Support VMSS Flex Authentications #62

Closed
dkiser opened this issue Sep 30, 2022 · 4 comments · Fixed by #63
Comments

dkiser commented Sep 30, 2022

Desired Behavior
As a vault-plugin-auth-azure user, I Should Be Able to provide instance identity credentials from a VMSS Flex Virtual Machine to the login endpoint So That I Can access Vault resources from VMSS Flex VMs in addition to VMSS VMs.

Error Shown
token object id does not match virtual machine identities from here

Steps to reproduce

  1. Install/configure the vault-plugin-auth-azure plugin
  2. Create a VMSS Flex definition in Azure and launch VMs from this definition
  3. Create a role for a VMSS to match the VMSS name/attributes from step 2.
  4. From a VMSS Flex VM, post the instance metadata identity JWT token to the login API with the appropriate role.
  5. View the error response above
dkiser commented Sep 30, 2022

From initial investigations, the VirtualMachineScaleSetIdentityUserAssignedIdentitiesValue utilized in vault-plugin-auth-azure here is never populated from the Azure API response to GET for a VMSS object when that VMSS is defined as Flex.

This appears to result in the for loop here never populating the principalIDs map correctly to be validated here, resulting in the thrown error.

Example Object responses from the Azure Compute API for VMSS with a User Assigned Identity, and NO Flex enabled

{
    "name": "**SCRUBBED**",
    "id": "/subscriptions/**SCRUBBED**/resourceGroups/**SCRUBBED**/providers/Microsoft.Compute/virtualMachineScaleSets/**SCRUBBED**/virtualMachines/2",
    "type": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
    "location": "westus3",
    "tags": {},
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/**SCRUBBED**/resourceGroups/**SCRUBBED**/providers/Microsoft.ManagedIdentity/userAssignedIdentities/some-identity-name": {
                "principalId": "SOME-LONG-GUID",
                "clientId": "ANOTHER-LONG-GUID"
            }
        }
    }
}

Example Object responses from the Azure Compute API for VMSS with a User Assigned Identity, with Flex enabled.

{
    "name": "**SCRUBBED**",
    "id": "/subscriptions/**SCRUBBED**/resourceGroups/**SCRUBBED**/providers/Microsoft.Compute/virtualMachineScaleSets/**SCRUBBED**",
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "location": "westus3",
    "tags": {},
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/**SCRUBBED**/resourceGroups/**SCRUBBED**/providers/Microsoft.ManagedIdentity/userAssignedIdentities/some-identity-name": {}
        }
    }
}

NOTE from the above object response output that both principalId and clientId are missing from the JSON response from Azure.
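The failure mode described above, reproduced as an added example (not the plugin's own code): the login check rebuilds a set of principal IDs from the VMSS identity block and looks the token's oid up in it; for a Flex scale set the user-assigned entries are empty objects, so the set stays empty and every login fails. The `resolve` callback is an assumed fallback that resolves the identity's principalId from its ARM resource ID; the JSON sample is constructed from the Flex response in this issue.

```go
package main

import "encoding/json"

// Constructed sample: the Flex VMSS response above, trimmed to the identity block.
// The user-assigned entry is an empty object: no principalId, no clientId.
const flexVMSS = `{"identity":{"type":"UserAssigned","userAssignedIdentities":{
  "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/some-identity-name":{}}}}`

// identityValue mirrors one entry of "identity.userAssignedIdentities".
type identityValue struct {
	PrincipalID string `json:"principalId"`
	ClientID    string `json:"clientId"`
}

// vmssIdentity is the part of the Compute API response the login check reads.
type vmssIdentity struct {
	Identity struct {
		PrincipalID            string                   `json:"principalId"` // system-assigned, if any
		UserAssignedIdentities map[string]identityValue `json:"userAssignedIdentities"`
	} `json:"identity"`
}

// PrincipalIDs rebuilds the set that the login JWT's oid claim is compared against.
// resolve is a hypothetical fallback (an assumption, not the plugin's API): given the
// identity's ARM resource ID it returns the principalId for entries the VMSS leaves empty.
func PrincipalIDs(raw []byte, resolve func(resourceID string) string) (map[string]bool, error) {
	var v vmssIdentity
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	ids := map[string]bool{}
	if v.Identity.PrincipalID != "" {
		ids[v.Identity.PrincipalID] = true
	}
	for resourceID, val := range v.Identity.UserAssignedIdentities {
		if val.PrincipalID == "" && resolve != nil {
			val.PrincipalID = resolve(resourceID)
		}
		if val.PrincipalID != "" {
			ids[val.PrincipalID] = true
		}
	}
	return ids, nil
}
```

With `resolve == nil` the Flex sample yields an empty set, which is exactly the "token object id does not match virtual machine identities" outcome; with a resolver the oid lookup succeeds.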

@maxcoulombe maxcoulombe added enhancement New feature or request ecosystem labels Sep 30, 2022
zmyzheng commented Oct 3, 2022

/assign

zmyzheng commented Oct 3, 2022

Can you assign this to me?

calvn commented Oct 10, 2022

I've assigned this issue to you, but we will also have someone from the team review the PR that you've opened. Thanks!
