Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[Identity] App Service Managed Identity is not working in Identity version `1.8.1` #34255

Open vhvb1989 opened 1 year ago

vhvb1989 commented 1 year ago

When using identity version 1.8.1 (https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md#181-2023-03-06), my application running on App Services can't use the DefaultAzureCredential to authenticate with Managed Identity.

Error:

2023-03-29T19:08:56.024453161Z   Suppressed: com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/environmentcredential/troubleshoot
2023-03-29T19:08:56.024460961Z Managed Identity authentication is not available.
2023-03-29T19:08:56.024464861Z SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
2023-03-29T19:08:56.024484361Z IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE.
2023-03-29T19:08:56.024487961Z AzureCliCredential authentication unavailable. Azure CLI not installed.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/azclicredential/troubleshoot
2023-03-29T19:08:56.024508261Z Unable to execute PowerShell. Please make sure that it is installed in your systemTo mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot
2023-03-29T19:08:56.024511961Z      ... 80 common frames omitted

Note the line: Managed Identity authentication is not available.

Switching back to version 1.8.0 (and below) (https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md#180-2023-02-03) fixes the issue and the app works as expected.

My app is using Spring Cloud Azure auto-configuration to pull secrets from Key Vault as application settings with:

# Import KeyVault secrets as properties
spring.cloud.azure.keyvault.secret.property-sources[0].enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=${AZURE_KEY_VAULT_ENDPOINT}

My POM:

<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.4</version>
    <relativePath/>
    <!-- lookup parent from repository -->
  </parent>
  <groupId>com.microsoft.azure.simpletodo</groupId>
  <artifactId>simple-todo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>SimpleTodo</name>
  <description>Simple Todo application</description>
  <properties>
    <java.version>17</java.version>
    <maven.compiler.source>${java.version}</maven.compiler.source>
    <maven.compiler.target>${java.version}</maven.compiler.target>
    <springdoc.version>1.6.11</springdoc.version>
    <!-- By default, set to write which formats the code.
        This sample does not include format check failures on CI.
        To see how to enable this, visit https://github.com/HubSpot/prettier-maven-plugin
      -->
    <plugin.prettier.goal>write</plugin.prettier.goal>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-commons</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-mongodb</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-devtools</artifactId>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <!--SpringDoc dependencies -->
    <dependency>
      <groupId>org.springdoc</groupId>
      <artifactId>springdoc-openapi-ui</artifactId>
      <version>${springdoc.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.datatype</groupId>
      <artifactId>jackson-datatype-jsr310</artifactId>
    </dependency>
    <dependency>
      <groupId>org.openapitools</groupId>
      <artifactId>jackson-databind-nullable</artifactId>
      <version>0.2.3</version>
    </dependency>
    <!-- Bean Validation API support -->
    <dependency>
      <groupId>jakarta.validation</groupId>
      <artifactId>jakarta.validation-api</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <!-- Azure dependencies -->
    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-identity</artifactId>
      <version>1.8.1</version>
    </dependency>
    <dependency>
      <groupId>com.azure.spring</groupId>
      <artifactId>spring-cloud-azure-starter-keyvault-secrets</artifactId>
      <version>4.3.0</version>
    </dependency>
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>applicationinsights-runtime-attach</artifactId>
      <version>3.3.1</version>
    </dependency>
  </dependencies>
  <build>
    <sourceDirectory>src/main/java</sourceDirectory>
    <resources>
      <resource>
        <directory>src/main/resources</directory>
        <filtering>true</filtering>
      </resource>
    </resources>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <configuration>
          <image>
            <name>azure/azure-dev-todo-java</name>
          </image>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>com.hubspot.maven.plugins</groupId>
        <artifactId>prettier-maven-plugin</artifactId>
        <version>0.16</version>
        <configuration>
          <prettierJavaVersion>1.5.0</prettierJavaVersion>
          <printWidth>125</printWidth>
          <tabWidth>4</tabWidth>
          <useTabs>false</useTabs>
          <ignoreConfigFile>true</ignoreConfigFile>
          <ignoreEditorConfig>true</ignoreEditorConfig>
        </configuration>
        <executions>
          <execution>
            <phase>validate</phase>
            <goals>
              <goal>${plugin.prettier.goal}</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <profiles>
    <profile>
      <!-- Profile for generating API from OpenAPI spec. -->
      <id>openapigen</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.openapitools</groupId>
            <artifactId>openapi-generator-maven-plugin</artifactId>
            <version>6.0.1</version>
            <executions>
              <execution>
                <goals>
                  <goal>generate</goal>
                </goals>
                <configuration>
                  <inputSpec>${project.basedir}/../common/openapi.yaml</inputSpec>
                  <generatorName>spring</generatorName>
                  <output>${project.basedir}</output>
                  <apiPackage>com.microsoft.azure.simpletodo.api</apiPackage>
                  <modelPackage>com.microsoft.azure.simpletodo.model</modelPackage>
                  <supportingFilesToGenerate>ApiUtil.java</supportingFilesToGenerate>
                  <configOptions>
                    <sourceFolder>src/main/java/</sourceFolder>
                    <delegatePattern>false</delegatePattern>
                    <interfaceOnly>true</interfaceOnly>
                    <hideGenerationTimestamp>true</hideGenerationTimestamp>
                    <useTags>true</useTags>
                  </configOptions>
                </configuration>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>com.hubspot.maven.plugins</groupId>
            <artifactId>prettier-maven-plugin</artifactId>
            <executions>
              <execution>
                <phase>compile</phase>
                <goals>
                  <goal>${plugin.prettier.goal}</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>

Source code: https://github.com/Azure-Samples/todo-java-mongo/tree/staging/src/api

g2vinay commented 1 year ago

We are working to resolve this issue and will have a fix for it in next week's Identity release

drewpayment commented 1 year ago

Any update on this?

mitchross commented 1 year ago

Having issues with this also!

vhvb1989 commented 1 year ago

@drewpayment @mitchross, have you tried identity version 1.8.2? It was just released (4/10). It should include the fix for managed identity.

@g2vinay I would like to keep this open until this patch goes to version 1.9.0 as that's the one azd is waiting for :)

mitchross commented 1 year ago

@drewpayment @mitchross, have you tried identity version 1.8.2? It was just released (4/10). It should include the fix for managed identity.

@g2vinay I would like to keep this open until this patch goes to version 1.9.0 as that's the one azd is waiting for :)

1.8.2 works. I would strongly suggest unpublishing 1.8.1. This caused over a week of headaches for me.

g2vinay commented 1 year ago

The issue is resolved in v1.8.2 of azure-identity.

mitchross commented 1 year ago

The BOM still references 1.8.1. Please get a ticket over to the team to update BOM also.

https://central.sonatype.com/artifact/com.azure/azure-sdk-bom/1.2.11


makokui commented 1 year ago

This issue still seems to be open, when will the BOM update?

johnathanlaw commented 1 year ago

Latest BOM has the 1.8.2 version 😄 - https://central.sonatype.com/artifact/com.azure/azure-sdk-bom/1.2.12

jklaus commented 10 months ago

@g2vinay I am running version 1.10.0 of Azure.Identity in a .Net 6 API and I am seeing what seems to be the exact same behavior.

f6re97v commented 10 months ago

I am also using 1.10, connecting via yml configuration. It works for a service principal, but I get the following error:

com.azure.identity.implementation.IdentityClient.lambda$authenticateWithManagedIdentityConfidentialClient$21(IdentityClient.java:526) Microsoft.AppPlatform/Spring/logs
Caused by: com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.

azure:
 keyvault:
  enabled: true
  endpoint: https://test.vault.azure.net/
  secret:
    property-sources[0]:
      endpoint: "https://test.vault.azure.net/"
      profile:
        tenant-id: xxxxx
      credential:
        managed-identity-enabled: true
        client-id: xxxxx

pm-nuance commented 1 year ago

Is there any update for including the fix in 1.10 version???

infobrixGit commented 1 month ago

I am using

<dependency>
  <groupId>com.azure.spring</groupId>
  <artifactId>spring-cloud-azure-dependencies</artifactId>
  <version>5.12.0</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>

build error

Caused by: com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.
    at com.azure.identity.implementation.IdentityClient.lambda$authenticateWithManagedIdentityConfidentialClient$25(IdentityClient.java:563)
    at reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3854)

Is this a known problem?

tec01 commented 1 day ago

The same is happening to me with azure-identity version 1.12.0. Environment variables are defined (MSI_ENDPOINT, MSI_SECRET, AZURE_CLIENT_ID, AZURE_TENANT_ID). The troubleshooting curl command present here returns 'Couldn't connect to server'. However, running a curl targeting the localhost one, curl -v -i "%MSI_ENDPOINT%?resource=https://myStorage.blob.core.windows.net&api-version=2019-08-01" -H "X-IDENTITY-HEADER: %IDENTITY_HEADER%", does return a token. One of the things I did not try is to regenerate the 'system assigned identity', but this could be risky as it could break other things.
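An added diagnostic, not code from this thread or from the SDK, that reproduces the manual token request tec01 describes as a POSIX sh script: it picks whichever App Service variable pair is present, pairs it with the matching api-version and header, and redacts the token from the response so the output can be shared. The endpoint URL, header secret and client id in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. App Service exposes the managed identity
# token endpoint through IDENTITY_ENDPOINT/IDENTITY_HEADER (api-version 2019-08-01,
# header X-IDENTITY-HEADER) and, on older stacks, MSI_ENDPOINT/MSI_SECRET
# (api-version 2017-09-01, header "secret"). If neither pair is set, the SDK's
# "Managed Identity authentication is not available" is expected; if a pair is set
# and the request below still fails, look at the endpoint or the library version.

# Echo which variable pair is present; return 1 if none is.
msi_flavour() {
    if [ -n "$IDENTITY_ENDPOINT" ] && [ -n "$IDENTITY_HEADER" ]; then echo 2019
    elif [ -n "$MSI_ENDPOINT" ] && [ -n "$MSI_SECRET" ]; then echo 2017
    else return 1
    fi
}

# Build the token URL. $1 = resource (e.g. https://vault.azure.net),
# $2 = optional client id, only for a user-assigned identity.
msi_url() {
    case "$(msi_flavour)" in
        2019) url="$IDENTITY_ENDPOINT?resource=$1&api-version=2019-08-01" ;;
        2017) url="$MSI_ENDPOINT?resource=$1&api-version=2017-09-01" ;;
        *) return 1 ;;
    esac
    if [ -n "$2" ]; then url="$url&client_id=$2"; fi
    printf '%s\n' "$url"
}

# Build the authentication header line that matches the chosen flavour.
msi_header() {
    case "$(msi_flavour)" in
        2019) printf 'X-IDENTITY-HEADER: %s\n' "$IDENTITY_HEADER" ;;
        2017) printf 'secret: %s\n' "$MSI_SECRET" ;;
        *) return 1 ;;
    esac
}

# Call the endpoint; print the body with the token redacted plus the HTTP status,
# so the output is safe to paste into a support ticket or a log.
msi_probe() {
    url=$(msi_url "$1" "$2") || { echo "no managed identity variables set" >&2; return 1; }
    curl -sS --max-time 5 -H "$(msi_header)" -w '\nhttp_status=%{http_code}\n' "$url" |
        sed 's/"access_token":"[^"]*"/"access_token":"<redacted>"/'
}

# Usage on an App Service instance (for example from the SSH console):
#   msi_probe https://vault.azure.net                      # system-assigned identity
#   msi_probe https://vault.azure.net "$AZURE_CLIENT_ID"   # user-assigned identity
```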