azure-sdk-for-js: DefaultAzureCredential not falling through to AzureCLI after Managed Identity 404

  • Package Name: @azure/identity
  • Package Version:
  • Operating system:
  • nodejs
    • version: v18.18.1
  • browser
    • name/version:
  • typescript
    • version:
  • Is the bug related to documentation in

Describe the bug

I am using DefaultAzureCredential in a Node.js tool running in an AzureCLI@2 task in an Azure DevOps time. The credential chain is getting a 404 on the IMDS endpoint and is failing there, rather than falling through to get credentials from the Azure CLI. The task is running on a custom agent, which is running in a job inside an Azure Kubernetes Services container. The container has not been set up with pod identity or workload identity so I am not expecting it to use managed identity - I am expecting it to fall through and use AzureCliCredential.

      - task: AzureCLI@2
        displayName: 📀 Publish techdocs
        inputs:
          azureSubscription: $(ServiceConnection)
          scriptType: bash 
          scriptLocation: inlineScript
          inlineScript: >-
            node_modules/.bin/techdocs-cli publish
            --publisher-type azureBlobStorage
            --azureAccountName $(StorageAccount)
            --storage-name techdocs
            --entity $(EntityRef)
        env:
          AZURE_LOG_LEVEL: verbose

To Reproduce

Steps to reproduce the behavior:

  1. `npm install -g techdocs-cli`
  2. Have an ADO pipeline which runs on a job that runs on an AKS container
      - task: AzureCLI@2
        displayName: 📀 Publish techdocs
        inputs:
          azureSubscription: $(ServiceConnection) #Federated 
          scriptType: bash 
          scriptLocation: inlineScript
          inlineScript: >-
            node_modules/.bin/techdocs-cli publish
            --publisher-type azureBlobStorage
            --azureAccountName $(StorageAccountName)
            --storage-name $(ContainerName)
            --entity default/component/example
        env:
          AZURE_LOG_LEVEL: verbose

Expected behavior

Neither pod nor workload identity is set up for these containers, so I expected the DefaultAzureCredential chain to fall through to further credential types. (Specifically Azure CLI credentials)

Screenshots

2023-10-31T13:16:16.2566052Z ##[section]Starting: 📀 Publish techdocs
2023-10-31T13:16:16.2573950Z ==============================================================================
2023-10-31T13:16:16.2574124Z Task         : Azure CLI
2023-10-31T13:16:16.2574201Z Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
2023-10-31T13:16:16.2574461Z Version      : 2.229.0
2023-10-31T13:16:16.2574535Z Author       : Microsoft Corporation
2023-10-31T13:16:16.2574634Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
2023-10-31T13:16:16.2574760Z ==============================================================================
2023-10-31T13:16:16.6278010Z [command]/usr/bin/az --version
2023-10-31T13:16:17.4780504Z WARNING: You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'
2023-10-31T13:16:17.4780764Z azure-cli                         2.53.0 *
2023-10-31T13:16:17.4781150Z 
2023-10-31T13:16:17.4781319Z core                              2.53.0 *
2023-10-31T13:16:17.4781481Z telemetry                          1.1.0
2023-10-31T13:16:17.4781588Z 
2023-10-31T13:16:17.4781717Z Extensions:
2023-10-31T13:16:17.4781915Z azure-devops                      0.26.0
2023-10-31T13:16:17.4782017Z 
2023-10-31T13:16:17.4782157Z Dependencies:
2023-10-31T13:16:17.4782310Z msal                            1.24.0b2
2023-10-31T13:16:17.4782504Z azure-mgmt-resource             23.1.0b2
2023-10-31T13:16:17.4782611Z 
2023-10-31T13:16:17.4782792Z Python location '/opt/az/bin/python3'
2023-10-31T13:16:17.4783011Z Extensions directory '/REDACTED/.azure/cliextensions'
2023-10-31T13:16:17.4783278Z Extensions system directory '/opt/az/lib/python3.10/site-packages/azure-cli-extensions'
2023-10-31T13:16:17.4783413Z 
2023-10-31T13:16:17.4783601Z Python (Linux) 3.10.10 (main, Sep 20 2023, 06:07:38) [GCC 11.4.0]
2023-10-31T13:16:17.4783736Z 
2023-10-31T13:16:17.4783895Z Legal docs and information: aka.ms/AzureCliLegal
2023-10-31T13:16:17.4784010Z 
2023-10-31T13:16:17.4784099Z 
2023-10-31T13:16:17.4807081Z Setting AZURE_CONFIG_DIR env variable to: /REDACTED/_work/_temp/.azclitask
2023-10-31T13:16:17.4812436Z Setting active cloud to: AzureCloud
2023-10-31T13:16:17.4820306Z [command]/usr/bin/az cloud set -n AzureCloud
2023-10-31T13:16:20.1207320Z [command]/usr/bin/az login --service-principal -u *** --tenant REDACTED --allow-no-subscriptions --federated-token ***
2023-10-31T13:16:21.5451340Z [
2023-10-31T13:16:21.5451650Z   {
2023-10-31T13:16:21.5451866Z     "cloudName": "AzureCloud",
2023-10-31T13:16:21.5452351Z     "homeTenantId": "REDACTED",
2023-10-31T13:16:21.5454073Z     "id": "REDACTED",
2023-10-31T13:16:21.5454602Z     "isDefault": true,
2023-10-31T13:16:21.5455106Z     "managedByTenants": [],
2023-10-31T13:16:21.5455556Z     "name": "REDACTED",
2023-10-31T13:16:21.5455721Z     "state": "Enabled",
2023-10-31T13:16:21.5455998Z     "tenantId": "REDACTED",
2023-10-31T13:16:21.5459408Z     "user": {
2023-10-31T13:16:21.5460164Z       "name": "***",
2023-10-31T13:16:21.5460575Z       "type": "servicePrincipal"
2023-10-31T13:16:21.5460918Z     }
2023-10-31T13:16:21.5461292Z   }
2023-10-31T13:16:21.5461614Z ]
2023-10-31T13:16:21.5465599Z [command]/usr/bin/az account set --subscription REDACTED
2023-10-31T13:16:23.6042720Z [command]/usr/bin/bash /REDACTED/_work/_temp/azureclitaskscript1698758176621.sh
2023-10-31T13:16:23.6043131Z info: Creating Azure Blob Storage Container publisher for TechDocs
2023-10-31T13:16:23.6050729Z azure:identity:info EnvironmentCredential => Found the following environment variables: 
2023-10-31T13:16:23.6053041Z azure:identity:info WorkloadIdentityCredential => Found the following environment variables: 
2023-10-31T13:16:23.6058455Z azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
2023-10-31T13:16:23.6069201Z azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
2023-10-31T13:16:23.6092462Z azure:core-http:info ServiceClient: using custom request policies
2023-10-31T13:16:23.6099399Z azure:core-http:info ServiceClient: using custom request policies
2023-10-31T13:16:23.6137527Z azure:storage-blob:info RetryPolicy: =====> Try=1 Primary
2023-10-31T13:16:23.6143730Z azure:storage-blob:info Request: {
2023-10-31T13:16:23.6143985Z   "streamResponseStatusCodes": {},
2023-10-31T13:16:23.6144247Z   "url": "https://REDACTED.blob.core.windows.net/REDACTED?restype=container",
2023-10-31T13:16:23.6148070Z   "method": "GET",
2023-10-31T13:16:23.6148446Z   "headers": {
2023-10-31T13:16:23.6148611Z     "_headersMap": {
2023-10-31T13:16:23.6148917Z       "x-ms-version": "2023-08-03",
2023-10-31T13:16:23.6151299Z       "accept": "application/xml",
2023-10-31T13:16:23.6151918Z       "user-agent": "azsdk-js-storageblob/12.16.0 (NODE-VERSION v18.18.1; Linux 5.15.116.1-1.cm2)",
2023-10-31T13:16:23.6152344Z       "x-ms-client-request-id": "f8f87148-ef53-408e-8d75-64d435388a41"
2023-10-31T13:16:23.6152549Z     }
2023-10-31T13:16:23.6154537Z   },
2023-10-31T13:16:23.6154850Z   "withCredentials": false,
2023-10-31T13:16:23.6155035Z   "timeout": 0,
2023-10-31T13:16:23.6155203Z   "keepAlive": true,
2023-10-31T13:16:23.6157847Z   "requestId": "f8f87148-ef53-408e-8d75-64d435388a41"
2023-10-31T13:16:23.6158393Z }
2023-10-31T13:16:23.6161520Z azure:identity:info WorkloadIdentityCredential => WorkloadIdentityCredential: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters. 
2023-10-31T13:16:23.6161980Z       In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
2023-10-31T13:16:23.6162198Z       "AZURE_TENANT_ID",
2023-10-31T13:16:23.6162290Z       "AZURE_CLIENT_ID",
2023-10-31T13:16:23.6162457Z       "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  
2023-10-31T13:16:23.6167776Z azure:identity:info ManagedIdentityCredential - Azure Arc MSI => ManagedIdentityCredential - Azure Arc MSI: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT
2023-10-31T13:16:23.6168803Z azure:identity:info ManagedIdentityCredential - Fabric MSI => ManagedIdentityCredential - Fabric MSI: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT
2023-10-31T13:16:23.6171465Z azure:identity:info ManagedIdentityCredential - AppServiceMSI 2019 => ManagedIdentityCredential - AppServiceMSI 2019: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.
2023-10-31T13:16:23.6172384Z azure:identity:info ManagedIdentityCredential - AppServiceMSI 2017 => ManagedIdentityCredential - AppServiceMSI 2017: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.
2023-10-31T13:16:23.6173234Z azure:identity:info ManagedIdentityCredential - CloudShellMSI => ManagedIdentityCredential - CloudShellMSI: Unavailable. The environment variable MSI_ENDPOINT is needed.
2023-10-31T13:16:23.6173785Z azure:identity:info ManagedIdentityCredential - Token Exchange => ManagedIdentityCredential - Token Exchange: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE
2023-10-31T13:16:23.6181003Z azure:identity:info ManagedIdentityCredential - IMDS => ManagedIdentityCredential - IMDS: Pinging the Azure IMDS endpoint
2023-10-31T13:16:23.6189061Z azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request c37bd794-21db-411d-92bf-eda588c3f7c3
2023-10-31T13:16:23.6194208Z azure:core-rest-pipeline:info Request: {
2023-10-31T13:16:23.6194460Z   "url": "http://169.254.169.254/metadata/identity/oauth2/token",
2023-10-31T13:16:23.6194673Z   "headers": {
2023-10-31T13:16:23.6195002Z     "accept": "application/json",
2023-10-31T13:16:23.6195251Z     "accept-encoding": "gzip,deflate",
2023-10-31T13:16:23.6195660Z     "user-agent": "azsdk-js-identity/3.3.2 core-rest-pipeline/1.12.2 Node/v18.18.1 OS/(x64-Linux-5.15.116.1-1.cm2)",
2023-10-31T13:16:23.6196044Z     "x-ms-client-request-id": "c37bd794-21db-411d-92bf-eda588c3f7c3"
2023-10-31T13:16:23.6198352Z   },
2023-10-31T13:16:23.6198852Z   "method": "GET",
2023-10-31T13:16:23.6199018Z   "timeout": 1000,
2023-10-31T13:16:23.6199204Z   "disableKeepAlive": false,
2023-10-31T13:16:23.6203220Z   "withCredentials": false,
2023-10-31T13:16:23.6203748Z   "tracingOptions": {
2023-10-31T13:16:23.6207814Z     "tracingContext": {
2023-10-31T13:16:23.6208252Z       "_contextMap": {}
2023-10-31T13:16:23.6211914Z     }
2023-10-31T13:16:23.6212304Z   },
2023-10-31T13:16:23.6216450Z   "requestId": "c37bd794-21db-411d-92bf-eda588c3f7c3",
2023-10-31T13:16:23.6216998Z   "allowInsecureConnection": true,
2023-10-31T13:16:23.6220749Z   "enableBrowserStreams": false
2023-10-31T13:16:23.6221193Z }
2023-10-31T13:16:23.6307595Z azure:core-rest-pipeline:info Response status code: 400
2023-10-31T13:16:23.6310252Z azure:core-rest-pipeline:info Headers: {
2023-10-31T13:16:23.6310628Z   "content-type": "application/json; charset=utf-8",
2023-10-31T13:16:23.6310837Z   "date": "Tue, 31 Oct 2023 13:16:23 GMT",
2023-10-31T13:16:23.6311089Z   "content-length": "89"
2023-10-31T13:16:23.6311229Z }
2023-10-31T13:16:23.6311646Z azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request c37bd794-21db-411d-92bf-eda588c3f7c3
2023-10-31T13:16:23.6312222Z azure:core-rest-pipeline retryPolicy:info Retry 0: Maximum retries reached. Returning the last received response, or throwing the last received error.
2023-10-31T13:16:23.6313692Z azure:identity:info ManagedIdentityCredential - IMDS => ManagedIdentityCredential - IMDS: The Azure IMDS endpoint is available
2023-10-31T13:16:23.6367702Z azure:identity:info ManagedIdentityCredential => SetAppTokenProvider invoked with parameters- {"correlationId":"noCorrelationId","tenantId":"common","scopes":["https://storage.azure.com/.default"]}
2023-10-31T13:16:23.6368623Z azure:identity:info ManagedIdentityCredential => authenticateManagedIdentity invoked with scopes- ["https://storage.azure.com/.default"] and getTokenOptions - {"correlationId":"noCorrelationId","tenantId":"common","scopes":["https://storage.azure.com/.default"]}
2023-10-31T13:16:23.6370007Z azure:identity:info ManagedIdentityCredential - IMDS => ManagedIdentityCredential - IMDS: Using the default Azure IMDS endpoint http://169.254.169.254.
2023-10-31T13:16:23.6375600Z azure:identity:info IdentityClient: sending token request to [http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fstorage.azure.com&api-version=2018-02-01]
2023-10-31T13:16:23.6377897Z azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request ec76202e-7066-448b-b0cf-28fb783cb355
2023-10-31T13:16:23.6383855Z azure:core-rest-pipeline:info Request: {
2023-10-31T13:16:23.6384334Z   "url": "http://169.254.169.254/metadata/identity/oauth2/token?resource=REDACTED&api-version=2018-02-01",
2023-10-31T13:16:23.6384564Z   "headers": {
2023-10-31T13:16:23.6384712Z     "accept": "application/json",
2023-10-31T13:16:23.6384887Z     "metadata": "REDACTED",
2023-10-31T13:16:23.6385118Z     "accept-encoding": "gzip,deflate",
2023-10-31T13:16:23.6385538Z     "user-agent": "azsdk-js-identity/3.3.2 core-rest-pipeline/1.12.2 Node/v18.18.1 OS/(x64-Linux-5.15.116.1-1.cm2)",
2023-10-31T13:16:23.6385922Z     "x-ms-client-request-id": "ec76202e-7066-448b-b0cf-28fb783cb355"
2023-10-31T13:16:23.6386227Z   },
2023-10-31T13:16:23.6386367Z   "method": "GET",
2023-10-31T13:16:23.6386506Z   "timeout": 0,
2023-10-31T13:16:23.6386662Z   "disableKeepAlive": false,
2023-10-31T13:16:23.6386831Z   "withCredentials": false,
2023-10-31T13:16:23.6387010Z   "requestId": "ec76202e-7066-448b-b0cf-28fb783cb355",
2023-10-31T13:16:23.6387122Z   "allowInsecureConnection": true,
2023-10-31T13:16:23.6387378Z   "enableBrowserStreams": false
2023-10-31T13:16:23.6387460Z }
2023-10-31T13:16:23.6395231Z azure:core-rest-pipeline:info Response status code: 404
2023-10-31T13:16:23.6396632Z azure:core-rest-pipeline:info Headers: {
2023-10-31T13:16:23.6397001Z   "content-type": "text/plain; charset=utf-8",
2023-10-31T13:16:23.6397289Z   "x-content-type-options": "nosniff",
2023-10-31T13:16:23.6397546Z   "date": "Tue, 31 Oct 2023 13:16:23 GMT",
2023-10-31T13:16:23.6397823Z   "content-length": "46"
2023-10-31T13:16:23.6397991Z }
2023-10-31T13:16:23.6398410Z azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request ec76202e-7066-448b-b0cf-28fb783cb355
2023-10-31T13:16:23.6399108Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
2023-10-31T13:16:23.6399666Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
2023-10-31T13:16:23.6400845Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:23.6401331Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
2023-10-31T13:16:23.6401761Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:23.6402289Z azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
2023-10-31T13:16:23.6404881Z azure:identity:warning IdentityClient: authentication error. HTTP status: 404, An unknown error has occurred. Response body:
2023-10-31T13:16:23.6405347Z 
2023-10-31T13:16:23.6406054Z no azure identity found for request clientID 
2023-10-31T13:16:23.6406154Z 
2023-10-31T13:16:24.4422928Z azure:identity:info IdentityClient: sending token request to [http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fstorage.azure.com&api-version=2018-02-01]
2023-10-31T13:16:24.4423688Z azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request dfcc3272-beba-4b36-9e6f-c5ef60d2cb73
2023-10-31T13:16:24.4424103Z azure:core-rest-pipeline:info Request: {
2023-10-31T13:16:24.4424562Z   "url": "http://169.254.169.254/metadata/identity/oauth2/token?resource=REDACTED&api-version=2018-02-01",
2023-10-31T13:16:24.4424804Z   "headers": {
2023-10-31T13:16:24.4424974Z     "accept": "application/json",
2023-10-31T13:16:24.4425145Z     "metadata": "REDACTED",
2023-10-31T13:16:24.4425872Z     "accept-encoding": "gzip,deflate",
2023-10-31T13:16:24.4426289Z     "user-agent": "azsdk-js-identity/3.3.2 core-rest-pipeline/1.12.2 Node/v18.18.1 OS/(x64-Linux-5.15.116.1-1.cm2)",
2023-10-31T13:16:24.4426719Z     "x-ms-client-request-id": "dfcc3272-beba-4b36-9e6f-c5ef60d2cb73"
2023-10-31T13:16:24.4426907Z   },
2023-10-31T13:16:24.4427052Z   "method": "GET",
2023-10-31T13:16:24.4427196Z   "timeout": 0,
2023-10-31T13:16:24.4427289Z   "disableKeepAlive": false,
2023-10-31T13:16:24.4427394Z   "withCredentials": false,
2023-10-31T13:16:24.4427567Z   "requestId": "dfcc3272-beba-4b36-9e6f-c5ef60d2cb73",
2023-10-31T13:16:24.4427693Z   "allowInsecureConnection": true,
2023-10-31T13:16:24.4427806Z   "enableBrowserStreams": false
2023-10-31T13:16:24.4427899Z }
2023-10-31T13:16:24.4434840Z azure:core-rest-pipeline:info Response status code: 404
2023-10-31T13:16:24.4435253Z azure:core-rest-pipeline:info Headers: {
2023-10-31T13:16:24.4435604Z   "content-type": "text/plain; charset=utf-8",
2023-10-31T13:16:24.4435884Z   "x-content-type-options": "nosniff",
2023-10-31T13:16:24.4436019Z   "date": "Tue, 31 Oct 2023 13:16:24 GMT",
2023-10-31T13:16:24.4436163Z   "content-length": "46"
2023-10-31T13:16:24.4436254Z }
2023-10-31T13:16:24.4436499Z azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request dfcc3272-beba-4b36-9e6f-c5ef60d2cb73
2023-10-31T13:16:24.4436785Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
2023-10-31T13:16:24.4437064Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
2023-10-31T13:16:24.4437302Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:24.4437784Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
2023-10-31T13:16:24.4438018Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:24.4438305Z azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
2023-10-31T13:16:24.4438535Z azure:identity:warning IdentityClient: authentication error. HTTP status: 404, An unknown error has occurred. Response body:
2023-10-31T13:16:24.4438652Z 
2023-10-31T13:16:24.4438748Z no azure identity found for request clientID 
2023-10-31T13:16:24.4438806Z 
2023-10-31T13:16:26.0474022Z azure:identity:info IdentityClient: sending token request to [http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fstorage.azure.com&api-version=2018-02-01]
2023-10-31T13:16:26.0474773Z azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 0fd7500d-892d-4f23-a964-491d82adb2e7
2023-10-31T13:16:26.0475223Z azure:core-rest-pipeline:info Request: {
2023-10-31T13:16:26.0475684Z   "url": "http://169.254.169.254/metadata/identity/oauth2/token?resource=REDACTED&api-version=2018-02-01",
2023-10-31T13:16:26.0475951Z   "headers": {
2023-10-31T13:16:26.0476109Z     "accept": "application/json",
2023-10-31T13:16:26.0476280Z     "metadata": "REDACTED",
2023-10-31T13:16:26.0476537Z     "accept-encoding": "gzip,deflate",
2023-10-31T13:16:26.0476950Z     "user-agent": "azsdk-js-identity/3.3.2 core-rest-pipeline/1.12.2 Node/v18.18.1 OS/(x64-Linux-5.15.116.1-1.cm2)",
2023-10-31T13:16:26.0477353Z     "x-ms-client-request-id": "0fd7500d-892d-4f23-a964-491d82adb2e7"
2023-10-31T13:16:26.0477531Z   },
2023-10-31T13:16:26.0477661Z   "method": "GET",
2023-10-31T13:16:26.0477806Z   "timeout": 0,
2023-10-31T13:16:26.0477965Z   "disableKeepAlive": false,
2023-10-31T13:16:26.0478125Z   "withCredentials": false,
2023-10-31T13:16:26.0478426Z   "requestId": "0fd7500d-892d-4f23-a964-491d82adb2e7",
2023-10-31T13:16:26.0478630Z   "allowInsecureConnection": true,
2023-10-31T13:16:26.0478815Z   "enableBrowserStreams": false
2023-10-31T13:16:26.0478956Z }
2023-10-31T13:16:26.0479219Z azure:core-rest-pipeline:info Response status code: 404
2023-10-31T13:16:26.0479515Z azure:core-rest-pipeline:info Headers: {
2023-10-31T13:16:26.0479802Z   "content-type": "text/plain; charset=utf-8",
2023-10-31T13:16:26.0480390Z   "x-content-type-options": "nosniff",
2023-10-31T13:16:26.0480585Z   "date": "Tue, 31 Oct 2023 13:16:26 GMT",
2023-10-31T13:16:26.0480824Z   "content-length": "46"
2023-10-31T13:16:26.0480957Z }
2023-10-31T13:16:26.0481366Z azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 0fd7500d-892d-4f23-a964-491d82adb2e7
2023-10-31T13:16:26.0481806Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
2023-10-31T13:16:26.0482237Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
2023-10-31T13:16:26.0482628Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:26.0483031Z azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
2023-10-31T13:16:26.0483417Z azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
2023-10-31T13:16:26.0483848Z azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
2023-10-31T13:16:26.0484224Z azure:identity:warning IdentityClient: authentication error. HTTP status: 404, An unknown error has occurred. Response body:
2023-10-31T13:16:26.0484384Z 
2023-10-31T13:16:26.0484546Z no azure identity found for request clientID 
2023-10-31T13:16:26.0484637Z 
2023-10-31T13:16:29.2497240Z azure:identity:info ChainedTokenCredential => getToken() => ERROR. Scopes: https://storage.azure.com/.default. Error message: ManagedIdentityCredential authentication failed. Status code: 404
2023-10-31T13:16:29.2497512Z More details:
2023-10-31T13:16:29.2497905Z unknown_error Status code: 404
2023-10-31T13:16:29.2498008Z More details:
2023-10-31T13:16:29.2498108Z An unknown error has occurred. Response body:
2023-10-31T13:16:29.2498201Z 
2023-10-31T13:16:29.2498747Z ManagedIdentityCredential - IMDS: Failed to retrieve IMDS token after 3 retries..
2023-10-31T13:16:29.2499281Z azure:storage-blob:error RetryPolicy: Caught error, message: ManagedIdentityCredential authentication failed. Status code: 404
2023-10-31T13:16:29.2499604Z More details:
2023-10-31T13:16:29.2499796Z unknown_error Status code: 404
2023-10-31T13:16:29.2499962Z More details:
2023-10-31T13:16:29.2500154Z An unknown error has occurred. Response body:
2023-10-31T13:16:29.2500215Z 
2023-10-31T13:16:29.2500436Z ManagedIdentityCredential - IMDS: Failed to retrieve IMDS token after 3 retries., code: undefined
2023-10-31T13:16:29.2500831Z error: from Azure Blob Storage client library: ManagedIdentityCredential authentication failed. Status code: 404
2023-10-31T13:16:29.2501125Z More details:
2023-10-31T13:16:29.2505905Z unknown_error Status code: 404
2023-10-31T13:16:29.2506141Z More details:
2023-10-31T13:16:29.2506321Z An unknown error has occurred. Response body:
2023-10-31T13:16:29.2506426Z 
2023-10-31T13:16:29.2506694Z ManagedIdentityCredential - IMDS: Failed to retrieve IMDS token after 3 retries.
2023-10-31T13:16:29.2507257Z error: Could not retrieve metadata about the Azure Blob Storage container techdocs. Make sure that the Azure project and container exist and the access key is setup correctly techdocs.publisher.azureBlobStorage.credentials defined in app config has correct permissions. Refer to https://backstage.io/docs/features/techdocs/using-cloud-storage
2023-10-31T13:16:29.2507491Z 
2023-10-31T13:16:29.2681514Z ##[error]Script failed with exit code: 1
2023-10-31T13:16:29.2690608Z [command]/usr/bin/az account clear
2023-10-31T13:16:29.8007123Z ##[section]Finishing: 📀 Publish techdocs

Additional context

Specifically I’m using backstage techdocs CLI to publish documentation to a storage account. You can see where it For reference, https://github.com/backstage/backstage/blob/1879025a172629057abfe55a119a35b09c671a10/plugins/techdocs-node/src/stages/publish/azureBlobStorage.ts#L120 is where the credentials are set up in the techdocs cli.

About this issue

  • State: open
  • Created 8 months ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Unfortunately the credential type is configured by a 3rd party tool which I can’t easily change - I may be able to open a PR but it may or may not be accepted.

Given that I know the service connections in question are federated credentials, I was able to work around this by manually setting the environment variables for WorkloadIdentityCredential

- task: AzureCLI@2
  displayName: 📀 Publish techdocs
  inputs:
    azureSubscription: $(ServiceConnection)
    scriptType: pscore
    scriptLocation: inlineScript
    addSpnToEnvironment: true
    inlineScript: |-
      # Map the service connection's values onto the variables WorkloadIdentityCredential reads.
      $env:AZURE_TENANT_ID = $env:tenantId
      $env:AZURE_CLIENT_ID = $env:servicePrincipalId

      # The credential takes the federated token from a file, so write it to a temporary one.
      $federatedTokenFile = New-TemporaryFile
      $env:AZURE_FEDERATED_TOKEN_FILE = $federatedTokenFile.FullName
      try
      {
        $env:federatedToken | Out-File $federatedTokenFile

        node_modules/.bin/techdocs-cli publish `
          --publisher-type azureBlobStorage `
          --azureAccountName $(StorageAccount) `
          --storage-name $(StorageContainer) `
          --entity $(EntityRef)
      }
      finally {
        # Always delete the token file, even if the publish step fails.
        $federatedTokenFile | Remove-Item -Force
      }
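
The behaviour in the issue's log, reduced to a small model (an added example, not part of the issue or its comments and not @azure/identity source code): a chain moves to the next credential only on a `CredentialUnavailableError`, so the 404 that the IMDS endpoint returns after a successful probe ends the chain before AzureCliCredential is tried. The fake IMDS responder, the token strings and all function names are constructed for illustration, EnvironmentCredential is left out, and the model is synchronous where the SDK is async.

```javascript
// Simplified, synchronous model of the credential chain (the SDK's getToken() is async).
class CredentialUnavailableError extends Error {
  constructor(message) { super(message); this.name = "CredentialUnavailableError"; }
}
class AuthenticationError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.name = "AuthenticationError";
    this.statusCode = statusCode;
  }
}

// Constructed stand-in for 169.254.169.254 on the reporter's agent, matching the log:
// 400 for the probe sent without a metadata header, 404 for the real token request.
function fakeImds(request) {
  if (!request.headers.metadata) return { status: 400, body: "" };
  return { status: 404, body: "no azure identity found for request clientID" };
}

function workloadIdentityCredential(env) {
  return {
    name: "WorkloadIdentityCredential",
    getToken() {
      const required = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"];
      const missing = required.filter((key) => !env[key]);
      if (missing.length > 0) throw new CredentialUnavailableError("missing " + missing.join(", "));
      return { source: this.name, token: "constructed-workload-token" };
    },
  };
}

function managedIdentityCredential(imds) {
  return {
    name: "ManagedIdentityCredential",
    getToken() {
      // No listener at all: the credential is unavailable and the chain may continue.
      if (imds === null) throw new CredentialUnavailableError("IMDS endpoint unreachable");
      // Any HTTP answer to the probe, even the 400 in the log, counts as "available".
      imds({ headers: {} });
      const response = imds({ headers: { metadata: "true" } });
      // A failed request on an "available" endpoint is an authentication failure.
      if (response.status !== 200) throw new AuthenticationError(response.status, response.body);
      return { source: this.name, token: response.body };
    },
  };
}

function azureCliCredential(loggedIn) {
  return {
    name: "AzureCliCredential",
    getToken() {
      if (!loggedIn) throw new CredentialUnavailableError("az login has not been run");
      return { source: this.name, token: "constructed-cli-token" };
    },
  };
}

// Returns a result object instead of throwing so each outcome can be inspected.
function runChain(credentials) {
  const tried = [];
  for (const credential of credentials) {
    tried.push(credential.name);
    try {
      return { ok: true, tried, ...credential.getToken() };
    } catch (err) {
      if (err.name === "CredentialUnavailableError") continue; // fall through to the next one
      return { ok: false, tried, stoppedBy: credential.name, status: err.statusCode };
    }
  }
  return { ok: false, tried, stoppedBy: null };
}

// Constructed values standing in for what the workaround script exports.
const workaroundEnv = { AZURE_TENANT_ID: "t", AZURE_CLIENT_ID: "c", AZURE_FEDERATED_TOKEN_FILE: "/tmp/f" };
const chain = (env, imds) =>
  [workloadIdentityCredential(env), managedIdentityCredential(imds), azureCliCredential(true)];

const asReported = () => runChain(chain({}, fakeImds));             // stops at the 404
const imdsUnreachable = () => runChain(chain({}, null));            // falls through to the CLI
const withWorkaroundEnv = () => runChain(chain(workaroundEnv, fakeImds)); // never reaches IMDS
const withoutManagedIdentity = () =>
  runChain([workloadIdentityCredential({}), azureCliCredential(true)]);

console.log(asReported(), imdsUnreachable(), withWorkaroundEnv(), withoutManagedIdentity());
```
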