az login with user assigned managed identity showing as system assigned managed identity #28343

@luojunh

Describe the bug

When only one user-assigned managed identity is added to a VM, az login --identity succeeds, and a token can be retrieved using az account get-access-token. Decoding the access token shows that the token is based on the user-assigned managed identity.

However, the az login --identity result shows that the managed identity type is system assigned.

Related command

az login --identity

Errors

The identity type is displayed incorrectly.

Issue script & Debug output

az_command_data_logger: command args: login --identity --allow-no-subscriptions --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x044BD758>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x044BD848>, <function register_cache_arguments..add_cache_arguments at 0x044CAA28>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x023A7AC8>, <function CLIQuery.handle_query_parameter at 0x023C8898>, <function register_ids_argument..parse_ids_arguments at 0x044CA9D8>]
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1967
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
cli.azure.cli.core._profile: MSI: token was retrieved. Now trying to initialize local accounts...
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msrestazure.azure_active_directory: MSI: token is found in cache.
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1707533948' -> 1707533948
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions?api-version=2019-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '38e43219-c6f7-11ee-932b-002248190a60'
cli.azure.cli.core.sdk.policies: 'CommandName': 'login'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--identity --allow-no-subscriptions --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.57.0 (MSI) azsdk-python-azure-mgmt-resource/23.1.0b2 Python/3.11.7 (Windows-10-10.0.22000-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions?api-version=2019-11-01 HTTP/1.1" 200 47
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '47'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-tenant-reads': '11999'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '5043160e-4620-45ff-a57f-1b9637c11b87'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '5043160e-4620-45ff-a57f-1b9637c11b87'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'EASTASIA:20240209T025922Z:5043160e-4620-45ff-a57f-1b9637c11b87'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 0640F129DDEE4064890898EF850830C0 Ref B: SEL221051504025 Ref C: 2024-02-09T02:59:22Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Fri, 09 Feb 2024 02:59:21 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[],"count":{"type":"Total","value":0}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x044BD078>, <function _x509_from_base64_to_hex_transform at 0x044BD0C8>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
[
  {
    "environmentName": "AzureCloud",
    "id": "31e4e04f-93cb-40d4-989a-0aab75727327",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "31e4e04f-93cb-40d4-989a-0aab75727327",
    "user": {
      "assignedIdentityInfo": "MSI",
      "name": "systemAssignedIdentity",
      "type": "servicePrincipal"
    }
  }
]
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0448E758>]
az_command_data_logger: exit code: 0

Expected behavior

Correct the managed identity type.

Environment Summary

az version
{
  "azure-cli": "2.57.0",
  "azure-cli-core": "2.57.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}

It can be reproduced in different versions.

Additional context

No response
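
The check the report describes (decoding the access token to see which identity it was issued for) can be scripted. The following is an added example, not part of the original issue and not Azure CLI code; it assumes the token carries an `xms_mirid` claim holding the ARM resource ID behind the identity, and the sample tokens and resource names are constructed.

```python
import base64
import json


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_managed_identity(claims: dict) -> str:
    """Classify by the xms_mirid claim (assumption: it holds the ARM resource ID
    of the resource backing the identity)."""
    mirid = (claims.get("xms_mirid") or "").lower()
    if "/providers/microsoft.managedidentity/userassignedidentities/" in mirid:
        return "userAssigned"
    if mirid:
        return "systemAssigned"  # e.g. the VM's own resource ID
    return "unknown"


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample resource IDs (placeholder subscription, group and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo"
USER_TOKEN = _constructed_token({
    "xms_mirid": SUB + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-demo",
})
SYSTEM_TOKEN = _constructed_token({
    "xms_mirid": SUB + "/providers/Microsoft.Compute/virtualMachines/vm-demo",
})

if __name__ == "__main__":
    for label, tok in (("user", USER_TOKEN), ("system", SYSTEM_TOKEN)):
        print(label, "->", classify_managed_identity(decode_jwt_claims(tok)))
```

On the VM, the token to inspect comes from `az account get-access-token`; the result can then be compared with the `user.name` field that `az login --identity` prints.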

Labels

Account: az login/account
Auto-Assign: Auto assign by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
act-identity-squad
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
