Open jsquire opened 3 months ago
@jsquire is this related to https://github.com/Azure/azure-functions-host/issues/8037? I just wasted over 8 hours debugging why my user-assigned identity does not have permissions, until I "randomly" stumbled upon this.
As mentioned, I need to set the property managedIdentityClientId or the AZURE_CLIENT_ID variable to use the managed identity.
IMO I'd have a much better dev experience if I did not need to fiddle with any environment variables or anything during new identity.DefaultAzureCredential. Having written over a thousand AWS Lambdas and GCP functions, I expected the environment to contain all necessary data so that the SDK could "just work".
I'd expect the requirement to set the variable only in case there is more than one identity assigned, and the ability to retrieve the necessary IDs from the runtime, similarly to https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows.
PS. In case this is not the right place, please redirect me.
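The configuration the comment above describes, shown as an added example in C# (this is not code from the issue thread or from the Azure SDK). It assumes the user-assigned identity's client ID is supplied through the AZURE_CLIENT_ID application setting and makes the choice of identity explicit in DefaultAzureCredentialOptions rather than relying on the host to pick one:

```csharp
using System;
using Azure.Core;
using Azure.Identity;

// Added example (not code from this issue thread). Assumes a user-assigned
// managed identity whose client ID is provided in the AZURE_CLIENT_ID setting.
public static class CredentialFactory
{
    // Builds a credential that targets the user-assigned identity explicitly.
    // Without ManagedIdentityClientId, DefaultAzureCredential asks the local
    // managed-identity endpoint for the system-assigned identity, so the role
    // assignments made for the user-assigned identity appear to be missing.
    public static TokenCredential Create()
    {
        string? clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        if (string.IsNullOrWhiteSpace(clientId))
        {
            // Fail fast at startup instead of at the first token request, where the
            // resulting authorization error would be far harder to attribute.
            throw new InvalidOperationException(
                "AZURE_CLIENT_ID is not set; the user-assigned identity cannot be selected.");
        }

        var options = new DefaultAzureCredentialOptions
        {
            // Azure.Identity also reads AZURE_CLIENT_ID itself; setting the option
            // keeps the dependency visible in code and in code review.
            ManagedIdentityClientId = clientId,
        };
        return new DefaultAzureCredential(options);
    }
}
```

In a Function App the setting is added under the app's configuration; the same code runs unchanged locally, where DefaultAzureCredential falls through to the developer credentials in its chain.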
@1oglop1 : You'll need to address that question to a member of the Functions team, who own the Functions host environment. This is the correct repository for those conversations, which is why I transferred this issue here.
Issue Transfer
This issue has been transferred from the Azure SDK for .NET repository, #44693.
Please be aware that @nols-neulsen is the author of the original issue and include them for any questions or replies.
Azure SDK triage
The error indicates that the local managed identity endpoint on the host is unavailable or inaccessible to HTTP traffic when the application starts running and the Identity library attempts to acquire a token. This is not something that the credential or the application has insight into nor influence over. This requires investigation of host environment.
Details
Describe the bug
I have a Windows hosted Function App (Consumption plan) with a single HTTP trigger function. This function will initialize an ArmClient, using ManagedIdentityCredential, to spawn Container App Jobs. From a test (902 invocations) this function only succeeds 84% of the time; the other 16% fails due to Azure.Identity.CredentialUnavailableException. Running locally, everything works 100% of the time if I provide an AzureCliCredential; VisualStudioCredential (with Sync active) also seems to not work all the time.
Function App:
Packages:
User Assigned Managed Identity role assignments:
Code:
Error:
Expected behavior
Retrieving the credential succeeds 100%
Actual behavior
In 16% of the cases the execution fails due to Azure.Identity.CredentialUnavailableException
Reproduction Steps
Hosting info and code provided in bug description
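The reporter's code is not reproduced in the thread. As an added example (not the reporter's code and not Azure SDK code), the following shows the pattern the report describes: an ArmClient built on a ManagedIdentityCredential for a user-assigned identity, with a token probe at startup so that each CredentialUnavailableException is logged with its full message before the invocation fails. The setting name UAMI_CLIENT_ID and the ILogger injection are assumptions:

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Microsoft.Extensions.Logging;

// Added example, not the reporter's code. Assumes a user-assigned identity
// client ID in the UAMI_CLIENT_ID setting (hypothetical name) and an ILogger
// supplied by the Functions host's dependency injection.
public sealed class ArmClientFactory
{
    private readonly ILogger _log;
    private readonly ManagedIdentityCredential _credential;

    public ArmClientFactory(ILogger<ArmClientFactory> log)
    {
        _log = log;
        string clientId = Environment.GetEnvironmentVariable("UAMI_CLIENT_ID")
            ?? throw new InvalidOperationException("UAMI_CLIENT_ID is not set");
        // Target the user-assigned identity explicitly rather than leaving the
        // choice to the host.
        _credential = new ManagedIdentityCredential(clientId);
    }

    // Acquire a token once, before any ARM call. A CredentialUnavailableException
    // thrown here carries the local endpoint's own error text, which is the
    // information the host team needs to investigate the 16% failures.
    public async Task<ArmClient> CreateAsync(CancellationToken ct)
    {
        var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });
        try
        {
            AccessToken token = await _credential.GetTokenAsync(context, ct);
            _log.LogInformation("Managed identity token acquired; expires {ExpiresOn}", token.ExpiresOn);
        }
        catch (CredentialUnavailableException ex)
        {
            // Do not swallow the exception: the invocation must still fail so the
            // failure rate stays visible, but record the message and inner exception
            // per invocation so the endpoint error can be correlated with host logs.
            _log.LogError(ex, "Managed identity endpoint unavailable: {Message}", ex.Message);
            throw;
        }
        return new ArmClient(_credential);
    }
}
```

Because the triage above places the fault in the host's local managed-identity endpoint rather than in the credential, the value of this probe is diagnostic: it separates "the endpoint could not be reached" from a later, less specific ARM request failure, and the logged message is what to attach when the issue is raised with the Functions team.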