Improve Error Handling for 'az login --identity; with Multiple Assigned Identities

[jovieir]

Related command

az login --identity

Description

This PR improves login error handling for situations where multiple identities are assigned to a resource by surfacing the error_description returned by ARM in the HTTPError response body. The current CLI logic for az login --identity returns a 400 Bad Request error without surfacing the actual error, making it unactionable for the user.

According to the Azure Instance Metadata Service (IMDS) documentation:

• If another user assigned managed identity is assigned to the resource for any reason, your requests to IMDS will start failing with the error "Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request." We highly recommend you explicitly specify an identity in your request, even if only one user assigned managed identity currently exists for the resource.

Services like AKS make use of this, where the enablement of certain features creates a secondary identity. Doing so will cause AKS nodes and pods to no longer be authenticate to Azure resources simply by running az login --identity, returning a generic 'Failed to connect to MSI' error message.

During tests, I noticed the error object returned from the MSRestAzure library does not include the response body. Adding stream=True to the request mitigated, but this library has been deprecated and is read-only. Because of this, I've added the logic to replay the request and extract the error_description in the adal_authentication file.

Testing Guide

1. Create an AKS cluster az aks create --resource-group <rgName>--name <cluster_name> --kubernetes-version 1.31.5 --enable-cluster-autoscaler --min-count 1 --max-count 30 --auto-upgrade-channel stable --node-count 1 --node-vm-size Standard_E4bs_v5 --network-plugin kubenet --vnet-subnet-id $SUBNET_ID --node-osdisk-size 128 --enable-managed-identity --enable-addons monitoring --max-pods 250 --enable-node-public-ip --generate-ssh-keys --tier Standard
2. SSH into a node/pod and run az login --identity to observe it's working.
3. Enable the Cost Analysis add-on az aks update -g <rgName> -n <cluster_name> --enable-cost-analysis
4. Run az login --identity and observe the 400 Bad Request error.
5. Apply the changes from this PR.
6. Run az login --identity again and observe the error message now includes additional error details:
   ERROR: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned http error: 400, reason: Bad Request, details: Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request

History Notes

[Azure CLI] Append HTTPError response body to error message for az login --identity command when multiple identities are present.

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[jiasli]

Thanks for the contribution.

az login --identity is only used for system-assigned managed identity.

For user-assigned managed identity, we explicitly added --client-id, --object-id and --resource-id (#30525) and they must be provided. This is clarified by #29198 and https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-managed-identity.

Meanwhile, we are migrating managed identity authentication from msrestrest to MSAL (#25959). The target is Build release, so we do not want to make changes to the legacy code anymore, but I will keep this in mind while working on #25959.