Include response body in IMDS 400 error message (#21351)

chlowell · web-flow · commit 6e69b230b2de · 2023-08-14T15:35:30.000Z
diff --git a/sdk/azidentity/managed_identity_client.go b/sdk/azidentity/managed_identity_client.go
@@ -179,7 +179,11 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 		if id != nil {
 			return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
 		}
-		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
+		msg := "failed to authenticate a system assigned identity"
+		if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
+			msg += fmt.Sprintf(". The endpoint responded with %s", body)
+		}
+		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
 	}
 
 	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
diff --git a/sdk/azidentity/managed_identity_client_test.go b/sdk/azidentity/managed_identity_client_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/mock"
 )
 
 type userAgentValidatingPolicy struct {
@@ -75,6 +76,26 @@ func TestManagedIdentityClient_ApplicationID(t *testing.T) {
 	}
 }
 
+func TestManagedIdentityClient_IMDS400(t *testing.T) {
+	srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
+	defer close()
+	body := `{"error":"invalid_request","error_description":"Identity not found"}`
+	srv.SetResponse(mock.WithBody([]byte(body)), mock.WithStatusCode(http.StatusBadRequest))
+	client, err := newManagedIdentityClient(&ManagedIdentityCredentialOptions{
+		ClientOptions: azcore.ClientOptions{Transport: srv},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = client.authenticate(context.Background(), nil, testTRO.Scopes)
+	if err == nil {
+		t.Fatal("expected an error")
+	}
+	if actual := err.Error(); !strings.Contains(actual, body) {
+		t.Fatalf("expected response body in error, got %q", actual)
+	}
+}
+
 func TestManagedIdentityClient_UserAssignedIDWarning(t *testing.T) {
 	for _, test := range []struct {
 		name          string

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,11 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi`
`179`	`179`	`if id != nil {`
`180`	`180`	`return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)`
`181`	`181`	`}`
`182`		`- return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")`
	`182`	`+ msg := "failed to authenticate a system assigned identity"`
	`183`	`+ if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {`
	`184`	`+ msg += fmt.Sprintf(". The endpoint responded with %s", body)`
	`185`	`+ }`
	`186`	`+ return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)`
`183`	`187`	`}`
`184`	`188`
`185`	`189`	`return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)`