yar-shukan
commented
4 years ago @jsquire , @schaabs could you provide any update on this issue please? I think having steps above this should be easy to reproduce. Thanks!
Closed yar-shukan closed 4 years ago
yar-shukan
commented
4 years ago @jsquire , @schaabs could you provide any update on this issue please? I think having steps above this should be easy to reproduce. Thanks!
schaabs
commented
4 years ago @yar-shukan Thanks for filing this issue. In order to use a user assigned identity with the DefaultAzureCredential you must specify the client id of the user assigned identity. You can do this either by passing it in code via DefaultAzureCredentialOptions.ManagedIdentityClientId like so:
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<your client id>" });Alternatively you can also specify the client id to be used via the AZURE_CLIENT_ID environment variable.
Unfortunately, even if there is only one user assigned identity you need to specify it via one of these mechanisms. The ManagedIdentityCredential must pass the client id when making requests to the managed identity endpoint, and I'm not aware of any way to query what identities are available. I'm closing this issue as I don't believe there is anything more the DefaultAzureCredential could do to authenticate without be explicitly provided the client id. If you disagree please feel free to reopen.
yar-shukan
commented
4 years ago @schaabs thank you for the hint with AZURE_CLIENT_ID environment variable: it fixes the issue.
davidallyoung
commented
4 years ago Is the use of AZURE_CLIENT_ID in this way documented officially? The main places I've found it are always in context of EnvironmentVariableCredential along with a tenant and secret, which we're not using. I found it here and it has really helped, but I feel like it should be available in documentation (if it is I just missed it, my bad!). It's a pretty critical piece to successfully deploying with User MSI (which is super awesome, our team is in love).
I'd like to suggest perhaps this gets added somehow to the table located here https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/README.md#credentials . More than happy to open a PR for this should it be helpful.
ChrisFulstow
commented
4 years ago Agree with @davidallyoung it'd be great to highlight this in the documentation. Here is the only reference I found to using AZURE_CLIENT_ID for user-assigned managed identity, I also assumed it'd pick up the client ID from my Azure Function's identity configuration.
NickDarvey
commented
4 years ago I've been using the method described by @schaabs with my user-assigned identity:
Alternatively you can also specify the client id to be used via the AZURE_CLIENT_ID environment variable.
with this in my startup code:
var creds = new DefaultAzureCredential();However, after two-in-every-forty deploys, when the app restarts, I have started getting:
Azure.Identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.and then it won't work again until a few more restarts.
I'm currently digging through the Azure.Identity code and trying a few things, will open a new issue if I find anything useful — just thought I ought to post here as a warning. (Like @ChrisFulstow mentioned, this is the only documentation I found when looking how to set this up.)
Edit: I don't know if this was it, but I upgraded Azure.Identity from 1.1.1 to 1.2.0-preview.6 and it started working again...
Edit: Nope. Still randomly happens after my app restarts. Another restart or two makes it work.
erwinkramer
commented
3 years ago @NickDarvey I've experienced something similar. My issue was the app settings, which swapped slots in my case. I put the AZURE_CLIENT_ID setting only in the production slot as part if my ARM tempalte, but that doesn't guarantee it will stay in that slot when you swap it of course.
DefaultAzureCredential doesn't work in Azure App Service with default single User Assigned Managed Identity
TLDR: Web app is deployed as Azure App Service, targets full .NET Framework 4.7.2 and uses MicrosoftConfigurationBuilders package to get config values/secrets from Azure App Configuration. This package does this in order to connect to Azure App Configuration. This works fine when App Service uses
System Assigned Managed Identitybut fails with 400 BadRequest when singleUser Assigned Managed Identityis used.Expected behavior
DefaultAzureCredentialdetermines that there's noSystem Assignedidentity, but there's singleUser Assignedidentity and uses that one. No exception.Actual behavior (include Exception or Stack Trace)
To Reproduce Please download the .zip from here, open in VS 2019 .sln (you can use this as part of repro steps)that can be used as repro:
Expected: No issues, configuration is retrieved successfully when using single User Managed Identity
Actual: See exception above.
Environment:
See also: https://github.com/aspnet/MicrosoftConfigurationBuilders/issues/119