Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License

Network error when authenticating using `DefaultAzureCredential` #30991

Open npitsillos opened 2 months ago

npitsillos commented 2 months ago

**Describe the bug**
I get an error stating that @azure/identity fails to acquire a token with a network error.

**To Reproduce**
Steps to reproduce the behavior:

  1. I have set up the Service Connector following the tutorial here and then added the following code to my application

```javascript
import { DefaultAzureCredential } from "@azure/identity";

export const defaultAzureCredential = new DefaultAzureCredential();
```

I have also tried it with this

```javascript
import { WorkloadIdentityCredential } from "@azure/identity";

// The three values are the ones Service Connector / the AKS workload identity
// webhook injects into the pod environment (assumed here to be read from process.env).
const { AZURE_TENANT_ID, AZURE_STORAGEBLOB_CLIENTID, AZURE_FEDERATED_TOKEN_FILE } = process.env;

export const defaultAzureCredential = new WorkloadIdentityCredential({
    tenantId: AZURE_TENANT_ID,
    clientId: AZURE_STORAGEBLOB_CLIENTID,
    tokenFilePath: AZURE_FEDERATED_TOKEN_FILE
});
```

**Expected behavior**
Token is correctly retrieved and can read the contents of the storage account.

**Screenshots**

```
Listening on http://0.0.0.0:3000
azure:identity:info EnvironmentCredential => Found the following environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
azure:identity:info EnvironmentCredential => Invoking ClientSecretCredential with tenant ID: 9d8529d6-2b1d-4d52-97c7-5e12ea4302aa, clientId: 179b8a45-5620-495d-91c9-9b080fa24acb and clientSecret: [REDACTED]
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info WorkloadIdentityCredential => Found the following environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE
azure:identity:info WorkloadIdentityCredential => Invoking ClientAssertionCredential with tenant ID: 9d8529d6-2b1d-4d52-97c7-5e12ea4302aa, clientId: 179b8a45-5620-495d-91c9-9b080fa24acb and federated token path: [REDACTED]
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:storage-blob:info RetryPolicy: =====> Try=1 Primary
azure:identity:info ClientSecretCredential => getToken() => Attempting to acquire token using client secret
azure:identity:info ClientSecretCredential => getToken() => Creating new ConfidentialClientApplication with CAE disabled.
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Info - acquireTokenByClientCredential called
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - initializeRequestScopes called
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : [f2a1d2a5-5694-4be4-88da-c19899fd5d47] : @azure/msal-node@2.12.0 : Verbose - buildOauthClientConfiguration called
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : [f2a1d2a5-5694-4be4-88da-c19899fd5d47] : @azure/msal-node@2.12.0 : Verbose - createAuthority called
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Replacing tenant domain name 9d8529d6-2b1d-4d52-97c7-5e12ea4302aa with id {tenantid}
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Wed, 04 Sep 2024 10:12:05 GMT] : [f2a1d2a5-5694-4be4-88da-c19899fd5d47] : @azure/msal-node@2.12.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/9d8529d6-2b1d-4d52-97c7-5e12ea4302aa/oauth2/v2.0/token.
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : [f2a1d2a5-5694-4be4-88da-c19899fd5d47] : @azure/msal-node@2.12.0 : Verbose - Client credential client created
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Replacing tenant domain name 9d8529d6-2b1d-4d52-97c7-5e12ea4302aa with id {tenantid}
azure:identity:info ClientSecretCredential => MSAL Node V2 verbose message: [Wed, 04 Sep 2024 10:12:05 GMT] : ] : @azure/msal-node@2.12.0 : Verbose - Replacing tenant domain name 9d8529d6-2b1d-4d52-97c7-5e12ea4302aa with id {tenantid}
azure:identity:info ClientSecretCredential => MSAL Node V2 info message: [Wed, 04 Sep 2024 10:12:05 GMT] : [f2a1d2a5-5694-4be4-88da-c19899fd5d47] : @azure/msal-common@14.14.0 : Info - Sending token request to endpoint: https://login.microsoftonline.com/9d8529d6-2b1d-4d52-97c7-5e12ea4302aa/oauth2/v2.0/token
azure:identity:info IdentityUtils => ERROR. Scopes: https://storage.azure.com/.default. Error message: Failed to acquire token: network_error: Network request failed.
azure:identity:info EnvironmentCredential => getToken() => ERROR. Scopes: https://storage.azure.com/.default. Error message: EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot. Status code: 400
More details:
network_error: Network request failed.
azure:identity:info ChainedTokenCredential => getToken() => ERROR. Scopes: https://storage.azure.com/.default. Error message: EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot. Status code: 400
More details:
network_error: Network request failed.
azure:storage-blob:error RetryPolicy: Caught error, message: EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot. Status code: 400
More details:
network_error: Network request failed
```

**Additional context**
I am not sure if this might be an issue with the network when accessing the storage account, since Service Connector already addresses that by creating the necessary firewall rules.

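Two details in the log above decide where to look, and neither is the storage account firewall: `DefaultAzureCredential` found `AZURE_CLIENT_SECRET` in the pod environment and therefore tried `EnvironmentCredential` (client secret) before `WorkloadIdentityCredential`; that attempt failed with `network_error` while sending the request to `login.microsoftonline.com`, and `ChainedTokenCredential` surfaced that failure without falling through to the workload identity credential. The script below is an added diagnostic, not code from this issue or from `@azure/identity`: it reproduces the environment-variable selection rule the SDK logs, classifies a failure from log text like the lines above, and decodes (without verifying) a federated token to check its audience and expiry. The sample environment, sample log lines and sample token are constructed, and the expected audience `api://AzureADTokenExchange` is an assumption about what AKS workload identity projects into the token file.

```javascript
// Added diagnostic for the DefaultAzureCredential chain shown in the issue.
// Plain Node.js (Buffer and process are globals); no @azure/identity dependency.

// Variables each credential looks for. Order matters: DefaultAzureCredential
// tries EnvironmentCredential before WorkloadIdentityCredential, as the log shows.
const ENVIRONMENT_CREDENTIAL_VARS = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"];
const WORKLOAD_IDENTITY_VARS = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"];

function hasAll(env, names) {
  return names.every((name) => typeof env[name] === "string" && env[name].length > 0);
}

// Which credentials the chain would attempt, in order, plus review findings.
function planCredentialChain(env) {
  const chain = [];
  const findings = [];
  if (hasAll(env, ENVIRONMENT_CREDENTIAL_VARS)) chain.push("EnvironmentCredential");
  if (hasAll(env, WORKLOAD_IDENTITY_VARS)) chain.push("WorkloadIdentityCredential");
  if (chain.length === 2) {
    findings.push(
      "AZURE_CLIENT_SECRET is set next to AZURE_FEDERATED_TOKEN_FILE: EnvironmentCredential " +
        "runs first and a network_error there stops the chain before WorkloadIdentityCredential " +
        "is tried; remove the client secret from the pod when using workload identity."
    );
  }
  if (chain.length === 0) findings.push("no credential can be built from this environment");
  return { chain, findings };
}

// Pull the token endpoint and error code out of @azure/identity log output.
function classifyIdentityFailure(logText) {
  const endpoint = /Sending token request to endpoint: (\S+)/.exec(logText);
  const error = /Failed to acquire token: (\w+):/.exec(logText);
  const code = error ? error[1] : null;
  // network_error occurs while talking to the Entra token endpoint, before any
  // request reaches the storage account, so pod egress to login.microsoftonline.com
  // (NetworkPolicy, egress firewall, proxy) is the control to check.
  const stage = code === "network_error" ? "token-endpoint-egress" : code ? "token-endpoint-response" : "unknown";
  return { endpoint: endpoint ? endpoint[1] : null, errorCode: code, stage };
}

// Assumed audience of the token AKS projects into AZURE_FEDERATED_TOKEN_FILE.
const EXPECTED_AUDIENCE = "api://AzureADTokenExchange";

// Decode the JWT payload (no signature check) and report the claims that
// WorkloadIdentityCredential will present to Entra as a client assertion.
function inspectFederatedToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.trim().split(".");
  if (parts.length !== 3) throw new Error("federated token is not a compact JWT");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return {
    issuer: claims.iss,
    subject: claims.sub,
    audienceOk: [].concat(claims.aud).includes(EXPECTED_AUDIENCE),
    expired: typeof claims.exp !== "number" || claims.exp <= now,
  };
}

// Constructed sample inputs; the signature segment is a placeholder.
function buildUnsignedJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}

const SAMPLE_ENV = {
  AZURE_TENANT_ID: "00000000-0000-0000-0000-000000000000",
  AZURE_CLIENT_ID: "11111111-1111-1111-1111-111111111111",
  AZURE_CLIENT_SECRET: "placeholder-secret",
  AZURE_FEDERATED_TOKEN_FILE: "/var/run/secrets/azure/tokens/azure-identity-token",
};

const SAMPLE_LOG = [
  "azure:identity:info ClientSecretCredential => MSAL Node V2 info message: Info - Sending token request to endpoint: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
  "azure:identity:info IdentityUtils => ERROR. Scopes: https://storage.azure.com/.default. Error message: Failed to acquire token: network_error: Network request failed.",
].join("\n");

const SAMPLE_TOKEN = buildUnsignedJwt({
  iss: "https://example-issuer.invalid/",
  sub: "system:serviceaccount:default:workload-sa",
  aud: EXPECTED_AUDIENCE,
  exp: Math.floor(Date.now() / 1000) + 3600,
});

console.log(planCredentialChain(SAMPLE_ENV));
console.log(classifyIdentityFailure(SAMPLE_LOG));
console.log(inspectFederatedToken(SAMPLE_TOKEN));
```

On a pod, run `planCredentialChain(process.env)` and pass the contents of the file named by `AZURE_FEDERATED_TOKEN_FILE` to `inspectFederatedToken`; an expired token or a wrong audience points at the projected-volume configuration, while `token-endpoint-egress` points at cluster egress rather than at storage account networking.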

github-actions[bot] commented 2 months ago

@KarishmaGhiya @maorleger

github-actions[bot] commented 2 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

npitsillos commented 2 months ago

@KarishmaGhiya was there any update on this?

KarishmaGhiya commented 12 hours ago

@npitsillos Hello, apologies for not getting back sooner. I am curious what error you got when you used WorkloadIdentityCredential directly? Also, are you running the code locally or on Azure Kubernetes?

github-actions[bot] commented 11 hours ago

Hi @npitsillos. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

npitsillos commented 2 hours ago

Hello @KarishmaGhiya, I am no longer working on this, since I used a connection string for the storage account, but I can at least provide you with some info. I was running the code both locally and on AKS. Locally it had no issues, but on AKS I was getting the error shown in the logs.

I am not sure if the networking was set up incorrectly; could you point me to a more in-depth tutorial on how to achieve this?