MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Cannot log in with System Assigned Managed Identity #120133

Closed OlaDecisive closed 8 months ago

OlaDecisive commented 8 months ago

When trying to authenticate with a system assigned managed identity, I get this error message: connection failed: FATAL: Service Principals cannot generate AAD_AUTH_TOKENTYPE_APP_USER tokens for role[<role name>]

The system assigned managed identity is set up on a webapp resource, and in my PostgreSQL flexible server resource I have added the identity to the Microsoft Entra Admins section on the Authentication page.

I run export PGPASSWORD=`curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net&client_id=<SystemAssignedManagedIdentityId>' -H Metadata:true | jq -r .access_token`

to get the access token, and then

psql -h <database name>.postgres.database.azure.com --user <webapp name>

to try to log in, but I get the connection failed: FATAL: Service Principals cannot generate AAD_AUTH_TOKENTYPE_APP_USER tokens for role[<role name>] error message.

I have tried adding a regular admin user to the Microsoft Entra Admins on the PostgreSQL Authentication page; when using the ID of that user, the above method of logging in works fine.

When logged in, I have verified with select * from pgaadauth_list_principals(true); that the system assigned managed identity is added to the PostgreSQL server.



AjayBathini-MSFT commented 8 months ago

@OlaDecisive Thanks for your feedback! We will investigate and update as appropriate.

RamanathanChinnappan-MSFT commented 8 months ago

@OlaDecisive Since this issue isn't directly related to improving our docs, and to gain a better understanding of your issue, I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.

[Teams Q&A forum](https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows. [Microsoft Teams Community forum](https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1

OlaDecisive commented 7 months ago

Turns out I generated the access token in the Azure Portal Cloud Shell, in other words in the context of my user logged into Azure Portal, and not in the context of the System Assigned Managed Identity.

This access token, while valid, cannot be used to authenticate Service Principals in Postgres.

When SSH'ing into the VM, I could generate the access token in the context of the System Assigned Managed Identity, and with this I managed to log into the Postgres server.

In the 'Retrieve the access token from the Azure Instance Metadata service' section you might want to clarify which context should be used, i.e. the VM shell and not the Cloud Shell.
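Added example, not part of the issue thread or the Azure docs: a small POSIX shell helper that decodes the payload of the access token before it is handed to psql, so that the mistake described above (a token issued for the signed-in portal user instead of for the managed identity) is caught locally rather than by the server's FATAL error. The classification relies on the assumption that a delegated user token carries a `upn`, `unique_name` or `preferred_username` claim while a managed-identity token carries `appid` (or `azp`) and no user claim; the `mk_token` helper, the sample claims and the GUIDs are constructed for the demonstration, and `imds_token` is only shown in a comment because it needs the IMDS endpoint of the VM.

```shell
#!/bin/sh
# Constructed example: inspect an Entra access token's claims before using it as PGPASSWORD.

# Decode the payload (second segment) of a JWT. Converts base64url to base64 and restores padding.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Classify the token's subject. Assumption: user tokens carry upn/unique_name/preferred_username,
# managed-identity (service principal) tokens carry appid/azp and no user claim.
token_context() {
  payload=$(jwt_payload "$1")
  if printf '%s' "$payload" | grep -Eq '"(upn|unique_name|preferred_username)"'; then
    echo user
  elif printf '%s' "$payload" | grep -Eq '"(appid|azp)"'; then
    echo service-principal
  else
    echo unknown
  fi
}

# Build an unsigned sample JWT from a JSON payload (demonstration only; real tokens are signed).
mk_token() {
  h=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '\n=' | tr '+/' '-_')
  p=$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_')
  printf '%s.%s.%s' "$h" "$p" "sig"
}

# Constructed sample tokens: one shaped like a Cloud Shell user token, one like an IMDS token.
SAMPLE_USER_TOKEN=$(mk_token '{"aud":"https://ossrdbms-aad.database.windows.net","upn":"alice@contoso.example","appid":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","oid":"11111111-1111-1111-1111-111111111111"}')
SAMPLE_MI_TOKEN=$(mk_token '{"aud":"https://ossrdbms-aad.database.windows.net","appid":"22222222-2222-2222-2222-222222222222","oid":"33333333-3333-3333-3333-333333333333"}')

# Fetch a token for the VM's system-assigned managed identity from IMDS. Only works on the VM itself;
# Cloud Shell has no such identity and hands out a token for the portal user instead.
imds_token() {
  curl -s -H 'Metadata:true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net' \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Usage on the VM (not executed here):
#   tok=$(imds_token)
#   [ "$(token_context "$tok")" = service-principal ] || { echo "not a managed-identity token" >&2; exit 1; }
#   PGPASSWORD=$tok psql -h <database name>.postgres.database.azure.com --user <webapp name>
```

The `token_context` check is deliberately a local pre-flight only: it reads claims without verifying the signature, which is fine for deciding which context the token was minted in, but the server remains the authority on whether the token is accepted.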

SeaDude commented 2 months ago

I came across the same thing when using DefaultAzureCredential() while testing locally. DefaultAzureCredential() grabs my cached User Principal credentials from VS Code but I used a Managed Identity user name.

Net effect was:

Changing to: