Closed razhan88 closed 8 months ago
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @razhan88 -
How is your code getting the configuration for which clientId to pass to the ManagedIdentityCredential? Is it possible that it always gets clientId 1?
We could also look at enabling logging to validate which clientId is being sent to the managed identity endpoint.
Details on how to enable logging can be found here.
Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @christothes, I have a Kusto log that logs the client id right before creating the ManagedIdentityCredential, and the client id matches the second one.
Thanks - Let's see what the Azure.Identity logging shows.
Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Btw, do we have to set the user-assigned managed identity in the VMSS? I was running down a list of things that might be defaulting back to the default MSI.
Update: after adding the user-assigned managed identities in the VMSS on top of ApplicationManifest.xml and ServiceManifest.xml as per "Deploy app with a user-assigned managed identity - Azure Service Fabric | Microsoft Learn", we are still getting the default managed identity. We confirmed with our own logging that the client id is the correct one right before sending it off to the Azure.Identity SDK.
@christothes hope this information is adequate to figure out what might be wrong or what I might need to check going forward.
Looking at the Service Fabric REST API docs, their managed identity endpoint doesn't accept a clientId value.
I believe the managed identity is configured at the resource level for Service Fabric, and the environment variables created by the node determine how to map to that identity.
So, in summary, the resource must be configured for which managed identity will be utilized, and this is not configurable at runtime by the credential.
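A diagnostic sketch for the check discussed above, added here as an example and not code from this thread or from the Azure SDK team: it turns on Azure SDK console logging, notes whether the Service Fabric identity environment variables are present, and compares the client id in the returned token with the one requested. The class and method names are hypothetical, the scope is supplied by the caller, and reading `appid`/`azp` from the token payload is an assumption about the token format used for troubleshooting only.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

public static class ManagedIdentityCheck // hypothetical helper, not part of Azure.Identity
{
    // Decode the JWT payload WITHOUT verifying the signature: troubleshooting only.
    public static JsonElement ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("Token is not a JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // True when the identity in the token is the one that was asked for.
    public static async Task<bool> TokenMatchesAsync(string expectedClientId, string scope)
    {
        // Verbose events show which managed identity source was chosen and the request it sent.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        // Service Fabric injects these variables into the service process; when all three
        // are set, the identity is resolved by the node and not by the clientId argument.
        bool onServiceFabric =
            Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null &&
            Environment.GetEnvironmentVariable("IDENTITY_HEADER") != null &&
            Environment.GetEnvironmentVariable("IDENTITY_SERVER_THUMBPRINT") != null;
        Console.WriteLine($"Service Fabric identity endpoint detected: {onServiceFabric}");

        var credential = new ManagedIdentityCredential(expectedClientId);
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }));

        // v1 tokens carry the client id in "appid", v2 tokens in "azp" (assumed claim names).
        JsonElement claims = ReadClaims(token.Token);
        string actual = claims.TryGetProperty("appid", out JsonElement v1) ? v1.GetString()
                      : claims.TryGetProperty("azp", out JsonElement v2) ? v2.GetString()
                      : null;
        Console.WriteLine($"Requested client id: {expectedClientId}, token client id: {actual}");
        return string.Equals(actual, expectedClientId, StringComparison.OrdinalIgnoreCase);
    }
}
```

A `false` result while the Service Fabric variables are detected matches the behaviour described above: the identity has to be changed in the application and service manifests, not in the credential constructor.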
Hi @razhan88. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Hi @razhan88, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.
Library name and version
Azure.Identity Version="1.10.4"
Query/Question
I have a service fabric app with an existing user assigned managed identity, and I have added one more. I was able to create those two msi via arm templates without any issues. Now in my code, I am using ManagedIdentityCredential(clientId, options: null) and passing the correct clientId for the new msi but I am getting back the default msi. It looks like it is ignoring clientId altogether.
ApplicationManifest.xml - I added this to all the service packages that require it.
In the ApplicationManifest.xml, I also have the Principals section
ServiceManifest.xml for each package
It looks like AssignedIdentity1 is always returned by the ManagedIdentityCredential. Any ideas what I might be missing?
Environment
.NET SDK: Version: 7.0.404