AZ CLI run in Docker container on Arc VM cannot use Managed Identity #33567

@bassie1995

Describe the bug

Using az login to authenticate with a machine's Managed Identity does not work when done within a Docker container on an Arc VM.

However, it works:

  • On the Arc VM directly
  • On a "normal" Azure VM directly
  • On a "normal" Azure VM from within a Docker container

Both Docker containers go to the same endpoint at 169.254.169.254, but on Arc it does not reply. The documentation says to use 127.0.0.1:40342 on Arc, but of course I cannot verify this (save maybe if I were to do some IP/port NAT magic).

Related command

az login --identity

Or in Python: ManagedIdentityCredential() or DefaultAzureCredential()

Errors

The command failed with an unexpected error. Here is the traceback:
HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))
Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 204, in _new_conn
    sock = connection.create_connection(
        (self._dns_host, self.port),
    ...<2 lines>...
        socket_options=self.socket_options,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 85, in create_connection
    raise err
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
    ~~~~~~~~~~~~^^^^
ConnectionRefusedError: [Errno 111] Connection refused

Issue script & Debug output

cli.knack.cli: Command arguments: ['login', '--identity', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7ff5e4456840>, <function OutputProducer.on_global_arguments at 0x7ff5e4219120>, <function CLIQuery.on_global_arguments at 0x7ff5e424f2e0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Using packaged command index for profile 'latest'.
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         8
cli.azure.cli.core: Total (1)                 0.003         2         8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7ff5e3f6d3a0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/root/.azure/commands/2026-06-16.14-03-45.login.207.log'.
az_command_data_logger: command args: login --identity --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7ff5e3fba160>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7ff5e3fba840>, <function register_global_policy_argument.<locals>.add_global_policy_argument at 0x7ff5e3fba980>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7ff5e3fbaa20>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7ff5e3fbaac0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7ff5e42191c0>, <function CLIQuery.handle_query_parameter at 0x7ff5e424f380>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7ff5e3fba8e0>]
cli.azure.cli.core.auth.msal_credentials: ManagedIdentityCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], kwargs={}
msal.managed_identity: Obtaining token via managed identity on Azure VM
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 204, in _new_conn
    sock = connection.create_connection(
        (self._dns_host, self.port),
    ...<2 lines>...
        socket_options=self.socket_options,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 85, in create_connection
    raise err
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
    ~~~~~~~~~~~~^^^^
ConnectionRefusedError: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 788, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 493, in _make_request
    conn.request(
    ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<6 lines>...
        enforce_content_length=enforce_content_length,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 500, in request
    self.endheaders()
    ~~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/http/client.py", line 1353, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1113, in _send_output
    self.send(msg)
    ~~~~~~~~~^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1057, in send
    self.connect()
    ~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 331, in connect
    self.sock = self._new_conn()
                ~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 219, in _new_conn
    raise NewConnectionError(
        self, f"Failed to establish a new connection: {e}"
    ) from e
urllib3.exceptions.NewConnectionError: HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 645, in send
    resp = conn.urlopen(
        method=request.method,
    ...<9 lines>...
        chunked=chunked,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 842, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/retry.py", line 543, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 677, in execute
    raise ex
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 820, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 789, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 335, in __call__
    return self.handler(*args, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/command_modules/profile/custom.py", line 184, in login
    return profile.login_with_managed_identity(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        client_id=client_id, object_id=object_id, resource_id=resource_id,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        allow_no_subscriptions=allow_no_subscriptions)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/_profile.py", line 265, in login_with_managed_identity
    token = cred.acquire_token(self._arm_scope)[ACCESS_TOKEN]
            ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/auth/msal_credentials.py", line 175, in acquire_token
    result = self._msal_client.acquire_token_for_client(resource=scopes_to_resource(scopes))
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 329, in acquire_token_for_client
    result = _obtain_token(
        self._http_client, self._managed_identity, resource,
    ...<3 lines>...
        client_capabilities=self._client_capabilities,
    )
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 460, in _obtain_token
    return _obtain_token_on_azure_vm(http_client, managed_identity, resource)
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 478, in _obtain_token_on_azure_vm
    resp = http_client.get(
        os.getenv(
    ...<3 lines>...
        headers={"Metadata": "true"},
        )
  File "/opt/az/lib/python3.13/site-packages/msal/individual_cache.py", line 273, in wrapper
    value = function(*args, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/msal/throttled_http_client.py", line 99, in get
    return NormalizedResponse(self.http_client.get(*args, **kwargs))
                              ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 605, in get
    return self.request("GET", url, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 592, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 706, in send
    r = adapter.send(request, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 678, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))

cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback:
az_command_data_logger: The command failed with an unexpected error. Here is the traceback:
cli.azure.cli.core.azclierror: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))
Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 204, in _new_conn
    sock = connection.create_connection(
        (self._dns_host, self.port),
    ...<2 lines>...
        socket_options=self.socket_options,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 85, in create_connection
    raise err
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
    ~~~~~~~~~~~~^^^^
ConnectionRefusedError: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 788, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 493, in _make_request
    conn.request(
    ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<6 lines>...
        enforce_content_length=enforce_content_length,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 500, in request
    self.endheaders()
    ~~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/http/client.py", line 1353, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1113, in _send_output
    self.send(msg)
    ~~~~~~~~~^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1057, in send
    self.connect()
    ~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 331, in connect
    self.sock = self._new_conn()
                ~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 219, in _new_conn
    raise NewConnectionError(
        self, f"Failed to establish a new connection: {e}"
    ) from e
urllib3.exceptions.NewConnectionError: HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 645, in send
    resp = conn.urlopen(
        method=request.method,
    ...<9 lines>...
        chunked=chunked,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 842, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/retry.py", line 543, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 677, in execute
    raise ex
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 820, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 789, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 335, in __call__
    return self.handler(*args, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/command_modules/profile/custom.py", line 184, in login
    return profile.login_with_managed_identity(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        client_id=client_id, object_id=object_id, resource_id=resource_id,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        allow_no_subscriptions=allow_no_subscriptions)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/_profile.py", line 265, in login_with_managed_identity
    token = cred.acquire_token(self._arm_scope)[ACCESS_TOKEN]
            ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/auth/msal_credentials.py", line 175, in acquire_token
    result = self._msal_client.acquire_token_for_client(resource=scopes_to_resource(scopes))
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 329, in acquire_token_for_client
    result = _obtain_token(
        self._http_client, self._managed_identity, resource,
    ...<3 lines>...
        client_capabilities=self._client_capabilities,
    )
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 460, in _obtain_token
    return _obtain_token_on_azure_vm(http_client, managed_identity, resource)
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 478, in _obtain_token_on_azure_vm
    resp = http_client.get(
        os.getenv(
    ...<3 lines>...
        headers={"Metadata": "true"},
        )
  File "/opt/az/lib/python3.13/site-packages/msal/individual_cache.py", line 273, in wrapper
    value = function(*args, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/msal/throttled_http_client.py", line 99, in get
    return NormalizedResponse(self.http_client.get(*args, **kwargs))
                              ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 605, in get
    return self.request("GET", url, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 592, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 706, in send
    r = adapter.send(request, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 678, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))
az_command_data_logger: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))
Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 204, in _new_conn
    sock = connection.create_connection(
        (self._dns_host, self.port),
    ...<2 lines>...
        socket_options=self.socket_options,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 85, in create_connection
    raise err
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
    ~~~~~~~~~~~~^^^^
ConnectionRefusedError: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 788, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 493, in _make_request
    conn.request(
    ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<6 lines>...
        enforce_content_length=enforce_content_length,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 500, in request
    self.endheaders()
    ~~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/http/client.py", line 1353, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1113, in _send_output
    self.send(msg)
    ~~~~~~~~~^^^^^
  File "/opt/az/lib/python3.13/http/client.py", line 1057, in send
    self.connect()
    ~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 331, in connect
    self.sock = self._new_conn()
                ~~~~~~~~~~~~~~^^
  File "/opt/az/lib/python3.13/site-packages/urllib3/connection.py", line 219, in _new_conn
    raise NewConnectionError(
        self, f"Failed to establish a new connection: {e}"
    ) from e
urllib3.exceptions.NewConnectionError: HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 645, in send
    resp = conn.urlopen(
        method=request.method,
    ...<9 lines>...
        chunked=chunked,
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/connectionpool.py", line 842, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "/opt/az/lib/python3.13/site-packages/urllib3/util/retry.py", line 543, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.13/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 677, in execute
    raise ex
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 820, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 789, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/__init__.py", line 335, in __call__
    return self.handler(*args, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.13/site-packages/azure/cli/command_modules/profile/custom.py", line 184, in login
    return profile.login_with_managed_identity(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        client_id=client_id, object_id=object_id, resource_id=resource_id,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        allow_no_subscriptions=allow_no_subscriptions)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/_profile.py", line 265, in login_with_managed_identity
    token = cred.acquire_token(self._arm_scope)[ACCESS_TOKEN]
            ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/azure/cli/core/auth/msal_credentials.py", line 175, in acquire_token
    result = self._msal_client.acquire_token_for_client(resource=scopes_to_resource(scopes))
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 329, in acquire_token_for_client
    result = _obtain_token(
        self._http_client, self._managed_identity, resource,
    ...<3 lines>...
        client_capabilities=self._client_capabilities,
    )
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 460, in _obtain_token
    return _obtain_token_on_azure_vm(http_client, managed_identity, resource)
  File "/opt/az/lib/python3.13/site-packages/msal/managed_identity.py", line 478, in _obtain_token_on_azure_vm
    resp = http_client.get(
        os.getenv(
    ...<3 lines>...
        headers={"Metadata": "true"},
        )
  File "/opt/az/lib/python3.13/site-packages/msal/individual_cache.py", line 273, in wrapper
    value = function(*args, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/msal/throttled_http_client.py", line 99, in get
    return NormalizedResponse(self.http_client.get(*args, **kwargs))
                              ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 605, in get
    return self.request("GET", url, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 592, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/sessions.py", line 706, in send
    r = adapter.send(request, **kwargs)
  File "/opt/az/lib/python3.13/site-packages/requests/adapters.py", line 678, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F (Caused by NewConnectionError("HTTPConnection(host='169.254.169.254', port=80): Failed to establish a new connection: [Errno 111] Connection refused"))
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7ff5e3f6d620>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 101.173 seconds (init: 0.066, invoke: 101.107)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 8104 in cache file under /root/.azure/telemetry/20260616140526442
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.13/site-packages/azure/cli/telemetry/__init__.py /root/.azure /root/.azure/telemetry/20260616140526442"
telemetry.process: Return from creating process 225
telemetry.main: Finish creating telemetry upload process.

Expected behavior

In a non-Arc Azure VM, the Docker container gets the expected output (az account show) and can then perform operations like logging into ACR.

Environment Summary

azure-cli 2.87.0

core 2.87.0
telemetry 1.1.0

Dependencies:
msal 1.36.0
azure-mgmt-resource 24.0.0

Python location '/opt/az/bin/python3'
Config directory '/root/.azure'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.13.13 (main, May 26 2026, 06:37:21) [GCC 12.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

This also extends to Python applications. It fails quicker, but ManagedIdentityCredential() also gets "no response from the IMDS endpoint".
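
A small diagnostic for the situation reported above, added here as an example (not code from the issue, Azure CLI or MSAL): it reports which token endpoint a process would target given its environment, and whether that address accepts TCP connections from the current network namespace. It assumes the Arc agent's documented `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` variables and a simplified selection rule; `select_token_endpoint`, `probe_tcp` and `diagnose` are hypothetical names.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Default Azure VM IMDS token URL, as it appears in the traceback on this page.
AZURE_VM_IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"


def select_token_endpoint(env):
    """Simplified model (assumption): the Arc endpoint is used only when both
    agent variables are present; otherwise the Azure VM address is used."""
    identity, imds = env.get("IDENTITY_ENDPOINT"), env.get("IMDS_ENDPOINT")
    if identity and imds:
        return "azure_arc", identity
    return "azure_vm", AZURE_VM_IMDS


def is_loopback(host):
    """True for 'localhost' and for literal loopback IP addresses."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP connect attempt as open, refused, timeout or error:<errno>."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # the [Errno 111] case from the report
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return "error:%s" % exc.errno


def diagnose(env, probe=probe_tcp):
    """Return the endpoint this environment selects, its TCP state and a hint."""
    source, url = select_token_endpoint(env)
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    state = probe(host, port)
    loopback = is_loopback(host)
    if state == "open":
        hint = "endpoint accepts connections from this network namespace"
    elif source == "azure_vm":
        hint = ("IDENTITY_ENDPOINT/IMDS_ENDPOINT are not both set, so the Azure VM "
                "address is used; nothing answered there (%s)" % state)
    elif loopback:
        hint = ("Arc endpoint is a loopback address; in a container with its own "
                "network namespace that is the container's loopback, not the host's")
    else:
        hint = "Arc endpoint is configured but not reachable (%s)" % state
    return {"source": source, "url": url, "host": host, "port": port,
            "state": state, "loopback": loopback, "hint": hint}


if __name__ == "__main__":
    # Run once on the host and once inside the container, then compare.
    for key, value in diagnose(dict(os.environ)).items():
        print("%-9s %s" % (key, value))
```
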

Labels

  • ARM: az resource/group/lock/tag/deployment/policy/managementapp/account management-group
  • Account: az login/account
  • Auto-Assign: Auto assign by bot
  • Azure CLI Team: The command of the issue is owned by Azure CLI team
  • act-identity-squad
  • bug: This issue requires a change to an existing behavior in the product in order to be resolved.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
