Incorrect MSI API version when running inside azure function apps #1023

Open
pcc-damatj opened this issue Apr 18, 2024 · 1 comment
Labels
kind/bug Some behavior is incorrect or out of spec needs-azidentity https://docs.google.com/document/d/1utrtDz3AiJ1d7hmkcU3J8MJ3POstG6ypWh0Rb3zi_dM/edit?usp=sharing

Comments

@pcc-damatj

What happened?

I am trying to run Pulumi from within an Azure function application using managed identity.

The typical IMDS endpoint does not work for function apps, which is normal for function apps.

    building client: unable to obtain access token: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: Get "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com": GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.microsoft.com giving up after 5 attempt(s):

Setting useMsi to process.env.MSI_ENDPOINT gets me past the initial error. It seems like this msiEndpoint has a different supported API version. It seems to want "2017-09-01": https://learn.microsoft.com/en-us/javascript/api/@azure/ms-rest-nodeauth/msiappservicetokencredentials?view=azure-node-latest#@azure-ms-rest-nodeauth-msiappservicetokencredentials-msiapiversion

        * building client: unable to obtain access token: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://169.254.129.6:8081/msi/token' does not support the API version '2018-02-01'.","innerError":null}}

Is there a way to configure apiVersion for these authentication calls? I can't find anything in the docs/codebase for this.

Example

    if (process.env.WEBSITE_SITE_NAME && process.env.WEBSITE_SITE_NAME !== "") {
        await stack.setConfig("azuread:useMsi", { value: "true" });
        await stack.setConfig("azuread:msiEndpoint", { value: process.env.MSI_ENDPOINT });
    } else {
        await stack.setConfig("azuread:clientId", { value: process.env.AZURE_CLIENT_ID });
        await stack.setConfig("azuread:clientSecret", { value: process.env.AZURE_CLIENT_SECRET });
        await stack.setConfig("azuread:tenantId", { value: process.env.AZURE_TENANT_ID });
    }
    await stack.preview({ onOutput: console.info, diff: true});

Output of pulumi about

CLI
Version 3.113.0
Go Version go1.22.2
Go Compiler gc

Plugins
NAME VERSION
nodejs unknown

Host
OS debian
Version 11.9
Arch x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v18.20.1'

Backend
Name a4c896056958
URL azblob://
User root
Organizations
Token type personal

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@pcc-damatj pcc-damatj added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 18, 2024
@thomas11
Contributor

Hi @pcc-damatj, unfortunately, we don't have a way to customize this API version currently. The issue exists in the third-party authentication library that we use, so it's not easy to fix for us. Terraform users have the same problem.

We are, however, planning to migrate to the newer, official azidentity for authentication soon, which does support App Service/Azure Functions, although they use API version "2019-08-01" for it.

@thomas11 thomas11 added needs-azidentity https://docs.google.com/document/d/1utrtDz3AiJ1d7hmkcU3J8MJ3POstG6ypWh0Rb3zi_dM/edit?usp=sharing and removed needs-triage Needs attention from the triage team labels Apr 19, 2024
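
The three token request shapes discussed in this thread, side by side, as an added example that is not part of the original issue or of Pulumi's code. It assumes Azure's documented `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` and `MSI_ENDPOINT`/`MSI_SECRET` environment variables; the function names are hypothetical, and nothing here makes a network call.

```javascript
// Added example: builds requests only; the caller supplies env (e.g. process.env).
const IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token";

// Pick the managed identity protocol from the environment variables present.
function buildTokenRequest(env, resource) {
    const query = (apiVersion) =>
        "?" + new URLSearchParams({ "api-version": apiVersion, resource }).toString();
    // App Service / Functions, newer protocol (the version azidentity uses).
    if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
        return {
            source: "appservice-2019-08-01",
            url: env.IDENTITY_ENDPOINT + query("2019-08-01"),
            headers: { "X-IDENTITY-HEADER": env.IDENTITY_HEADER },
        };
    }
    // App Service / Functions, legacy protocol (the version the issue reports).
    if (env.MSI_ENDPOINT && env.MSI_SECRET) {
        return {
            source: "appservice-2017-09-01",
            url: env.MSI_ENDPOINT + query("2017-09-01"),
            headers: { secret: env.MSI_SECRET },
        };
    }
    // No per-app endpoint: VM-style IMDS, which is unreachable from a function app.
    return {
        source: "imds-2018-02-01",
        url: IMDS_URL + query("2018-02-01"),
        headers: { Metadata: "true" },
    };
}

// Recognise the HTTP 400 body shown in the issue, so a caller can report a
// protocol mismatch instead of retrying.
function isUnsupportedApiVersion(status, body) {
    if (status !== 400) return false;
    try {
        return JSON.parse(body)?.error?.code === "UnsupportedApiVersion";
    } catch {
        return false; // non-JSON body: some other failure
    }
}

// The per-app header value is a credential for the local token endpoint;
// replace it before the request is written to logs or pasted into an issue.
function redactForLog(req) {
    const headers = Object.fromEntries(Object.entries(req.headers)
        .map(([k, v]) => [k, k === "Metadata" ? v : "<redacted>"]));
    return { ...req, headers };
}
```

Calling `buildTokenRequest(process.env, "https://graph.microsoft.com")` inside the function app and logging `redactForLog(...)` of the result shows which protocol the host actually offers.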