "/usr/lib/python3.8/site-packages/azure/cli/core/commands/init.py", line 328, in call
return self.handler(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib/python3.8/site-packages/azure/cli/command_modules/profile/custom.py", line 84, in get_access_token
token_entry['expiresOn'] = _fromtimestamp(int(token_entry['expires_on']))
ValueError: invalid literal for int() with base 10: '11/19/2021 19:04:42 +00:00'
To open an issue, please run: 'az feedback'

[jiasli]

This PR will be released with Azure CLI 2.31.0 on 12/07/2021.

[jiasli]

Unfortunately, this solution doesn't work for Python 3.6:

> docker run -it --rm python:3.6

>>> import datetime
>>> datetime.datetime.strptime('12/30/2021 07:53:52 +00:00', '%m/%d/%Y %H:%M:%S %z')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/_strptime.py", line 565, in _strptime_datetime
    tt, fraction = _strptime(data_string, format)
  File "/usr/local/lib/python3.6/_strptime.py", line 362, in _strptime
    (data_string, format))
ValueError: time data '12/30/2021 07:53:52 +00:00' does not match format '%m/%d/%Y %H:%M:%S %z'

>>> datetime.datetime.strptime('12/30/2021 07:53:52 +0000', '%m/%d/%Y %H:%M:%S %z')
datetime.datetime(2021, 12, 30, 7, 53, 52, tzinfo=datetime.timezone.utc)

which means az login --identity with managed identity in App Service container still doesn't work with DEB, RPM packages, etc.

https://docs.python.org/3/library/datetime.html#technical-detail

Changed in version 3.7: When the %z directive is provided to the strptime() method, the UTC offsets can have a colon as a separator between hours, minutes and seconds. For example, '+01:00:00' will be parsed as an offset of one hour. In addition, providing 'Z' is identical to '+00:00'.

Will work on bumping Python version in #20857.

[jiasli]

This example response was retrieved on a Linux App Service.

It has been reported that managed identity on Windows App Service returns expires_on in a different format:

"expires_on":"8/5/2023 9:13:43 AM +00:00"

causing Azure CLI to fail with

time data '8/3/2023 9:26:33 AM +0000' does not match format '%m/%d/%Y %H:%M:%S %z'

In my opinion, App Service should guarantee the responses of managed identity get token requests targeting the same API version 2017-09-01 are consistent between Windows and Linux.