microsoft / DockerTools

Tools For Docker, including Visual Studio Provisioning and Publishing

Cannot authenticate using DefaultAzureCredential when running in container #345

Closed jongeorge1 closed 1 year ago

jongeorge1 commented 2 years ago

See corresponding issue here: https://github.com/Azure/azure-sdk-for-net/issues/19167

When developing an app that is intended to use a managed identity when hosted in Azure, it's common practice to use the Azure.Identity DefaultAzureCredential class for authentication (https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet). This attempts to use a variety of credential types in order. In local development (assuming you haven't provided credentials via environment variables) it will fall back to using the credentials you're signed into VS/VSCode with, then to the Azure CLI, PowerShell, etc. When running in the cloud it will use the configured Managed Identity for the service.

However, when running in a container the DefaultAzureCredential isn't able to use any of those authentication mechanisms except for the EnvironmentCredential. It was possible for a while to install the Azure CLI tools inside the container, then mount ~/.azure:/root/.azure to share the Azure CLI token between the host and the container, but this no longer works (see the later replies in the link at the start of this issue).

This only leaves the environment variable option for authentication, meaning that it's necessary to set up a service principal and pass in the app Id and secret as environment variables when the container starts up. This is clearly not ideal, as it adds significant overhead to manage those applications and secrets for a dev team.

The ideal behaviour would be for the app to behave in the container as it does when running directly on the host, i.e. using credentials from VS/VSCode.
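The following is an added example, not code from the DockerTools repository or from any commenter on this issue. It shows the point the report makes about the credential chain: inside a container only EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential and (with the Visual Studio support discussed later in the thread) VisualStudioCredential can succeed, so it trims DefaultAzureCredential to those, checks for the tokenprovider.json file that the thread's error messages name, and turns on Azure.Identity's own diagnostic logging so a failure reports which link of the chain gave up and why. It assumes Azure.Identity 1.10.0 or newer (for the ExcludeWorkloadIdentityCredential and ExcludeAzureDeveloperCliCredential options) and the DOTNET_RUNNING_IN_CONTAINER environment variable that the official mcr.microsoft.com/dotnet images set; the class and method names are the example's own.

```csharp
// Added example, not code from the DockerTools repository or from this issue's commenters.
// Assumes Azure.Identity >= 1.10.0 and DOTNET_RUNNING_IN_CONTAINER=true (set by the
// official mcr.microsoft.com/dotnet images). Build: dotnet add package Azure.Identity
using System;
using System.Diagnostics.Tracing;
using System.IO;
using System.Threading;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

public static class ContainerCredentialProbe
{
    // File the VisualStudioCredential reads inside the container, as quoted in this
    // thread's errors: ~/.IdentityService/AzureServiceAuth/tokenprovider.json
    public static string VisualStudioTokenProviderPath() =>
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile),
                     ".IdentityService", "AzureServiceAuth", "tokenprovider.json");

    public static bool RunningInContainer() =>
        string.Equals(Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER"),
                      "true", StringComparison.OrdinalIgnoreCase);

    // Restrict the chain to credentials that can actually succeed where the process runs,
    // so a failure surfaces quickly instead of after every host-only probe has timed out.
    public static DefaultAzureCredentialOptions BuildOptions(bool inContainer, bool vsTokenProviderPresent)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // A service process must never try to open a browser, container or not.
            ExcludeInteractiveBrowserCredential = true,
        };

        if (inContainer)
        {
            // Developer tooling that lives on the host, not in the image.
            options.ExcludeAzureCliCredential = true;
            options.ExcludeAzurePowerShellCredential = true;
            options.ExcludeAzureDeveloperCliCredential = true;
            options.ExcludeVisualStudioCodeCredential = true;
            options.ExcludeSharedTokenCacheCredential = true;
            // Keep VisualStudioCredential only when VS has mounted its token provider file.
            options.ExcludeVisualStudioCredential = !vsTokenProviderPresent;
            // EnvironmentCredential, WorkloadIdentityCredential and ManagedIdentityCredential stay enabled.
        }
        return options;
    }

    public static int Main()
    {
        // Azure.Identity logs each credential it tries and why it was skipped or failed.
        using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        bool inContainer = RunningInContainer();
        bool vsFilePresent = File.Exists(VisualStudioTokenProviderPath());
        Console.WriteLine($"in container: {inContainer}, VS token provider file present: {vsFilePresent}");

        var credential = new DefaultAzureCredential(BuildOptions(inContainer, vsFilePresent));
        var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });
        try
        {
            AccessToken token = credential.GetToken(context, CancellationToken.None);
            Console.WriteLine($"token acquired, expires {token.ExpiresOn:u}");
            return 0;
        }
        catch (CredentialUnavailableException ex)
        {
            // Same per-credential message shape as the errors quoted later in this issue.
            Console.Error.WriteLine(ex.Message);
            return 1;
        }
    }
}
```

Run it once on the host and once inside the container (docker run with the same image you debug with) and compare the two logs: the lines Azure.Identity emits before the CredentialUnavailableException tell you whether the failure is a missing tool, a missing mount, or a managed identity endpoint that answered with something unexpected, which is the distinction the later replies in this thread keep coming back to.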

johnib commented 1 year ago

Any news on that?

NCarlsonMSFT commented 1 year ago

Using the new Azure.Identity 1.9.0-beta.2 and Visual Studio 2022 17.6 Preview 1 the VisualStudioCredential should now work when using Visual Studio to Launch a .NET Core project in a Windows or Linux container.

vitor-baptista-vfx commented 1 year ago

@NCarlsonMSFT I've successfully authenticated with DefaultAzureCredential using Azure.Identity 1.9.0 and VS 2022 17.6.2, when using mcr.microsoft.com/dotnet/aspnet:7.0 and mcr.microsoft.com/dotnet/aspnet:7.0-jammy as base image. However, when using mcr.microsoft.com/dotnet/aspnet:7.0-alpine, I get the following error: Visual Studio Token provider can't be accessed at /root/.IdentityService/AzureServiceAuth/tokenprovider.json

By enabling Container Tools logs, I've seen the following error there:

```json
{
  "timestamp": "2023-05-29 22-57-43.340",
  "message": "Proxy Listener: Failed to parse token request"
}
{
  "timestamp": "2023-05-29 22-57-43.343",
  "message": "Writing to proxy: {\"ClassName\":\"Newtonsoft.Json.JsonReaderException\",\"Message\":\"Unexpected character encountered while parsing value: O. Path '', line 0, position 0.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":\"   at Newtonsoft.Json.JsonTextReader.ParseValue()\\r\\n   at Newtonsoft.Json.Linq.JObject.Load(JsonReader reader, JsonLoadSettings settings)\\r\\n   at Newtonsoft.Json.Linq.JObject.Parse(String json, JsonLoadSettings settings)\\r\\n   at Microsoft.VisualStudio.Containers.Tools.Common.Debugging.TokenProxyService.TokenProxyLogger.LogMessage(String message)\",\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":\"8\\nParseValue\\nNewtonsoft.Json, Version=13.0.3.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed\\nNewtonsoft.Json.JsonTextReader\\nBoolean ParseValue()\",\"HResult\":-2146233088,\"Source\":\"Newtonsoft.Json\",\"WatsonBuckets\":null}"
}
```

vitor-baptista-vfx commented 1 year ago

Regarding my previous message, I've just tried with VS 17.7.0 Preview 1.0 and it works fine with Alpine. I guess this is something that was fixed in the meantime while preparing the next VS version.

NCarlsonMSFT commented 1 year ago

@vitor-baptista-vfx you are correct, the initial implementation had a bug for Alpine that has been fixed in 17.7.

ggirard07 commented 1 year ago

I am probably in the wrong thread... but I have an issue that involves the same set of files mentioned here... wondering if this could all be related...

I have a project in my solution that keeps creating a file at path {ProjectDir}\.IdentityService\AzureServiceAuth\tokenprovider.json every time I start a docker compose debug. The same file is not created when debugging the project directly without using Docker tooling. Is this a new behavior related to the mentioned feature? Any idea why it is happening for just one of the projects in the same solution?

danegsta commented 1 year ago

@ggirard07 that file is related to the recently added support for DefaultAzureCredential authentication when debugging a container project in VS; can you open a new issue and I can help you troubleshoot there? This is likely due to your project being read/write volume mounted to the same location as we are volume mounting the required service to support DefaultAzureCredential, but I'll need some additional info about your docker-compose config to be sure.

anotherRedbeard commented 1 year ago

@NCarlsonMSFT, should this be working with VSCode as well? I'm using Azure.Identity 1.10.0 and my Dockerfile is using mcr.microsoft.com/dotnet/sdk:7.0 as my build layer, but I'm getting the error that I can't get a token using DefaultAzureCredential.

```
An exception of type 'Azure.Identity.CredentialUnavailableException' occurred in System.Private.CoreLib.dll but was not handled in user code: 'DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
- Visual Studio Token provider can't be accessed at /home/appuser/.IdentityService/AzureServiceAuth/tokenprovider.json
- Azure CLI not installed
- PowerShell is not installed.
- Azure Developer CLI could not be found.'
 Inner exceptions found, see $exception in variables window for more details.
 Innermost exception     Azure.Identity.CredentialUnavailableException : EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
```

NCarlsonMSFT commented 1 year ago

@anotherRedbeard this is only supported for Visual Studio

NCarlsonMSFT commented 1 year ago

Closing as this shipped in 17.6

ChrisCalzaretta commented 3 months ago

Having this same issue with .NET 8:

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
```

```
An exception was thrown attempting to execute the error handler.
2024-06-25 17:49:28 Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
2024-06-25 17:49:28 - EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
2024-06-25 17:49:28 - WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
2024-06-25 17:49:28 - Managed Identity response was not in the expected format. See the inner exception for details.
2024-06-25 17:49:28 - Visual Studio Token provider can't be accessed at /root/.IdentityService/AzureServiceAuth/tokenprovider.json
```

Can anyone give me a hand with this?

NCarlsonMSFT commented 3 months ago

@ChrisCalzaretta please open a new issue. You may be able to get more information by reading these docs. Of particular note is the environment variable to enable logging that will indicate if something is happening to the token proxy.