
Add identity logging to ARM token exchange through IMDS #111

Open. Copilot wants to merge 3 commits into main from copilot/fix-110


Conversation


Copilot AI commented Jun 6, 2025

This PR adds logging to show what identity is being used when performing token exchange through IMDS (Instance Metadata Service), making it easier to debug authentication issues.

Changes Made

Enhanced Token Exchange Logging

The ARMTokenForBinding function now logs the specific identity being used for authentication:

  • Managed Identity with ClientID: Logs the specific client ID being used
  • Managed Identity with ResourceID: Logs the specific resource ID being used
  • System-assigned Managed Identity: Indicates when system-assigned identity is used
  • Workload Identity: Logs the tenant ID and client ID being used

Example Log Output

INFO Attempting token exchange through IMDS using managed identity clientID="1b461305-28be-5271-beda-bd9fd2e24251"
INFO Attempting token exchange through IMDS using managed identity resourceID="/subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251"
INFO Attempting token exchange through IMDS using system-assigned managed identity
INFO Attempting token exchange using workload identity tenantID="72f988bf-86f1-41af-91ab-2d7cd011db47" clientID="1b461305-28be-5271-beda-bd9fd2e24251"

Technical Implementation

  • Modified the armTokenFetcher function type to include a logr.Logger parameter
  • Updated ARMTokenForBinding function signature to accept and use the logger
  • Enhanced CreatePullCredential function to pass logger context through the call chain
  • Updated all related test functions to match the new signatures
  • All existing tests continue to pass

This provides much-needed visibility into which identity is being used during token exchange operations, helping operators troubleshoot authentication issues more effectively.

Fixes #110.
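As an added illustration of the identity-selection logic the description lists (this is example code, not the PR's own diff or the project's code), the following Go program decides which of the four identity sources a token exchange would use and emits one log line for it. The `IdentityLogger` interface, the `IdentityConfig` type and the `describeIdentity`/`LogIdentity` functions are assumptions for the example; only the logr-style `Info(msg, keysAndValues...)` signature and the four message shapes come from the PR description. Treating "both clientID and resourceID set" as a configuration error is this example's choice, not something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IdentityLogger is the slice of the logr.Logger API this example relies on:
// Info takes a message followed by alternating key/value pairs. A real
// logr.Logger satisfies this interface; defining it locally keeps the example
// free of the logr dependency (an assumption, not the project's own type).
type IdentityLogger interface {
	Info(msg string, keysAndValues ...interface{})
}

// IdentityConfig is a hypothetical stand-in for the binding/credential
// configuration that ARMTokenForBinding reads; the PR's real type is not shown.
type IdentityConfig struct {
	ClientID            string // user-assigned managed identity, selected by client ID
	ResourceID          string // user-assigned managed identity, selected by ARM resource ID
	UseWorkloadIdentity bool   // federated (workload) identity instead of IMDS
	WorkloadTenantID    string
	WorkloadClientID    string
}

// describeIdentity decides which identity the exchange will use and returns
// the log message plus key/value pairs, mirroring the four log lines in the
// PR description. Only identifiers are returned, never tokens or secrets, so
// the output is safe to ship to a central log pipeline.
func describeIdentity(cfg IdentityConfig) (string, []interface{}, error) {
	switch {
	case cfg.UseWorkloadIdentity:
		if cfg.WorkloadTenantID == "" || cfg.WorkloadClientID == "" {
			return "", nil, errors.New("workload identity selected but tenantID or clientID is empty")
		}
		return "Attempting token exchange using workload identity",
			[]interface{}{"tenantID", cfg.WorkloadTenantID, "clientID", cfg.WorkloadClientID}, nil
	case cfg.ClientID != "" && cfg.ResourceID != "":
		// Two selectors name two possibly different identities; rejecting this
		// before any IMDS call is this example's choice (assumption).
		return "", nil, errors.New("clientID and resourceID are both set; pick one identity selector")
	case cfg.ClientID != "":
		return "Attempting token exchange through IMDS using managed identity",
			[]interface{}{"clientID", cfg.ClientID}, nil
	case cfg.ResourceID != "":
		return "Attempting token exchange through IMDS using managed identity",
			[]interface{}{"resourceID", cfg.ResourceID}, nil
	default:
		// No selector at all: IMDS falls back to the system-assigned identity.
		return "Attempting token exchange through IMDS using system-assigned managed identity", nil, nil
	}
}

// LogIdentity is the call a function like ARMTokenForBinding would make just
// before contacting IMDS, so the identity in use is on record even when the
// exchange itself later fails.
func LogIdentity(log IdentityLogger, cfg IdentityConfig) error {
	msg, kv, err := describeIdentity(cfg)
	if err != nil {
		return err
	}
	log.Info(msg, kv...)
	return nil
}

// recordingLogger is a minimal IdentityLogger that renders entries in the
// same key="value" style as the sample output above, so they can be checked.
type recordingLogger struct{ Lines []string }

func (r *recordingLogger) Info(msg string, keysAndValues ...interface{}) {
	var b strings.Builder
	b.WriteString(msg)
	for i := 0; i+1 < len(keysAndValues); i += 2 {
		fmt.Fprintf(&b, " %v=%q", keysAndValues[i], keysAndValues[i+1])
	}
	r.Lines = append(r.Lines, b.String())
}

func main() {
	// Constructed sample configurations; the IDs are the ones quoted in the PR description.
	samples := []IdentityConfig{
		{ClientID: "1b461305-28be-5271-beda-bd9fd2e24251"},
		{ResourceID: "/subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251"},
		{}, // nothing selected: system-assigned identity
		{UseWorkloadIdentity: true, WorkloadTenantID: "72f988bf-86f1-41af-91ab-2d7cd011db47", WorkloadClientID: "1b461305-28be-5271-beda-bd9fd2e24251"},
		{ClientID: "a", ResourceID: "b"}, // misconfiguration: rejected before any IMDS call
	}
	rl := &recordingLogger{}
	for _, cfg := range samples {
		if err := LogIdentity(rl, cfg); err != nil {
			fmt.Println("ERROR", err)
		}
	}
	for _, line := range rl.Lines {
		fmt.Println("INFO", line)
	}
}
```

The point of returning the key/value pairs rather than logging inline is that the branch choice becomes unit-testable without a logr backend, and the single log call sits before the network request, which is what makes the line useful when the exchange fails.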


Copilot AI and others added 2 commits June 6, 2025 22:36
Co-authored-by: matucker-msft <77026928+matucker-msft@users.noreply.github.com>
Co-authored-by: matucker-msft <77026928+matucker-msft@users.noreply.github.com>
Copilot AI changed the title [WIP] Log what identity you are trying to login with when doing the token exchange Add identity logging to ARM token exchange through IMDS Jun 6, 2025
Copilot AI requested a review from matucker-msft June 6, 2025 22:38

@matucker-msft matucker-msft left a comment


I really have nothing to say. Copilot did this well and plumbed the logger through to all the places, and at least gave us the exact log line we wanted while debugging an issue today. This passes my sniff test, but I need 2 more approvals because this is a Copilot PR :D

@matucker-msft matucker-msft marked this pull request as ready for review June 7, 2025 01:05