Describe the bug
We're trying to use vault-agent as a sidecar container with Azure Container Instances with a User-assigned Managed Identity (for authentication/certificate management); however, the vault-agent hits the Azure IMDS endpoint (http://169.254.169.254/metadata/instance), which we understand is meant only for VMs, and hence encounters a 404 during its agent initialization.
To Reproduce
Deploy an Azure Container Instance (multi container) using a YAML Manifest:
==> Note: Vault Agent version does not match Vault server version. Vault Agent version: 1.13.1, Vault server version: 1.13.0
==> Vault Agent started! Log data will stream in below:
==> Vault Agent configuration:
Api Address 1: http://0.0.0.0:8200
Cgo: disabled
Log Level:
Version: Vault v1.13.1, built 2023-03-23T12:51:35Z
Version Sha: 4472e4a3fbcc984b7e3dc48f5a8283f3efe6f282
2023-04-07T20:28:49.086Z [INFO] agent.sink.file: creating file sink
2023-04-07T20:28:49.090Z [INFO] agent.sink.file: file sink configured: path=/tmp/sink_file.txt mode=-rw-r--r--
2023-04-07T20:28:49.101Z [INFO] agent.template.server: starting template server
2023-04-07T20:28:49.103Z [INFO] agent.template.server: no templates found
2023-04-07T20:28:49.104Z [INFO] agent.auth.handler: starting auth handler
2023-04-07T20:28:49.104Z [INFO] agent.auth.handler: authenticating
2023-04-07T20:28:49.107Z [INFO] agent.sink.server: starting sink server
2023-04-07T20:28:49.115Z [ERROR] agent.auth.handler: error getting path or data from method:
error=
| error response in metadata from http://169.254.169.254/metadata/instance: 404 page not found
backoff=1s
2023-04-07T20:28:50.116Z [INFO] agent.auth.handler: authenticating
2023-04-07T20:28:50.118Z [ERROR] agent.auth.handler: error getting path or data from method:
error=
| error response in metadata from http://169.254.169.254/metadata/instance: 404 page not found
backoff=1.87s
2023-04-07T20:28:51.997Z [INFO] agent.auth.handler: authenticating
2023-04-07T20:28:51.999Z [ERROR] agent.auth.handler: error getting path or data from method:
error=
| error response in metadata from http://169.254.169.254/metadata/instance: 404 page not found
backoff=3.23s
As you can see, the vault-agent attempts to hit the http://169.254.169.254/metadata/instance endpoint and gets a 404 back.
We believe this is the problematic code: https://github.com/hashicorp/vault/blob/main/command/agent/auth/azure/azure.go#L112
Expected behavior
vault agent should hit the metadata/identity/oauth2/token endpoint, and perform a successful login.
Environment:
vault status:
vault version:
Vault agent configuration file(s):
Additional context
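The behaviour the report asks for, as an added example (this is not Vault's code and not the fix the issue links to): a small Go IMDS client that requests the managed-identity token from metadata/identity/oauth2/token first, and treats a 404 from /metadata/instance as "instance metadata unavailable on this platform" rather than as a fatal error. The client always sends the Metadata: true header that IMDS requires. The base URL is a parameter so the code can be exercised against a local fake that answers the way the logs above show ACI answering. Whether the Vault server's Azure auth method can complete a login without the VM-only instance metadata fields is not something this page covers, so the `Login` function here only demonstrates the client-side ordering. All names (IMDSClient, Login, ErrInstanceMetadataUnavailable) are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

// DefaultIMDSBase is Azure's link-local Instance Metadata Service address.
const DefaultIMDSBase = "http://169.254.169.254"

// ErrInstanceMetadataUnavailable marks a 404 from /metadata/instance, which is
// what the issue's logs show on Azure Container Instances.
var ErrInstanceMetadataUnavailable = errors.New("imds: /metadata/instance not available on this platform")

// IMDSToken is the subset of the token-endpoint JSON response used here.
type IMDSToken struct {
	AccessToken string `json:"access_token"`
	ClientID    string `json:"client_id"`
	Resource    string `json:"resource"`
	ExpiresOn   string `json:"expires_on"`
}

// IMDSClient talks to IMDS. Base is overridable (hypothetical design choice)
// so the code can run against a local fake instead of the link-local address.
type IMDSClient struct {
	Base string
	HTTP *http.Client
}

func NewIMDSClient(base string) *IMDSClient {
	return &IMDSClient{Base: base, HTTP: &http.Client{Timeout: 5 * time.Second}}
}

// TokenURL builds the managed-identity token URL. clientID selects a
// user-assigned identity; leave it empty for a system-assigned one.
func TokenURL(base, resource, clientID string) string {
	q := url.Values{}
	q.Set("api-version", "2018-02-01")
	q.Set("resource", resource)
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	return base + "/metadata/identity/oauth2/token?" + q.Encode()
}

// get issues an IMDS GET with the mandatory Metadata: true header, which IMDS
// demands so that a plain browser redirect cannot reach it.
func (c *IMDSClient) get(u string) ([]byte, int, error) {
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("Metadata", "true")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return body, resp.StatusCode, err
}

// InstanceMetadata queries /metadata/instance. A 404 is reported as
// ErrInstanceMetadataUnavailable so callers can treat VM-only data as optional.
func (c *IMDSClient) InstanceMetadata() (map[string]any, error) {
	body, status, err := c.get(c.Base + "/metadata/instance?api-version=2021-02-01")
	if err != nil {
		return nil, err
	}
	if status == http.StatusNotFound {
		return nil, ErrInstanceMetadataUnavailable
	}
	if status != http.StatusOK {
		return nil, fmt.Errorf("imds: /metadata/instance returned %d: %s", status, body)
	}
	var out map[string]any
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	return out, nil
}

// Token requests a managed-identity access token for the given resource.
func (c *IMDSClient) Token(resource, clientID string) (*IMDSToken, error) {
	body, status, err := c.get(TokenURL(c.Base, resource, clientID))
	if err != nil {
		return nil, err
	}
	if status != http.StatusOK {
		return nil, fmt.Errorf("imds: token endpoint returned %d: %s", status, body)
	}
	var tok IMDSToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, errors.New("imds: token response had no access_token")
	}
	return &tok, nil
}

// Login fetches the token first (available on VMs and ACI alike) and only then
// asks for instance metadata, which is returned as nil when the platform lacks it.
func Login(c *IMDSClient, resource, clientID string) (*IMDSToken, map[string]any, error) {
	tok, err := c.Token(resource, clientID)
	if err != nil {
		return nil, nil, err
	}
	meta, err := c.InstanceMetadata()
	if errors.Is(err, ErrInstanceMetadataUnavailable) {
		return tok, nil, nil
	}
	if err != nil {
		return nil, nil, err
	}
	return tok, meta, nil
}

func main() {
	c := NewIMDSClient(DefaultIMDSBase)
	tok, meta, err := Login(c, "https://management.azure.com/", "")
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Printf("token for %s (client_id=%s); instance metadata present: %v\n",
		tok.Resource, tok.ClientID, meta != nil)
}
```

Run on a VM, `Login` returns both the token and the instance document; on a platform like ACI that answers /metadata/instance with 404, it returns the token and a nil metadata map instead of looping on the error the logs above show.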