Include response body in IMDS 400 error message (#21351)

Azure · Aug 14, 2023 · 6e69b23 · 6e69b23
1 parent 4b91f97
commit 6e69b23
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/sdk/azidentity/managed_identity_client.go b/sdk/azidentity/managed_identity_client.go
@@ -179,7 +179,11 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 		if id != nil {
 			return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
 		}
-		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
+		msg := "failed to authenticate a system assigned identity"
+		if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
+			msg += fmt.Sprintf(". The endpoint responded with %s", body)
+		}
+		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
 	}
 
 	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)

diff --git a/sdk/azidentity/managed_identity_client_test.go b/sdk/azidentity/managed_identity_client_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/mock"
 )
 
 type userAgentValidatingPolicy struct {
@@ -75,6 +76,26 @@ func TestManagedIdentityClient_ApplicationID(t *testing.T) {
 	}
 }
 
+func TestManagedIdentityClient_IMDS400(t *testing.T) {
+	srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
+	defer close()
+	body := `{"error":"invalid_request","error_description":"Identity not found"}`
+	srv.SetResponse(mock.WithBody([]byte(body)), mock.WithStatusCode(http.StatusBadRequest))
+	client, err := newManagedIdentityClient(&ManagedIdentityCredentialOptions{
+		ClientOptions: azcore.ClientOptions{Transport: srv},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = client.authenticate(context.Background(), nil, testTRO.Scopes)
+	if err == nil {
+		t.Fatal("expected an error")
+	}
+	if actual := err.Error(); !strings.Contains(actual, body) {
+		t.Fatalf("expected response body in error, got %q", actual)
+	}
+}
+
 func TestManagedIdentityClient_UserAssignedIDWarning(t *testing.T) {
 	for _, test := range []struct {
 		name          string