User Managed Identity unable to get tokens - Unable to load the proper Managed Identity #442

Closed
1 of 3 tasks
benc-uk opened this issue Oct 8, 2022 · 8 comments
Labels
Needs: triage 🔍 Pending a first pass to read, tag, and assign

Comments

@benc-uk

benc-uk commented Oct 8, 2022

Please provide us with the following information:

This issue is a: (mark with an x)

  • bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

Assigning a User Managed Identity doesn't work, and the container cannot get tokens from the IMDS endpoint when using the SDKs.
NOTE: Switching to System Managed Identity, the problem immediately goes away.

Steps to reproduce

  1. Create container app
  2. Assign user managed identity
  3. Attempt to get a token using the Azure SDKs and DefaultAzureCredential

Expected behavior [What you expected to happen.]

  • Tokens are returned

Actual behavior [What actually happened.]

Error output from the Azure SDK for Go

2022-10-08T15:33:53.307692258Z =====> Try=1 GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=https%3A%2F%2Fstorage.azure.com
2022-10-08T15:33:53.307698750Z [Oct  8 15:33:53.307585] Request: ==> OUTGOING REQUEST (Try=1)
2022-10-08T15:33:53.307703770Z    GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED
2022-10-08T15:33:53.307708058Z    User-Agent: azsdk-go-azidentity/v1.1.0 (go1.18.7; linux)
2022-10-08T15:33:53.307712436Z    X-Identity-Header: REDACTED
2022-10-08T15:33:53.307716444Z 
2022-10-08T15:33:54.687832767Z [Oct  8 15:33:54.687728] Response: ==> REQUEST/RESPONSE (Try=1/1.380095619s, OpTime=1.380112721s) -- RESPONSE RECEIVED
2022-10-08T15:33:54.687862903Z    GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED
2022-10-08T15:33:54.687870788Z    User-Agent: azsdk-go-azidentity/v1.1.0 (go1.18.7; linux)
2022-10-08T15:33:54.687876659Z    X-Identity-Header: REDACTED
2022-10-08T15:33:54.687881618Z    --------------------------------------------------------------------------------
2022-10-08T15:33:54.687886597Z    RESPONSE Status: 400 Bad Request
2022-10-08T15:33:54.687891987Z    Content-Type: application/json; charset=utf-8
2022-10-08T15:33:54.687896265Z    Date: Sat, 08 Oct 2022 15:33:54 GMT
2022-10-08T15:33:54.687899191Z    Server: Kestrel
2022-10-08T15:33:54.687901846Z    X-Correlation-Id: REDACTED
2022-10-08T15:33:54.687904310Z 
2022-10-08T15:33:54.687906995Z [Oct  8 15:33:54.687754] Retry: response 400
2022-10-08T15:33:54.688526711Z [Oct  8 15:33:54.687804] Retry: error DefaultAzureCredential authentication failed
2022-10-08T15:33:54.688542120Z GET http://localhost:42356/msi/token
2022-10-08T15:33:54.688548011Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688552580Z RESPONSE 400 Bad Request
2022-10-08T15:33:54.688557018Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688562288Z {
2022-10-08T15:33:54.688567508Z   "statusCode": 400,
2022-10-08T15:33:54.688572527Z   "message": "Unable to load the proper Managed Identity.",
2022-10-08T15:33:54.688588918Z   "correlationId": "cbd25d94-dea8-4ebf-b3f4-b83d715c6e75"
2022-10-08T15:33:54.688594128Z }
2022-10-08T15:33:54.688599468Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688604317Z 
2022-10-08T15:33:54.688610027Z [Oct  8 15:33:54.687822] Retry: non-retriable error *azidentity.AuthenticationFailedError

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

N/A

@ghost ghost added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Oct 8, 2022
@benc-uk

benc-uk commented Oct 8, 2022

Raised in error

Once I switched to NewManagedIdentityCredential and told it which User Identity to use, it worked.

@benc-uk benc-uk closed this as completed Oct 8, 2022
@cwe1ss

cwe1ss commented Oct 8, 2022

It does work with DefaultAzureCredential if you set the AZURE_CLIENT_ID environment variable.

See here for more details: #325 (comment)

@benc-uk

benc-uk commented Oct 24, 2022

Yes, that would also be a fix, but it varies from SDK to SDK.

In my case with Go, that AZURE_CLIENT_ID is checked, but other SDKs provide different routes to specify it.

@arkiaconsulting

This works for me with Azure.Identity 1.9.0, explicitly setting the Managed Identity client ID to use (because it's a User Managed Identity). Depending on when you need these credentials, you may source the setting from environment variables instead of from IConfiguration.

var getRuntimeAzureCredentials = () => new ManagedIdentityCredential(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));

@AndreaPic

AZURE_CLIENT_ID
Using AZURE_CLIENT_ID with user-assigned managed identities works for me too, but I don't like adding this configuration. I would prefer to use user-assigned managed identities without any configuration.
I'm using:
"Azure.Identity" Version="1.9.0"
"Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.2"

@sec

sec commented Nov 6, 2023

We're also facing the same issue - was this fixed somehow, because the issue is closed?

@Kirankumar-thamatam

Kirankumar-thamatam commented Nov 8, 2023

I tried all the mentioned solutions/answers; they didn't work for me. I tried the solutions below:

  1. DefaultAzureCredential if you set the AZURE_CLIENT_ID environment variable.
  2. new ManagedIdentityCredential(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));

@fvilches17

The reasons for this issue are multiple, but if it helps anyone, this was my case:

I was using a UserAssignedIdentity + DefaultAzureCredential(), which under the hood chooses the ManagedIdentity provider when running in the context of an Azure resource (in my case, FunctionApp).

Before

var tokenCredential = new DefaultAzureCredential();

// rest of code ...

After

var defaultCredentialOptions = new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<guid of my user assigned identity's client id>" };

var tokenCredential = new DefaultAzureCredential(defaultCredentialOptions);

// rest of code ...

Reason: it looks like, because more than one UserAssignedIdentity can be assigned to an Azure resource, we have to be explicit about which one to use.

Hope this helps someone.
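The failing exchange in the log above, and the fix the later comments describe (passing the user-assigned identity's client ID), as an added Go example that is not code from this issue or from the Azure SDK: it issues the same GET that azidentity sends to the platform's identity endpoint, adding client_id when a client ID is supplied. It assumes the endpoint honours the client_id query parameter the way the App Service-style 2019-08-01 endpoint does, and reads IDENTITY_ENDPOINT, IDENTITY_HEADER and AZURE_CLIENT_ID from the container's environment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// BuildTokenURL reproduces the query the SDK sends to IDENTITY_ENDPOINT; an empty clientID gives
// the request from the issue log, a non-empty one adds client_id to select one user-assigned identity.
func BuildTokenURL(endpoint, resource, clientID string) string {
	q := url.Values{"api-version": {"2019-08-01"}, "resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID) // assumption: endpoint honours client_id as App Service does
	}
	return endpoint + "?" + q.Encode()
}

// FetchToken sends the request with the IDENTITY_HEADER secret and returns the access token,
// or the endpoint's own message (e.g. "Unable to load the proper Managed Identity.") as an error.
func FetchToken(endpoint, identityHeader, resource, clientID string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, BuildTokenURL(endpoint, resource, clientID), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-IDENTITY-HEADER", identityHeader)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"` // present on 200
		Message     string `json:"message"`      // present on 400, as in the log
	}
	_ = json.NewDecoder(resp.Body).Decode(&body) // an empty or non-JSON body just leaves both fields blank
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("identity endpoint returned %d: %s", resp.StatusCode, body.Message)
	}
	return body.AccessToken, nil
}

func main() { // run inside the container: the platform injects IDENTITY_ENDPOINT and IDENTITY_HEADER
	tok, err := FetchToken(os.Getenv("IDENTITY_ENDPOINT"), os.Getenv("IDENTITY_HEADER"),
		"https://storage.azure.com", os.Getenv("AZURE_CLIENT_ID"))
	fmt.Println("token length:", len(tok), "error:", err)
}
```

Run it once with AZURE_CLIENT_ID unset and once with it set to the identity's client ID to see the 400 from the log and the working request side by side.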

Jandev added a commit to Jandev/auth-with-obo that referenced this issue Sep 17, 2024
arealmaas added a commit to Altinn/dialogporten that referenced this issue Oct 16, 2024
## Description

- Add AZURE_CLIENT_ID because it is needed when using user assigned identities: microsoft/azure-container-apps#442

## Related Issue(s)

- #{issue number}

## Verification

- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)


## Summary by CodeRabbit

- **New Features**
  - Introduced a managed identity for secure access to Azure resources.
  - Updated environment variable configuration to include `AZURE_CLIENT_ID` for enhanced security.

- **Improvements**
  - Restructured managed identity usage for better resource management and permissions.
