Better documentation for perform attestation #31966

Open
taxa-chris opened this issue Nov 26, 2024 · 3 comments
Labels: customer-reported, needs-team-attention, question, Service Attention

Comments

@taxa-chris

Is your feature request related to a problem? Please describe.
The docs say to perform attestation you need to run this snippet:

const client = new AttestationAdministrationClient(endpoint, new DefaultAzureCredential());
const policyResponse = await client.getPolicy(KnownAttestationType.SgxEnclave);

But when I do that, I get this error:

/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:148
    const error = new core_rest_pipeline_1.RestError(initialErrorMessage, {
                  ^

RestError: Access to /policies/SgxEnclave requires a valid JWT bearer token
    at handleErrorResponse (/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:148:19)
    at deserializeResponseBody (/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:83:45)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'Unauthorized',
  statusCode: 401,
  details: {
    error: {
      code: 'Unauthorized',
      message: 'Access to /policies/SgxEnclave requires a valid JWT bearer token'
    }
  }
}

Describe the solution you'd like
Better explanation about what that error means, and how to attach a "JWT bearer token" to my code. Nowhere in the docs does it say anything about attaching a JWT bearer token.

Describe alternatives you've considered
Looking through the docs for a description of how to include a "JWT bearer token"

@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 26, 2024
@jeremymeng jeremymeng added the Service Attention Workflow: This issue is responsible by Azure service team. label Nov 26, 2024
@github-actions github-actions bot removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Nov 26, 2024
@xirzec
Member

xirzec commented Nov 26, 2024

@taxa-chris I agree that the message isn't particularly helpful here, but my (limited) understanding is that it is saying whatever credential it's using via DefaultAzureCredential doesn't have the proper RBAC permissions to make the call to getPolicy.

It may help to enable Identity logging to figure out what service principal is being used so you can confirm that it is assigned the proper permissions to make that call.

@deyaaeldeen deyaaeldeen added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Dec 2, 2024

github-actions bot commented Dec 2, 2024

Hi @taxa-chris. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@taxa-chris
Author

taxa-chris commented Dec 2, 2024

Here is the full output I get when running with identity logging enabled:

chris@Tank2:~/Documents/MicrosoftAttestation$ node index.js 
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info EnvironmentCredential => Found the following environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
azure:identity:info EnvironmentCredential => Invoking ClientSecretCredential with tenant ID: 90e666db-319e-467e-8bd0-687cf5911f0b, clientId: 67420648-fe78-403f-8f86-8f923de3cf13 and clientSecret: [REDACTED]
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info WorkloadIdentityCredential => Found the following environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE
azure:identity:info WorkloadIdentityCredential => Invoking ClientAssertionCredential with tenant ID: 90e666db-319e-467e-8bd0-687cf5911f0b, clientId: 67420648-fe78-403f-8f86-8f923de3cf13 and federated token path: [REDACTED]
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:warning DefaultAzureCredential => Skipped createDefaultManagedIdentityCredential because of an error creating the credential: TypeError: Cannot create property 'retryOptions' on string '90e666db-319e-467e-8bd0-687cf5911f0b'
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info ClientSecretCredential => getToken() => Attempting to acquire token using client secret
azure:identity:info ClientSecretCredential => getToken() => Creating new ConfidentialClientApplication with CAE disabled.
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Mon, 02 Dec 2024 18:30:13 GMT] : [] : @azure/[email protected] : Info - acquireTokenByClientCredential called
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Mon, 02 Dec 2024 18:30:13 GMT] : [4e812be2-df2b-4311-a7d9-1f07c6f99e26] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/90e666db-319e-467e-8bd0-687cf5911f0b/oauth2/v2.0/token.
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Mon, 02 Dec 2024 18:30:13 GMT] : [4e812be2-df2b-4311-a7d9-1f07c6f99e26] : @azure/[email protected] : Info - Sending token request to endpoint: https://login.microsoftonline.com/90e666db-319e-467e-8bd0-687cf5911f0b/oauth2/v2.0/token
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 797a837a-825b-42b8-b941-b1c7399af97d
azure:core-rest-pipeline:info Request: {
  "url": "https://login.microsoftonline.com/90e666db-319e-467e-8bd0-687cf5911f0b/oauth2/v2.0/token?client-request-id=REDACTED",
  "headers": {
    "content-type": "application/x-www-form-urlencoded;charset=utf-8",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/4.5.0 core-rest-pipeline/1.17.0 Node/18.19.1 OS/(x64-Linux-6.8.0-48-generic)",
    "x-ms-client-request-id": "797a837a-825b-42b8-b941-b1c7399af97d"
  },
  "method": "POST",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "797a837a-825b-42b8-b941-b1c7399af97d",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info No cached TLS Agent exist, creating a new Agent
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-store, no-cache",
  "pragma": "no-cache",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "72bbf707-bf8f-4334-a2b1-8f2ed82a2e00",
  "x-ms-ests-server": "2.1.19492.3 - WUS3 ProdSlices",
  "x-ms-clitelem": "1,0,0,,",
  "x-ms-srs": "1.P",
  "content-security-policy-report-only": "object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-cjPNuw5vlywq9MAHU2wpiw' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net 'report-sample'; img-src 'self' data: https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AhkVCr057TJMqbOGuQk-84Qns6q3AQAAALXz394OAAAA; expires=Wed, 01-Jan-2025 18:30:14 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Mon, 02 Dec 2024 18:30:13 GMT",
  "content-length": "1363"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 797a837a-825b-42b8-b941-b1c7399af97d
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info ClientSecretCredential => MSAL Node V2 warning: [Mon, 02 Dec 2024 18:30:14 GMT] : [4e812be2-df2b-4311-a7d9-1f07c6f99e26] : @azure/[email protected] : Warning - No client info in response
azure:identity:info ClientSecretCredential => getToken() => SUCCESS. Scopes: https://attest.azure.net/.default.
azure:identity:info EnvironmentCredential => getToken() => SUCCESS. Scopes: https://attest.azure.net/.default.
azure:identity:info ChainedTokenCredential => getToken() => Result for EnvironmentCredential: SUCCESS. Scopes: https://attest.azure.net/.default.
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 0799b3de-d358-4bc1-a992-68d41ed88b18
azure:attestation:info Request: {
  "url": "https://attestation2.eus.attest.azure.net/policies/SgxEnclave?api-version=2020-10-01",
  "headers": {
    "accept": "application/json",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-attestation/1.0.0 core-rest-pipeline/1.17.0 Node/18.19.1 OS/(x64-Linux-6.8.0-48-generic)",
    "x-ms-client-request-id": "0799b3de-d358-4bc1-a992-68d41ed88b18",
    "authorization": "REDACTED"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "streamResponseStatusCodes": {},
  "withCredentials": false,
  "tracingOptions": {
    "spanOptions": {},
    "tracingContext": {
      "_currentContext": {}
    }
  },
  "requestId": "0799b3de-d358-4bc1-a992-68d41ed88b18",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:attestation:info Response status code: 401
azure:attestation:info Headers: {
  "content-type": "application/json; charset=utf-8",
  "date": "Mon, 02 Dec 2024 18:30:14 GMT",
  "server": "Kestrel",
  "transfer-encoding": "chunked",
  "www-authenticate": "Bearer authorization_uri=\"https://login.windows.net/ae7eb34a-7a07-4eca-9e58-c4f8f7b63eac\", resource=\"https://attest.azure.net\"",
  "x-ms-request-id": "00-8c0bc06c6b9eca8137a109f0f8d27c5b-0000000000000000-00",
  "x-ms-maa-service-version": "1.11.02831.3112"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 0799b3de-d358-4bc1-a992-68d41ed88b18
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:148
    const error = new core_rest_pipeline_1.RestError(initialErrorMessage, {
                  ^

RestError: Access to /policies/SgxEnclave requires a valid JWT bearer token
    at handleErrorResponse (/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:148:19)
    at deserializeResponseBody (/home/chris/Documents/MicrosoftAttestation/node_modules/@azure/core-client/dist/commonjs/deserializationPolicy.js:83:45)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'Unauthorized',
  statusCode: 401,
  details: {
    error: {
      code: 'Unauthorized',
      message: 'Access to /policies/SgxEnclave requires a valid JWT bearer token'
    }
  }
}

Node.js v18.19.1

And here is the code I'm running:

const {
  DefaultAzureCredential,
  ClientSecretCredential,
} = require("@azure/identity");
const {
  AttestationClient,
  AttestationAdministrationClient,
  KnownAttestationType,
} = require("@azure/attestation");

const { TokenCredential, isTokenCredential } = require("@azure/core-auth");

const { setLogLevel } = require("@azure/logger");
setLogLevel("info");

const AZURE_CLIENT_ID="[redacted]";
const AZURE_CLIENT_SECRET="[redacted]";
const AZURE_TENANT_ID="[redacted]";
const AAS_URL = "https://attestation2.eus.attest.azure.net/";

async function test_env() {
  const endpoint = AAS_URL;
  const credentials = new ClientSecretCredential(AZURE_TENANT_ID,
    AZURE_CLIENT_ID,
    AZURE_CLIENT_SECRET,
    { authorityHost: AAS_URL },
  );

  const client = new AttestationClient(endpoint, { credentials: credentials });

  // Retrieve the set of attestation policy signers from the attestation client.
  const attestationSigners = await client.getAttestationSigners();
  //console.log("===============================");
  //console.log(attestationSigners);

  const admin_credential = new DefaultAzureCredential();
  const admin_client = new AttestationAdministrationClient(endpoint, admin_credential);

  const policyResponse = await admin_client.getPolicy(
    KnownAttestationType.SgxEnclave,
  );
  console.log("===============================");
  console.log(policyResponse);
}

test_env();

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Dec 2, 2024
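The log above shows the SDK already attaching a bearer token (the `authorization: REDACTED` header on the request to `/policies/SgxEnclave`), so the practical question is whether the token being attached is the one the service expects. The 401 response carries a `www-authenticate` challenge naming the tenant and resource it wants; comparing that challenge with the claims of the token actually sent is the quickest way to tell a tenant or audience mismatch apart from a missing RBAC role. The following is an added example, not code from this issue or from the Azure SDK. `ClaimsLoggingCredential`, `parseBearerChallenge`, `decodeJwtClaims` and `diagnose` are names chosen here; the wrapper follows the `@azure/core-auth` `TokenCredential` shape (`getToken(scopes, options)` resolving to `{ token, expiresOnTimestamp }`) so it can stand in for `DefaultAzureCredential` when constructing a client. The sample token is constructed and unsigned (tenant and client ids copied from the identity log above, the `oid` is a placeholder); the challenge string is the `www-authenticate` value from the 401 above.

```javascript
// Added example (not code from this issue or from the Azure SDK): inspect the
// bearer token the SDK attaches to attestation requests and compare its claims
// with the Bearer challenge the service returned in the 401.
// Assumes standard Entra ID access-token claims (tid, aud, exp, appid/azp, oid)
// and the @azure/core-auth TokenCredential shape: getToken(scopes, options)
// resolving to { token, expiresOnTimestamp }.

// Decode a JWT payload WITHOUT verifying the signature. Client-side inspection
// only; the attestation service is the party that validates the token.
function decodeJwtClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 dot-separated parts)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Parse a challenge of the form
//   Bearer authorization_uri="https://login.windows.net/<tenant>", resource="https://attest.azure.net"
// The tenant in authorization_uri is the tenant the service expects the token to come from.
function parseBearerChallenge(header) {
  if (!/^Bearer\s/i.test(header)) throw new Error("not a Bearer challenge");
  const params = {};
  for (const m of header.matchAll(/(\w+)="([^"]*)"/g)) params[m[1]] = m[2];
  const authorizationUri = params.authorization_uri;
  const tenantId = authorizationUri
    ? new URL(authorizationUri).pathname.split("/").filter(Boolean)[0]
    : undefined;
  return { authorizationUri, resource: params.resource, tenantId };
}

// Wraps any TokenCredential. Logs WHICH principal and tenant each token is for,
// never the token itself, and keeps the last claims for diagnosis.
class ClaimsLoggingCredential {
  constructor(inner, sink = console.log) {
    this.inner = inner;
    this.sink = sink;
    this.lastClaims = null;
  }
  async getToken(scopes, options) {
    const result = await this.inner.getToken(scopes, options);
    if (result && result.token) {
      const c = decodeJwtClaims(result.token);
      this.lastClaims = c;
      this.sink(
        `token for ${scopes}: tid=${c.tid} aud=${c.aud} app=${c.appid ?? c.azp} oid=${c.oid} exp=${c.exp}`,
      );
    }
    return result;
  }
}

// Compare presented claims against the challenge. Returns a list of mismatches;
// an empty list means tenant, audience and expiry look right. Azure RBAC role
// assignments are evaluated by the service and are NOT visible in the token, so
// an empty list does not rule out a missing role assignment on the provider.
function diagnose(claims, challenge, nowSeconds = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const trimSlash = (s) => String(s).replace(/\/+$/, "");
  if (challenge.tenantId && claims.tid !== challenge.tenantId) {
    problems.push(`token issued for tenant ${claims.tid} but service expects tenant ${challenge.tenantId}`);
  }
  if (challenge.resource && trimSlash(claims.aud) !== trimSlash(challenge.resource)) {
    problems.push(`token audience ${claims.aud} does not match resource ${challenge.resource}`);
  }
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) {
    problems.push("token is expired");
  }
  return problems;
}

// ---- Constructed sample data (runs offline) ----
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed, unsigned token shaped like the one EnvironmentCredential obtained
// in the log; tenant and client ids are the ones that log prints, oid is a placeholder.
const SAMPLE_CLAIMS = {
  aud: "https://attest.azure.net",
  iss: "https://login.microsoftonline.com/90e666db-319e-467e-8bd0-687cf5911f0b/v2.0",
  tid: "90e666db-319e-467e-8bd0-687cf5911f0b",
  appid: "67420648-fe78-403f-8f86-8f923de3cf13",
  oid: "00000000-0000-0000-0000-000000000000",
  exp: 4102444800, // 2100-01-01T00:00:00Z, so the sample is not expired
};
const SAMPLE_TOKEN = `${b64url({ alg: "none", typ: "JWT" })}.${b64url(SAMPLE_CLAIMS)}.`;

// The www-authenticate value from the 401 response in the log.
const SAMPLE_CHALLENGE =
  'Bearer authorization_uri="https://login.windows.net/ae7eb34a-7a07-4eca-9e58-c4f8f7b63eac", resource="https://attest.azure.net"';

// Drive the wrapper with a stand-in credential. In real use `inner` would be
// new DefaultAzureCredential() and the wrapper would be passed to
// new AttestationAdministrationClient(endpoint, wrapper).
async function runSample(now = 1733164800) {
  const fakeInner = {
    getToken: async () => ({ token: SAMPLE_TOKEN, expiresOnTimestamp: SAMPLE_CLAIMS.exp * 1000 }),
  };
  const cred = new ClaimsLoggingCredential(fakeInner, () => {});
  await cred.getToken("https://attest.azure.net/.default");
  return diagnose(cred.lastClaims, parseBearerChallenge(SAMPLE_CHALLENGE), now);
}

if (typeof require !== "undefined" && require.main === module) {
  runSample().then((problems) => console.log(problems.length ? problems : ["no mismatch found"]));
}
```

Run against the sample data the checker reports one mismatch: the token's `tid` is the tenant the identity log printed, while the challenge names a different tenant. That is the kind of discrepancy the generic "requires a valid JWT bearer token" message hides, and it is worth ruling out before (or alongside) reviewing role assignments on the attestation provider, since the claims cannot show whether the principal holds the role the `getPolicy` call needs.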