1.0.2 authentication issue in pipeline #154

Open
akcrisp opened this issue Feb 13, 2024 · 3 comments

akcrisp commented Feb 13, 2024

All, upgraded the plugin version to 1.0.2 and now get authentication issues being reported. Note 1.0.1 works fine.

I am using a token to log in to ACR to sign the image. The pipeline is a service principal and the step in the ADO pipeline is using PowerShell. I have tried setting the env variables for username and password as well as directly using the username and password options - both give the same result.

Code (snippet) -

          $token_user = "00000000-0000-0000-0000-000000000000"

          - pwsh: |           
              $key_id = $(az keyvault certificate show -n $(dev_cert) --vault-name $(cert_akv) --query 'kid' -o tsv)
              $image_details = $(az acr repository show -n $(ingressacr) --image ${{ parameters.target_image_repository }}/${{ parameters.target_image_name }} | ConvertFrom-Json)
              $image="$(image_repo)@"+$image_details.digest
              $token = $(az acr login --name $(ingressacr) --expose-token --output tsv --query accessToken)
              notation sign -u $(token_user) -p $token --signature-format cose --id $key_id --plugin azure-kv --plugin-config self_signed=true $image

What I now get is -

Error: describe-key command failed: ERROR: ManagedIdentityCredential authentication failed: Service request failed.
Status: 404 (Not Found)

Content:
no azure identity found for request clientID 


Headers:
X-Content-Type-Options: REDACTED
Date: Mon, 12 Feb 2024 15:48:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 46

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

I assume this is related to the following update in 1.0.2?

Updated Azure.identity to v1.10.4 (#145)

Putting it back to 1.0.1 of plugin and it works fine again.

Andy


akashsinghal commented Feb 13, 2024

This is most likely due to an Azure.Identity issue (not 100% sure though). This issue seems relevant: Azure/azure-sdk-for-net#39532 (comment). The workaround provided in the discussion may not be sufficient for notation's use case since we do want to support ManagedIdentityCredential for other use cases.

@akashsinghal

@akcrisp we are still looking into the issue and having trouble reproducing the issue you are facing. Could you share some more details about where your pipeline is hosted? Are the runs run directly on Azure VMs? Or do you have an AKS cluster managing the pipeline jobs? If an AKS cluster, does it have Pod identity enabled?

JeyJeyGao added a commit that referenced this issue Apr 11, 2024
Feat:
- added credential_type plugin config key
- supported credential type: default, environment, managedidentity,
azurecli

Test:
- unit test cases
- e2e test cases
- tested environment credential, workload identity credential, managed
identity in pod of AKS
- tested Azure cli credential locally

Resolves #146 #154 
Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>

yizha1 (Collaborator) commented Apr 26, 2024

@akcrisp Would you mind trying the latest release v1.1.0 to see whether it solves your problem? In this release you can set a plugin configuration named credential_type to the credential type you want to use for AKV authentication. Here is the document: https://github.com/Azure/notation-azure-kv/blob/v1.1.0/docs/plugin-config.md#credential_type

You can use the following command to update to the latest version of the plugin:

notation plugin install --url https://github.com/Azure/notation-azure-kv/releases/download/v1.1.0/notation-azure-kv_1.1.0_linux_amd64.tar.gz --sha256sum 2fc959bf850275246b044203609202329d015005574fabbf3e6393345e49b884
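
An added example, not part of the thread or of the project's documentation: the reporter's signing step on v1.1.0 with `credential_type` set to `azurecli` (one of the types named in the commit message above), so that the plugin authenticates to Key Vault with the step's existing Azure CLI login. All variable values are constructed placeholders, and it assumes the `az` session in the step can read the Key Vault certificate.

```powershell
# Constructed placeholder values; replace with your pipeline's variables.
$registry  = "<registry-name>"
$image     = "<registry-name>.azurecr.io/<repository>@sha256:<digest>"
$vault     = "<key-vault-name>"
$certName  = "<certificate-name>"

# Fail early if this step has no Azure CLI login for the plugin to reuse.
az account show --output none
if ($LASTEXITCODE -ne 0) { throw "No Azure CLI login available in this step." }

$keyId = az keyvault certificate show -n $certName --vault-name $vault --query kid -o tsv
if ($LASTEXITCODE -ne 0 -or -not $keyId) { throw "Could not resolve the Key Vault key id." }

# Registry credentials go through notation's environment variables rather
# than -u/-p, which keeps the ACR token out of the process command line.
$env:NOTATION_USERNAME = "00000000-0000-0000-0000-000000000000"
$env:NOTATION_PASSWORD = az acr login --name $registry --expose-token --output tsv --query accessToken

try {
    # credential_type=azurecli selects the Azure CLI login for Key Vault
    # authentication instead of leaving the choice to the default chain.
    notation sign --signature-format cose --id $keyId `
        --plugin azure-kv `
        --plugin-config self_signed=true `
        --plugin-config credential_type=azurecli `
        $image
    if ($LASTEXITCODE -ne 0) { throw "notation sign failed with exit code $LASTEXITCODE" }
}
finally {
    # Do not leave the registry token in the environment for later steps.
    Remove-Item Env:NOTATION_USERNAME, Env:NOTATION_PASSWORD -ErrorAction SilentlyContinue
}
```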
