[BUG] https://azconfig.io is a disallowed token scope for cloud shell managed identity
To Reproduce
curl 'http://localhost:50342/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fazconfig.io%2F' -H Metadata:true
Observed Behavior
{"error":{"code":"AudienceNotSupported","message":"Audience https://azconfig.io/ is not a supported MSI token audience."}}
Expected behavior
An access token is returned.
Is this specific to Cloud Shell?
This is Cloud Shell-specific and looks like limitation #1 stated in https://edyoung.github.io/blog/cloud_shell_auth/, which suggests filing an issue against this repository can get this scope allowlisted.
Interface information
Edge (Stable Channel) on Windows 11
Additional context
https://azconfig.io (and I believe also https://your-config-store-name.azconfig.io) are audiences used by Azure App Configuration: https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-azure-ad#audience. As it stands now, this issue blocks using the App Configuration REST API or Client SDKs from Cloud Shell.
Looks like Cloud Shell is missing the specific MSI token needed here. Will be looking at designs that cover this and other MSI token issues. Thank you for reporting this bug.
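A diagnostic sketch of the reproduction above, added here as an example and not taken from the issue or from Cloud Shell's own code: it requests a token per audience from the endpoint in the curl command, separates the `AudienceNotSupported` error from success, and on success reports the token's `aud` claim. The function names and the `access_token` response field are assumptions; the claim is decoded for display only, without signature verification.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

# Endpoint and api-version are copied from the curl command in the issue.
ENDPOINT = "http://localhost:50342/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def token_url(resource):
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    return f"{ENDPOINT}?{query}"

def jwt_claims(token):
    """Decode a JWT payload for diagnostics only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(resource, body):
    """Map one response body to (status, detail)."""
    try:
        doc = json.loads(body)
        err = doc.get("error")
    except (ValueError, AttributeError):
        return ("unparseable", body[:80])
    if isinstance(err, dict):  # error shape shown under "Observed Behavior"
        return (err.get("code", "error"), err.get("message", ""))
    token = doc.get("access_token")  # assumed field name for the success case
    if not token:
        return ("no-token", "")
    try:
        aud = str(jwt_claims(token).get("aud", ""))
    except (IndexError, ValueError, AttributeError):
        return ("opaque-token", "")
    # A differing audience is reported for the operator to review.
    same = aud.rstrip("/") == resource.rstrip("/")
    return ("ok" if same else "audience-mismatch", aud)

def probe(resource, timeout=5):
    req = urllib.request.Request(token_url(resource), headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as exc:  # error body may arrive with a 4xx status
        body = exc.read().decode()
    except urllib.error.URLError as exc:   # not running inside Cloud Shell
        return ("unreachable", str(exc.reason))
    return classify(resource, body)

if __name__ == "__main__":
    for res in ("https://management.azure.com/", "https://azconfig.io/"):
        print(res, *probe(res))
```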