azure-sdk-for-js: [identity] breaking change in 3.4.0?

Package Name: azure/identiy
Package Version: 3.4.0

The application works fine with 3.3.2, if we upgrade to 3.4.0 we get the following error: if we revert to 3.3.2, it works fine. if we upgrade to 4.0.0, it works fine too. something is broken in your 3.4.0

Error indexing files: Index creating "kbindex": Unknown server error: ChainedTokenCredential authentication failed.
CredentialUnavailableError: EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit
https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.
CredentialUnavailableError: WorkloadIdentityCredential: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters. 
      In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
      "AZURE_TENANT_ID",
      "AZURE_CLIENT_ID",
      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information:
https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot
  
CredentialUnavailableError: ManagedIdentityCredential: Authentication failed. Message missing_tenant_id_error: A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.
CredentialUnavailableError: Azure CLI could not be found. Please visit
https://aka.ms/azure-cli
for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
CredentialUnavailableError: Error: Unable to execute PowerShell. Ensure that it is installed in your system. To troubleshoot, visit
https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.
CredentialUnavailableError: Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at
https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.

About this issue

Original URL
State: closed
Created 8 months ago
Reactions: 6
Comments: 16 (10 by maintainers)

Most upvoted comments

I confirm the issue: with @azure/identity package 3.4.0, it is not possible to get credentials from a system identity on Azure. To reproduce it, i created an azure function and an app configuration. I assigned a system identity to the azure function, and gave it rights to read app configuration keys. I deployed the following code to my azure function:

  const { app } = require('@azure/functions');
  const { DefaultAzureCredential } = require('@azure/identity')
  const { AppConfigurationClient } = require('@azure/app-configuration')
  
  app.http('helloworld', {
      methods: ['GET'],
      authLevel: 'anonymous',
      handler: async (request, context) => {
          try {
              const appConfigClient = new AppConfigurationClient(
                  `https://${process.env.APPCONFIG_NAME}.azconfig.io`,
                  new DefaultAzureCredential()
              )
              const result = await appConfigClient.getConfigurationSetting({
                  key: 'MyKey'
              })
              context.log(`Http function processed request for url "${request.url}"`)
              const luxUrl = result.value
              context.log(`LUX URL is '${luxUrl}'`);
              return { body: `Hello World ! - LUX URL is '${luxUrl}'` }
          } catch (error) {
              context.log(error)
              return { body: JSON.stringify(error)}
          }
      }
  })

I tested with the following version of @azure/identity:

3.3.2: Works fine
3.4.0: Fails with the error reported by @lgmorand
4.0.0: Works fine

patrickdassier on Nov 9, 2023

I confirm that release 3.4.1 solve the issue. Thanks

patrickdassier on Nov 14, 2023

I hit this yesterday, production broke between releases that were 20 minutes apart. How are there no tests for this most basic usage? Ridiculous.

hmih on Nov 9, 2023

Also, i am assuming that you were running DefaultAzureCredential. Can you provide more details on which credential in particular was expected to run and didn’t run in this version? So that I can dive deeper into this. I know that we didn;t change anything on our side in terms of the API but we just upgraded msal versions to support both node 16 and node 20. Your feedback will really help me investigate in what actually broke.

KarishmaGhiya on Nov 8, 2023