Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

ManagedIdentityCredential giving back default msi in my service fabric app #40765

Closed razhan88 closed 8 months ago

razhan88 commented 8 months ago

Library name and version

Azure.Identity Version="1.10.4"

Query/Question

I have a service fabric app with an existing user assigned managed identity, and I have added one more. I was able to create those two msi via arm templates without any issues. Now in my code, I am using ManagedIdentityCredential(clientId, options: null) and passing the correct clientId for the new msi but I am getting back the default msi. It looks like it is ignoring clientId altogether.

ApplicationManifest.xml - I added this to all the service packages that require it.

<Policies>
      <IdentityBindingPolicy ServiceIdentityRef="AssignedIdentity1" ApplicationIdentityRef="[ManagedIdentityName1]" />
      <IdentityBindingPolicy ServiceIdentityRef="AssignedIdentity2" ApplicationIdentityRef="[ManagedIdentityName2]" />
</Policies>

In the ApplicationManifest.xml, I also have the Principals section

  <Principals>
    <ManagedIdentities>
      <ManagedIdentity Name="[ManagedIdentityName1]" />
      <ManagedIdentity Name="[ManagedIdentityName2]" />
    </ManagedIdentities>
  </Principals>

ServiceManifest.xml for each package

    <ManagedIdentities DefaultIdentity="AssignedIdentity1">
      <ManagedIdentity Name="AssignedIdentity1" />
      <ManagedIdentity Name="AssignedIdentity2" />
    </ManagedIdentities>

It looks like AssignedIdentity1 is always returned by the ManagedIdentityCredential. Any ideas what I might be missing?

Environment

.NET SDK: Version: 7.0.404

jsquire commented 8 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

christothes commented 8 months ago

Hi @razhan88 - How is your code getting the configuration for which clientId to pass to the ManagedIdentityCredential? Is it possible that it always gets clientId 1?

We could also look at enabling logging to validate which clientId is being sent to the managed identity endpoint.

Details on how to enable logging can be found here.

github-actions[bot] commented 8 months ago

Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

razhan88 commented 8 months ago

Hi @christothes, I have a Kusto log that logs the client id right before creating the ManagedIdentityCredential, and the client id matches the second one.

christothes commented 8 months ago

Thanks - Let's see what the Azure.Identity logging shows.

github-actions[bot] commented 8 months ago

Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

razhan88 commented 8 months ago

Btw, do we have to set the user-assigned managed identity in the VMSS? I was running down a list of things that might be defaulting back to the default MSI.

Configure template to use managed identities on virtual machine scale sets - Microsoft Entra ID | Microsoft Learn

razhan88 commented 8 months ago

Update: after adding the user-assigned managed identities in the VMSS on top of ApplicationManifest.xml and ServiceManifest.xml as per Deploy app with a user-assigned managed identity - Azure Service Fabric | Microsoft Learn, we are still getting the default managed identity. We confirmed with our own logging that the client id is the correct one right before sending it off to the Azure.Identity SDK.

@christothes hope this information is adequate to figure out what might be wrong or what I might need to check going forward.

christothes commented 8 months ago

Looking at the Service Fabric REST API docs, their managed identity endpoint doesn't accept a clientId value.

I believe the managed identity is configured at the resource level for Service Fabric, and the environment variables created by the node determine how to map to that identity.

So, in summary, the resource must be configured for which managed identity will be utilized, and this is not configurable at runtime by the credential.
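An added diagnostic (example code, not from the issue or the Azure SDK) that makes the behaviour described above observable from inside the service: it checks for the Service Fabric token-service environment variables that ManagedIdentityCredential keys on, requests a token with the requested clientId, and decodes the token payload to report which identity actually issued it, so a mismatch against the DefaultIdentity binding in ServiceManifest.xml shows up immediately. The variable names, the claim names (appid/azp) and the scope are assumptions; the payload decode skips signature validation and is a diagnostic only, never an authorization check.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Example code, not part of the issue or the SDK. Assumes Azure.Identity is
// referenced and the process runs as a Service Fabric service package.
public static class IdentityCheck
{
    // Assumed: Service Fabric's managed identity token service exposes these
    // variables to the service process, and ManagedIdentityCredential uses
    // them to detect the Service Fabric environment.
    static bool IsServiceFabric() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")) &&
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_SERVER_THUMBPRINT"));

    // Base64url-decodes the JWT payload. No signature validation: this is a
    // local diagnostic, never an authorization decision.
    static JsonDocument DecodePayload(string jwt)
    {
        string part = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        part = part.PadRight(part.Length + (4 - part.Length % 4) % 4, '=');
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(part)));
    }

    // Requests a token for expectedClientId (e.g. scope
    // "https://management.azure.com/.default") and returns the application id
    // claim observed in the issued token, logging whether it matches.
    public static async Task<string?> VerifyIdentityAsync(string expectedClientId, string scope)
    {
        if (IsServiceFabric())
            Console.WriteLine("Service Fabric detected: the clientId passed to ManagedIdentityCredential " +
                              "is not honoured here; the service's manifest binding selects the identity.");

        var credential = new ManagedIdentityCredential(expectedClientId);
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }));

        using JsonDocument payload = DecodePayload(token.Token);
        // Assumed: the identity's application (client) id appears as "appid"
        // in v1 tokens or "azp" in v2 tokens.
        string? actual = payload.RootElement.TryGetProperty("appid", out var appid) ? appid.GetString()
                       : payload.RootElement.TryGetProperty("azp", out var azp) ? azp.GetString() : null;

        Console.WriteLine(string.Equals(actual, expectedClientId, StringComparison.OrdinalIgnoreCase)
            ? $"OK: token issued for {actual}"
            : $"MISMATCH: asked for {expectedClientId}, token issued for {actual}");
        return actual;
    }
}
```

Running this from each service package that needs the second identity shows whether the token came from AssignedIdentity1 or AssignedIdentity2 regardless of what clientId the code passed, which is the fact the manifest binding has to be fixed against.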

github-actions[bot] commented 8 months ago

Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

github-actions[bot] commented 8 months ago

Hi @razhan88, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.