microsoft / DockerTools

Tools For Docker, including Visual Studio Provisioning and Publishing

ManagedIdentityCredential authentication unavailable #382

Closed BC89 closed 1 year ago

BC89 commented 1 year ago

Greetings,

Yesterday I upgraded to Microsoft Visual Studio Professional 2022 (64-bit) - Preview Version 17.7.0 Preview 1.0 and Azure.Identity 1.9.0 and am now receiving this error locally and in my deployed app in Azure Container App Services. Up until yesterday I was running fine in both local and in Azure. Previously I was running Azure.Identity 1.9.0+ beta and 17.6+.

I have scrubbed local creds, cache, etc. and done an az login locally but to no avail.

The added complication is that this app uses Azure Batch and passes the user managed identity to the compute nodes when they are provisioned. The error below is logged from within the compute node as it comes online. The node itself is a docker image that gets deployed at runtime via the batch SDK. None of that has changed and it was working prior to yesterday. I can drop an issue in Azure Batch but ---very frustratingly--- no one seems home over there and issues just sit.

Thanks!

Unhandled exception. Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://.vault.azure.net/ was not found in the tenant named kcidev. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: e43b9b...\r\nCorrelation ID: 504ffdc2-21....\r\nTimestamp: 2023-05-17 18:24:08Z","error_codes":[500011],"timestamp":"2023-05-17 18:24:08Z","trace_id":"e43b9b90-4e......","correlation_id":"504ffdc2-...","error_uri":"https://eastus.login.microsoft.com/error?code=500011"}

Headers:
Server: IMDS/150.870.65.1000
Date: Wed, 17 May 2023 18:24:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 738

- Visual Studio Token provider can't be accessed at .IdentityService/AzureServiceAuth/tokenprovider.json
 ---> System.AggregateException: Multiple exceptions were encountered while attempting to authenticate. (ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://.vault.azure.net/ was not found in the tenant named kcidev. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: e43b9b.....\r\nCorrelation ID: 504ffdc2-2101-4......\r\nTimestamp: 2023-05-17 18:24:08Z","error_codes":[500011],"timestamp":"2023-05-17 18:24:08Z","trace_id":"e43b9b90-4e...","correlation_id":"504ffdc2-2101-.....","error_uri":"https://eastus.login.microsoft.com/error?code=500011"}

Headers:
Server: IMDS/150.870.65.1000
Date: Wed, 17 May 2023 18:24:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 738
) (Visual Studio Token provider can't be accessed at .IdentityService/AzureServiceAuth/tokenprovider.json)
 ---> Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://.vault.azure.net/ was not found in the tenant named kcidev. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: e43b9b90....\r\nCorrelation ID: 504ffdc2-2101-4d....\r\nTimestamp: 2023-05-17 18:24:08Z","error_codes":[500011],"timestamp":"2023-05-17 18:24:08Z","trace_id":"e43b9b90-....","correlation_id":"504ffdc2-2....","error_uri":"https://eastus.login.microsoft.com/error?code=500011"}

Headers:
Server: IMDS/150.870.65.1000
Date: Wed, 17 May 2023 18:24:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 738

   at Azure.Identity.ImdsManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AppTokenProviderImpl(AppTokenProviderParameters parameters)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.SendTokenRequestToProviderAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
 ---> (Inner Exception #1) Azure.Identity.CredentialUnavailableException: Visual Studio Token provider can't be accessed at .IdentityService/AzureServiceAuth/tokenprovider.json
 ---> System.IO.DirectoryNotFoundException: Could not find a part of the path '/app/.IdentityService/AzureServiceAuth/tokenprovider.json'.
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode, Func`4 createOpenException)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Func`4 createOpenException)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.StreamReader.ValidateArgsAndOpenPath(String path, Encoding encoding, Int32 bufferSize)
   at System.IO.File.ReadAllText(String path, Encoding encoding)
   at Azure.Identity.FileSystemService.ReadAllText(String path)
   at Azure.Identity.VisualStudioCredential.GetTokenProviderContent(String tokenProviderPath)
   --- End of inner exception stack trace ---
   at Azure.Identity.VisualStudioCredential.GetTokenProviderContent(String tokenProviderPath)
   at Azure.Identity.VisualStudioCredential.GetTokenProviders(String tokenProviderPath)
   at Azure.Identity.VisualStudioCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.VisualStudioCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.VisualStudioCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

   --- End of inner exception stack trace ---
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.DefaultAzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Kci.RoboFlat.Infrastructure.DependencyInjection.AddInfrastructure(IServiceCollection services, ConfigurationManager configuration) in /src/Models/RoboFlat/Infrastructure/DependencyInjection.cs:line 47
   at Kci.RoboFlat.Presentation.Extensions.ProgramExtensions.ConfigureBuilderAsync(WebApplicationBuilder builder) in /src/Models/RoboFlat/Presentation/Extensions/ProgramExtensions.cs:line 104
   at Program.<Main>$(String[] args) in /src/Models/RoboFlat/Presentation/Program.cs:line 5
BC89 commented 1 year ago

I have resolved this issue. Dumb, dumb here had a pipeline config error that pointed to the wrong repo :) This can be closed.
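
The trace above wraps an IMDS 400 response whose body says `invalid_resource` / AADSTS500011 under the SDK's generic "identity has not been assigned" message. As an added example (not code from this thread or from Azure.Identity), the helper below triages such a body and flags a resource URI with an empty host label. The sample body is constructed from the logged one with placeholder IDs, and the helper assumes the logged resource string is what the application actually requested rather than something redacted by the poster.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: same shape as the IMDS error body in the report; IDs are placeholders.
SAMPLE_BODY = json.dumps({
    "error": "invalid_resource",
    "error_description": (
        "AADSTS500011: The resource principal named https://.vault.azure.net/ "
        "was not found in the tenant named kcidev. This can happen if the "
        "application has not been installed by the administrator of the tenant."
        "\r\nTrace ID: <trace-id>\r\nCorrelation ID: <correlation-id>"
    ),
    "error_codes": [500011],
})

# Pulls the AADSTS code, the requested resource (token audience) and the tenant name.
_DESC = re.compile(
    r"(?P<code>AADSTS\d+): The resource principal named (?P<resource>\S+) "
    r"was not found in the tenant named (?P<tenant>\S+?)\.(?:\s|$)"
)


def triage_imds_error(body: str) -> dict:
    """Classify an IMDS token-error body and flag a malformed resource URI."""
    doc = json.loads(body)
    finding = {"error": doc.get("error"), "codes": doc.get("error_codes", []),
               "aadsts": None, "resource": None, "tenant": None, "problems": []}
    m = _DESC.search(doc.get("error_description", ""))
    if not m:
        return finding
    finding.update(aadsts=m["code"], resource=m["resource"], tenant=m["tenant"])
    # An unset name in configuration yields a host such as ".vault.azure.net".
    host = urlsplit(m["resource"]).hostname or ""
    if not host or "" in host.split("."):
        finding["problems"].append(
            "empty host label in resource URI: check the configured resource name")
    if doc.get("error") == "invalid_resource":
        finding["problems"].append(
            "token service rejected the requested resource: verify the URI and "
            "tenant before investigating the identity assignment")
    return finding


if __name__ == "__main__":
    print(json.dumps(triage_imds_error(SAMPLE_BODY), indent=2))
```
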