bug: IMDS managed identity token expires_on parsed as RFC3339 instead of Unix timestamp #7309
Description
Describe the bug
When using the azblob backend with Azure Managed Identity (IMDS) authentication, all storage operations fail with:
parse 1774516777 into rfc3339 failed for ParseError(Invalid)
The root cause is in reqsign v0.16.3 (src/azure/storage/loader.rs:84), where the expires_on field from the IMDS token response is parsed using parse_rfc3339(). However, Azure IMDS returns expires_on as a Unix epoch timestamp string (e.g., "1774516777"), not an RFC3339 date-time string.
The imds_credential.rs file in the same crate even has a comment acknowledging this:
// NOTE: expires_on is a String version of unix epoch time, not an integer.
But loader.rs still passes it to parse_rfc3339().
This bug exists in reqsign <= v0.16.5 and has been fixed in reqsign v0.20.0 (https://github.com/Xuanwo/reqsign/blob/v0.20.0/services/azure-storage/src/provide_credential/imds.rs#L56-L63), which correctly parses expires_on as a Unix timestamp:
let timestamp = token.expires_on.parse::<i64>()?;
Timestamp::from_second(timestamp)?
However, OpenDAL v0.55.0 (latest release) still depends on reqsign v0.16.5, so no released OpenDAL version contains the fix.
I see that PR #7226 migrated azblob to reqsign v2 and was merged on 2026-02-26 — but it has not been included in a release yet.
Steps to Reproduce
- Deploy on Azure VM with User-Assigned Managed Identity
- Configure azblob storage backend
- Perform any write operation
- Observe the parse into rfc3339 failed error
Expected Behavior
OpenDAL should correctly parse the IMDS expires_on as a Unix timestamp and successfully authenticate with Azure Blob Storage.
Additional Context
No response
Are you willing to submit a PR to fix this bug?
- Yes, I would like to submit a PR.
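An added example (not from the issue, and not reqsign or OpenDAL code): std-only Rust that reads expires_on as the decimal epoch-seconds string IMDS returns, falls back to strict UTC RFC3339 as a generalization beyond the issue, and checks expiry with a refresh margin. The function names, the fallback and the margin are assumptions; the inputs are constructed from the value in the error message.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let (era, yoe) = (y.div_euclid(400), y.rem_euclid(400));
    let doy = (153 * (if m > 2 { m - 3 } else { m + 9 }) + 2) / 5 + d - 1;
    era * 146_097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719_468
}

// Digits-only numeric field at a fixed byte range.
fn field(s: &str, r: std::ops::Range<usize>) -> Option<i64> {
    let f = s.get(r)?;
    if f.bytes().all(|c| c.is_ascii_digit()) { f.parse().ok() } else { None }
}

// Strict "YYYY-MM-DDTHH:MM:SSZ" (UTC only, no fractions or offsets).
fn parse_rfc3339_utc(s: &str) -> Option<i64> {
    let b = s.as_bytes();
    if b.len() != 20 || [b[4], b[7], b[10], b[13], b[16], b[19]] != *b"--T::Z" {
        return None;
    }
    let (y, mo, d) = (field(s, 0..4)?, field(s, 5..7)?, field(s, 8..10)?);
    let (h, mi, se) = (field(s, 11..13)?, field(s, 14..16)?, field(s, 17..19)?);
    if !(1..=12).contains(&mo) || !(1..=31).contains(&d) || h > 23 || mi > 59 || se > 59 {
        return None;
    }
    Some(days_from_civil(y, mo, d) * 86_400 + h * 3_600 + mi * 60 + se)
}

// IMDS form first (decimal epoch seconds as a string), RFC3339 only as fallback.
pub fn parse_expires_on(raw: &str) -> Result<i64, String> {
    let s = raw.trim();
    if !s.is_empty() && s.bytes().all(|c| c.is_ascii_digit()) {
        return s.parse::<i64>().map_err(|_| format!("epoch out of range: {s}"));
    }
    parse_rfc3339_utc(s).ok_or_else(|| format!("unrecognized expires_on: {s:?}"))
}

// Refresh when the token is expired or within `margin` of expiry.
pub fn needs_refresh(expires_at: i64, now: SystemTime, margin: Duration) -> bool {
    let now = now.duration_since(UNIX_EPOCH).map_or(0, |d| d.as_secs() as i64);
    now.saturating_add(margin.as_secs() as i64) >= expires_at
}

fn main() { // constructed inputs: the value from the error message, twice, plus junk
    for raw in ["1774516777", "2026-03-26T09:19:37Z", "not-a-time"] {
        println!("{raw:?} -> {:?}", parse_expires_on(raw));
    }
}
```

Rejecting anything that is neither form, rather than defaulting to "never expires" or "already expired", keeps a malformed response from silently extending or discarding a credential.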