azure-functions-host: "Server failed to authenticate the request" Trouble getting Azure Functions to work with Managed Identity and Key Vault

I have a Functions App that I am migrating from v2 to v4. During the migration I wanted to change from secrets in App Settings to use Key Vault and Managed Identity.

I have followed the guidance that I found in these links as well as others:

However, the documentation is a bit confusing to me, and while I think I set everything up as needed, I am getting the following error.

2022-05-23T20:59:08.377 [Information] Request [846e8f6d-a332-4ff6-ba71-70127eab69d6] GET https://********.queue.core.windows.net/anova-controller-reading-to-process?comp=metadatax-ms-version:2018-11-09Accept:application/xmlx-ms-client-request-id:846e8f6d-a332-4ff6-ba71-70127eab69d6x-ms-return-client-request-id:trueUser-Agent:azsdk-net-Storage.Queues/12.10.0,(.NET 6.0.3; Microsoft Windows 10.0.14393)x-ms-date:Mon, 23 May 2022 20:59:08 GMTAuthorization:REDACTEDclient assembly: Azure.Storage.Queues
2022-05-23T20:59:08.862 [Warning] Error response [c523f72e-f6f2-48f3-b1da-9d3dfb48c575] 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. (01.0s)Server:Microsoft-HTTPAPI/2.0x-ms-request-id:8bcff400-8003-0046-28e7-6e5e1b000000x-ms-error-code:AuthenticationFailedDate:Mon, 23 May 2022 20:59:08 GMTContent-Length:787Content-Type:application/xml
2022-05-23T20:59:08.950 [Error] An unhandled exception has occurred. Host is shutting down.Azure.RequestFailedException : Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.RequestId:8bcff400-8003-0046-28e7-6e5e1b000000Time:2022-05-23T20:59:08.8402781ZStatus: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)ErrorCode: AuthenticationFailedAdditional Information:AuthenticationErrorDetail: The MAC signature found in the HTTP request '4wyyc82uJ/Of1+kDsXMyakzuQ/ABrEDJwrODUVe+B1g=' is not the same as any computed signature. Server used following string to sign: 'GETx-ms-client-request-id:c523f72e-f6f2-48f3-b1da-9d3dfb48c575x-ms-date:Mon, 23 May 2022 20:59:07 GMTx-ms-return-client-request-id:truex-ms-version:2018-11-09/********/aquasolconnect-faults-to-processcomp:metadata'.Content:<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.RequestId:8bcff400-8003-0046-28e7-6e5e1b000000Time:2022-05-23T20:59:08.8402781Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '4wyyc82uJ/Of1+kDsXMyakzuQ/ABrEDJwrODUVe+B1g=' is not the same as any computed signature. 
Server used following string to sign: 'GETx-ms-client-request-id:c523f72e-f6f2-48f3-b1da-9d3dfb48c575x-ms-date:Mon, 23 May 2022 20:59:07 GMTx-ms-return-client-request-id:truex-ms-version:2018-11-09/********/aquasolconnect-faults-to-processcomp:metadata'.</AuthenticationErrorDetail></Error>Headers:Server: Microsoft-HTTPAPI/2.0x-ms-request-id: 8bcff400-8003-0046-28e7-6e5e1b000000x-ms-error-code: AuthenticationFailedDate: Mon, 23 May 2022 20:59:08 GMTContent-Length: 787Content-Type: application/xmlat async Azure.Storage.Queues.QueueRestClient.GetPropertiesAsync(Nullable`1 timeout,CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.GetPropertiesInternal(Boolean async,CancellationToken cancellationToken,String operationName)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.ExistsInternal(Boolean async,CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.ExistsAsync(CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Microsoft.Azure.WebJobs.Extensions.Storage.Common.Listeners.QueueListener.ExecuteAsync(CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Microsoft.Azure.WebJobs.Extensions.Storage.Common.Timers.TaskSeriesTimer.RunAsync(CancellationToken cancellationToken)

2022-05-23T21:17:59.416 [Information] Request [ad81b3c8-8e39-43be-b154-9f8f65986ea0] GET https://********.queue.core.windows.net/durable-functions-cleanup?comp=metadatax-ms-version:2018-11-09Accept:application/xmlx-ms-client-request-id:ad81b3c8-8e39-43be-b154-9f8f65986ea0x-ms-return-client-request-id:trueUser-Agent:azsdk-net-Storage.Queues/12.10.0,(.NET 6.0.3; Microsoft Windows 10.0.14393)Authorization:REDACTEDclient assembly: Azure.Storage.Queues
2022-05-23T21:18:00.760 [Warning] Error response [5ee6a228-094f-4658-adf5-119c0083f531] 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. (01.6s)Server:Microsoft-HTTPAPI/2.0x-ms-request-id:fcd53a08-7003-0020-12ea-6e113b000000x-ms-error-code:AuthenticationFailedDate:Mon, 23 May 2022 21:17:59 GMTContent-Length:790Content-Type:application/xml
2022-05-23T21:18:00.863 [Error] An unhandled exception has occurred. Host is shutting down.Azure.RequestFailedException : Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.RequestId:fcd53a08-7003-0020-12ea-6e113b000000Time:2022-05-23T21:18:00.3561769ZStatus: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)ErrorCode: AuthenticationFailedAdditional Information:AuthenticationErrorDetail: The MAC signature found in the HTTP request '6c3hdJnIBhGSciUyDLkL4vmPFQjsnBkGtWgAV2CL9Lg=' is not the same as any computed signature. Server used following string to sign: 'GETx-ms-client-request-id:5ee6a228-094f-4658-adf5-119c0083f531x-ms-date:Mon, 23 May 2022 21:17:59 GMTx-ms-return-client-request-id:truex-ms-version:2018-11-09/********/anova-controller-reading-to-processcomp:metadata'.Content:<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.RequestId:fcd53a08-7003-0020-12ea-6e113b000000Time:2022-05-23T21:18:00.3561769Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '6c3hdJnIBhGSciUyDLkL4vmPFQjsnBkGtWgAV2CL9Lg=' is not the same as any computed signature. 
Server used following string to sign: 'GETx-ms-client-request-id:5ee6a228-094f-4658-adf5-119c0083f531x-ms-date:Mon, 23 May 2022 21:17:59 GMTx-ms-return-client-request-id:truex-ms-version:2018-11-09/********/anova-controller-reading-to-processcomp:metadata'.</AuthenticationErrorDetail></Error>Headers:Server: Microsoft-HTTPAPI/2.0x-ms-request-id: fcd53a08-7003-0020-12ea-6e113b000000x-ms-error-code: AuthenticationFailedDate: Mon, 23 May 2022 21:17:59 GMTContent-Length: 790Content-Type: application/xmlat async Azure.Storage.Queues.QueueRestClient.GetPropertiesAsync(Nullable`1 timeout,CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.GetPropertiesInternal(Boolean async,CancellationToken cancellationToken,String operationName)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.ExistsInternal(Boolean async,CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Azure.Storage.Queues.QueueClient.ExistsAsync(CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Microsoft.Azure.WebJobs.Extensions.Storage.Common.Listeners.QueueListener.ExecuteAsync(CancellationToken cancellationToken)at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()at async Microsoft.Azure.WebJobs.Extensions.Storage.Common.Timers.TaskSeriesTimer.RunAsync(CancellationToken cancellationToken)x-ms-error-code:AuthenticationFailedDate:Mon, 23 May 2022 21:17:59 GMTContent-Length:790Content-Type:application/xml

I am confident that the issue is with configuration, but like I said, the docs are confusing.

Is having the AppSetting “AzureWebJobsStorage__accountName” sufficient or do you also need to have “AzureWebJobsStorage__blobServiceUri”, “AzureWebJobsStorage__queueServiceUri”, and “AzureWebJobsStorage__tableServiceUri”? I read the docs saying “If you are configuring “AzureWebJobsStorage” using a storage account that uses the default DNS suffix and service name for global Azure, following the https://<accountName>.blob/queue/file/table.core.windows.net format, you can instead set AzureWebJobsStorage__accountName to the name of your storage account. The endpoints for each storage service will be inferred for this account.” to mean that I should be able to just set “AzureWebJobsStorage__accountName”.

If I am using “AzureWebJobsStorage__accountName” do I still need to set “AzureWebJobsStorage” to support anything that can’t use Managed Identity? I tried to add it but the Function App would not even start so I figured you had to use one or the other.

The identity I have has all of the following roles: Storage Blob Data Contributor, Storage Queue Data Contributor, and Storage Table Data Contributor.

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 16 (5 by maintainers)

Most upvoted comments

Thank you. I am anxious to get past this issue. I know there is time but I had hoped to get this resolved well before the December 3rd deadline to upgrade to Azure Functions 4 due to the retirement of .NET Core 3.1. Let me know how I can help.

Hi - apologies for missing the ping.

Are these errors you’re hitting in local debugging or in a hosted service? Do you see the same error across both?

You’re correct that it’s not advisable to mix AzureWebJobsStorage and AzureWebJobsStorage__accountName. In these cases, the AzureWebJobsStorage key would win. The app not starting was a bit surprising to me there - that wouldn’t be expected unless the connection string in that scenario was somehow invalid. If you have any specifics of that error, that might be interesting.

Because this error set is a MAC exception, it looks like the server is attempting to process this as a shared key request. I’m basing that on the error showing up in tests in the Azure SDK for .NET (example). CC @jaschrep-msft in case there are other scenarios where this might occur.

So, it looks like identity isn’t even attempted. I assume the app does indeed have the identity assigned, and that it is able to request tokens directly. Is that correct? The roles you have assigned to the identity look like they should be fine for Durable, which it seems like you’re using. Could you confirm the version of the Durable extension that you are using? Support for MI from that was only added recently. And are there other scenarios here where you would be leveraging an identity-based connection?

I think to help with this, we might need to get a bit more information out of logs. If you could please share some details we can correlate with per https://github.com/Azure/azure-functions-host/wiki/Sharing-Your-Function-App-name-privately, we can take a look. Feel free to open a support ticket if you haven’t already as well, though I’m hoping we should be able to identify the cause here pretty quickly.

For your own logs, you can get more verbose information out of the underlying Azure SDKs by changing log levels (just be advised that these get noisy fast and should probably not be used in a production environment). This can sometimes be helpful for understanding configurations. I can’t remember which level specifically ends up being needed. I think Debug works, but I recall needing Trace for my own apps in the past.
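As an added illustration (not code from the issue, the reporter, or the Functions host), here is a small Python checker that applies the rules stated in the question and the reply above to a set of app settings: `AzureWebJobsStorage__accountName` infers the `https://<account>.<service>.core.windows.net` endpoints, a plain `AzureWebJobsStorage` connection string wins over the `__` sub-keys (shared-key signing), and a "MAC signature" mismatch in the log means a shared-key request was sent. The setting names and endpoint format come from the thread; the account-name validity rule (3 to 24 lowercase letters and digits) is an assumption added here.

```python
import re
from dataclasses import dataclass, field

SERVICES = ("blob", "queue", "table", "file")  # services a storage connection can expose

@dataclass
class ConnectionPlan:
    auth_mode: str                  # "shared-key", "identity" or "missing"
    endpoints: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)

def plan_connection(settings: dict, name: str = "AzureWebJobsStorage") -> ConnectionPlan:
    """Predict how the Functions host resolves one storage connection from app settings.
    Rules, taken from the docs quoted in the issue and the maintainer's reply:
    - a plain connection string under `name` wins over every `name__*` sub-key and
      makes the SDK sign requests with the account key (a MAC, not a bearer token);
    - `name__accountName` alone infers https://<account>.<service>.core.windows.net
      for each service, the identity-based form;
    - explicit `name__<service>ServiceUri` keys override the inferred endpoints.
    """
    plan = ConnectionPlan(auth_mode="missing")
    prefix = name + "__"
    sub = {k[len(prefix):]: v for k, v in settings.items() if k.startswith(prefix)}
    if settings.get(name):
        plan.auth_mode = "shared-key"
        if sub:  # the mixed configuration from the thread: the connection string wins
            plan.warnings.append(f"{name} is set together with {prefix}{', '.join(sorted(sub))}; "
                                 "the connection string wins and requests are shared-key signed")
        return plan
    account = sub.get("accountName")
    # Assumed rule (not from the page): account names are 3-24 lowercase letters/digits.
    if account and not re.fullmatch(r"[a-z0-9]{3,24}", account):
        plan.warnings.append(f"{prefix}accountName '{account}' is not a valid storage account name")
    for svc in SERVICES:
        uri = sub.get(f"{svc}ServiceUri")
        if uri:
            plan.endpoints[svc] = uri
        elif account:
            plan.endpoints[svc] = f"https://{account}.{svc}.core.windows.net"
    if plan.endpoints:
        plan.auth_mode = "identity"
    return plan

def diagnose_log_line(line: str) -> str:
    """Read a host log line the way the maintainer did: a MAC mismatch means the
    request was signed with a shared key, so identity auth was never attempted."""
    if "MAC signature" in line:
        return "shared-key"
    return "unknown"
```

Run `plan_connection` over the app's settings before deploying; a `shared-key` result with a warning reproduces the mixed configuration discussed in this thread.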

Hi @ahawes-clarity, we are discussing this issue internally; we will get back to you soon with the findings!