Azure / Microsoft.Azure.StackExchangeRedis

Azure-specific wrapper for the StackExchange.Redis client library
MIT License

Authentication Failure reported when using user assigned managed identity in non-Microsoft tenant #40

Closed junshi356 closed 11 months ago

junshi356 commented 11 months ago

Hi, does this extension support using a UAMI in another tenant connecting to a Redis cache in the same tenant? I'm trying to switch to managed identity, but it doesn't seem to be working. (I've attached a snapshot and code snippet below.)

I looked into the source code in this repo and found that if I use ConfigureForAzureWithUserAssignedManagedIdentityAsync to configure the connection, it seems it will connect to Entra ID in the Microsoft tenant to get a token instead of connecting to Entra ID in the UAMI's tenant. I've configured the 'Data Access Configuration', but it didn't work.

Do you have any idea about this auth failure? If ConfigureForAzureWithUserAssignedManagedIdentityAsync can't work with other tenants, do you have any workaround? (Assigning ServicePrincipalTenantId to AzureCacheOptions doesn't seem to work, because it requires me to pass a principal secret or cert to the extension method.)

(attached screenshot of the authentication failure)

We use code like below to connect to Redis, where we have loaded appsettings into azureConfig variable:

    using StackExchange.Redis;
    using Microsoft.Azure.StackExchangeRedis;

    // Cache host name and the user-assigned managed identity ids come from appsettings.
    var redisCacheHost = $"{azureConfig.RedisCache}.redis.cache.windows.net";
    var clientID = azureConfig.ManagedIdentityClientID;
    var principalID = azureConfig.ManagedIdentityPrincipalID;

    // Configure the connection to authenticate with the user-assigned managed identity
    // (the extension method is async; the original code blocks on .Result).
    var redisConfigurationOptions = ConfigurationOptions.Parse($"{redisCacheHost}:6380")
        .ConfigureForAzureWithUserAssignedManagedIdentityAsync(clientID, principalID).Result;

    redisConfigurationOptions.Ssl = true;
    redisConfigurationOptions.AllowAdmin = false;
    redisConfigurationOptions.AbortOnConnectFail = false;
    redisConfigurationOptions.ConnectRetry = azureConfig.RetryCount;

    // The result must be assigned; a bare .Result expression is not a valid C# statement.
    var connection = ConnectionMultiplexer.ConnectAsync(redisConfigurationOptions).Result;
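
The question above is which Entra ID tenant the managed identity token is issued by. The following diagnostic is an added example, not code from this issue or from the library: it uses Azure.Identity to request the same token the user-assigned managed identity would present to the cache and decodes the JWT payload so the `tid` (tenant), `aud` (audience) and `oid` (principal object id) claims can be compared with the cache's tenant and the principal id passed to ConfigureForAzureWithUserAssignedManagedIdentityAsync. The scope string and the command-line argument are assumptions.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added diagnostic (not part of the issue or the library): inspect the claims of the
// token a user-assigned managed identity obtains for Azure Cache for Redis.
static class ManagedIdentityTokenCheck
{
    // Assumed: the Entra ID scope used for Azure Cache for Redis authentication.
    const string RedisScope = "https://redis.azure.com/.default";

    public static async Task<(string Tenant, string Audience, string ObjectId)> InspectAsync(string managedIdentityClientId)
    {
        // Same identity the extension method would use: the UAMI selected by client id.
        var credential = new ManagedIdentityCredential(managedIdentityClientId);
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { RedisScope }));

        // A JWT is header.payload.signature; the payload is base64url-encoded JSON.
        string payload = token.Token.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        JsonElement root = doc.RootElement;

        return (root.GetProperty("tid").GetString(),
                root.GetProperty("aud").GetString(),
                root.GetProperty("oid").GetString());
    }

    public static async Task Main(string[] args)
    {
        // Hypothetical: the managed identity client id is passed as the first argument.
        var (tid, aud, oid) = await InspectAsync(args[0]);
        Console.WriteLine($"tid={tid}");
        Console.WriteLine($"aud={aud}");
        Console.WriteLine($"oid={oid}");
        // Expected when the setup is correct: tid is your own tenant id (not Microsoft's)
        // and oid equals the principal id passed to ConfigureForAzureWithUserAssignedManagedIdentityAsync.
    }
}
```

Run it from the same App Service that hosts the client, since a managed identity token can only be obtained from inside the Azure resource it is assigned to.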

philon-msft commented 11 months ago

No, Microsoft Entra Managed Identities don't support cross-tenant access: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant

junshi356 commented 11 months ago

Hi, @philon-msft. I didn't mean cross-tenant access. My Azure Redis service and the managed identity are inside the same tenant, but that tenant isn't the MSFT tenant (microsoft.onmicrosoft.com). How should I use this extension package?

philon-msft commented 11 months ago

Is the client app running in an Azure resource (e.g. a VM) in the same tenant?

junshi356 commented 11 months ago

@philon-msft yes. It's an app service running in the same tenant.