From b61259d2a510434009711232095b1b5fb9fdd642 Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Mon, 21 Jun 2021 15:10:07 -0700 Subject: [PATCH] expose exception when IMDS doesn't respond --- .../azure/identity/_credentials/imds.py | 26 +++++++++---------- .../azure/identity/aio/_credentials/imds.py | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/imds.py b/sdk/identity/azure-identity/azure/identity/_credentials/imds.py index 291a9387ebd4..8983d120fda3 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/imds.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/imds.py @@ -2,7 +2,6 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -import logging import os from typing import TYPE_CHECKING @@ -21,8 +20,6 @@ from typing import Any, Optional from azure.core.credentials import AccessToken -_LOGGER = logging.getLogger(__name__) - IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token" PIPELINE_SETTINGS = { @@ -51,6 +48,7 @@ def __init__(self, **kwargs): self._endpoint_available = True # type: Optional[bool] else: self._endpoint_available = None + self._error_message = None # type: Optional[str] self._user_assigned_identity = "client_id" in kwargs or "identity_config" in kwargs def _acquire_token_silently(self, *scopes): @@ -67,16 +65,18 @@ def _request_token(self, *scopes, **kwargs): # pylint:disable=unused-argument self._client.request_token(*scopes, connection_timeout=0.3, retry_total=0) self._endpoint_available = True except HttpResponseError: - # received a response, choked on it + # IMDS responded self._endpoint_available = True - except Exception: # pylint:disable=broad-except + except Exception as ex: # pylint:disable=broad-except # if anything else was raised, assume the endpoint is unavailable self._endpoint_available = False - _LOGGER.info("No response from the IMDS endpoint.") + self._error_message = ( + "ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint." + ) + six.raise_from(CredentialUnavailableError(self._error_message), ex) if not self._endpoint_available: - message = "ManagedIdentityCredential authentication unavailable, no managed identity endpoint found." - raise CredentialUnavailableError(message=message) + raise CredentialUnavailableError(self._error_message) try: token = self._client.request_token(*scopes, headers={"Metadata": "true"}) @@ -85,13 +85,13 @@ def _request_token(self, *scopes, **kwargs): # pylint:disable=unused-argument # or the identity with the specified client_id is not available if ex.status_code == 400: self._endpoint_available = False - message = "ManagedIdentityCredential authentication unavailable. " + self._error_message = "ManagedIdentityCredential authentication unavailable. " if self._user_assigned_identity: - message += "The requested identity has not been assigned to this resource." + self._error_message += "The requested identity has not been assigned to this resource." else: - message += "No identity has been assigned to this resource." - six.raise_from(CredentialUnavailableError(message=message), ex) + self._error_message += "No identity has been assigned to this resource." + six.raise_from(CredentialUnavailableError(message=self._error_message), ex) # any other error is unexpected - six.raise_from(ClientAuthenticationError(message=ex.message, response=ex.response), None) + six.raise_from(ClientAuthenticationError(message=ex.message, response=ex.response), ex) return token diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py index 628e9e7dfb76..81dd2812c467 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py @@ -2,7 +2,6 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -import logging import os from typing import TYPE_CHECKING @@ -19,8 +18,6 @@ from typing import Any, Optional from azure.core.credentials import AccessToken -_LOGGER = logging.getLogger(__name__) - class ImdsCredential(AsyncContextManager, GetTokenMixin): def __init__(self, **kwargs: "Any") -> None: @@ -31,6 +28,7 @@ def __init__(self, **kwargs: "Any") -> None: self._endpoint_available = True # type: Optional[bool] else: self._endpoint_available = None + self._error_message = None # type: Optional[str] self._user_assigned_identity = "client_id" in kwargs or "identity_config" in kwargs async def close(self) -> None: @@ -48,16 +46,18 @@ async def _request_token(self, *scopes, **kwargs: "Any") -> "AccessToken": # py await self._client.request_token(*scopes, connection_timeout=0.3, retry_total=0) self._endpoint_available = True except HttpResponseError: - # received a response, choked on it + # IMDS responded self._endpoint_available = True - except Exception: # pylint:disable=broad-except + except Exception as ex: # pylint:disable=broad-except # if anything else was raised, assume the endpoint is unavailable self._endpoint_available = False - _LOGGER.info("No response from the IMDS endpoint.") + self._error_message = ( + "ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint." + ) + raise CredentialUnavailableError(message=self._error_message) from ex if not self._endpoint_available: - message = "ManagedIdentityCredential authentication unavailable, no managed identity endpoint found." - raise CredentialUnavailableError(message=message) + raise CredentialUnavailableError(message=self._error_message) try: token = await self._client.request_token(*scopes, headers={"Metadata": "true"}) @@ -66,13 +66,13 @@ async def _request_token(self, *scopes, **kwargs: "Any") -> "AccessToken": # py # or the identity with the specified client_id is not available if ex.status_code == 400: self._endpoint_available = False - message = "ManagedIdentityCredential authentication unavailable. " + self._error_message = "ManagedIdentityCredential authentication unavailable. " if self._user_assigned_identity: - message += "The requested identity has not been assigned to this resource." + self._error_message += "The requested identity has not been assigned to this resource." else: - message += "No identity has been assigned to this resource." - raise CredentialUnavailableError(message=message) from ex + self._error_message += "No identity has been assigned to this resource." + raise CredentialUnavailableError(message=self._error_message) from ex # any other error is unexpected - raise ClientAuthenticationError(message=ex.message, response=ex.response) from None + raise ClientAuthenticationError(message=ex.message, response=ex.response) from ex return token