azure-sdk-for-net: [BUG] Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed.

Library name and version

Azure.Messaging.ServiceBus 7.11.1

Describe the bug

Using a System Assigned Managed Identity, I can create a ServiceBusClient, but when I’m trying to create a Queue, it is throwing an error:

//this works var credential = new DefaultAzureCredential(); var client = new ServiceBusClient(“xx.servicebus.windows.net”, credential);

//this throws an error: var credential = new DefaultAzureCredential(); var manager = new ServiceBusAdministrationClient(“xx.servicebus.windows.net”, credential);

PS: I’ve added the system assigned managed identity to “Azure Service Bus Data Owner”

Expected behavior

The system assigned managed identity should be able to create queues as “Azure Service Bus Data Owner” member

Actual behavior

It’s throwing a very large error:

Azure.Identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.EnvironmentCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.EnvironmentCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot —> Azure.RequestFailedException: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AppTokenProviderImpl(AppTokenProviderParameters parameters) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.SendTokenRequestToProviderAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken) at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder1 builder, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.SendHttpRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.GetEntityAsync(String entityPath, String query, Boolean enrich, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.ServiceBusAdministrationClient.QueueExistsAsync(String name, CancellationToken cancellationToken)

Reproduction Steps

1-Create an App Service 2-Add to it a system assigned Managed identity 3-add the system assigned managed identity to Service Bus Data Owner role:

az role assignment create --assignee $managedIdentity --scope $sbId --role “Azure Service Bus Data Owner”

4-Create a web application 5-add the following controller as a test

[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    [HttpGet]
    public IActionResult Test()
    {
        try
        {
            var credential = new DefaultAzureCredential();
            var manager = new ServiceBusAdministrationClient("xx.servicebus.windows.net", credential);

            return Ok(manager.QueueExistsAsync("default"));
        }
        catch (Exception ex)
        {
            throw;
        }
        return Ok();
    }
}

6-deploy the application and call the url https://the-name-you-chose.azurewebsites.net/api/values

Environment

azure .net 6 c# azure service bus nuget 7.11.1

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 20 (3 by maintainers)

Most upvoted comments

We had a similar issue on our end as reported in the original issue, whereby when trying to submit a message on an ASB queue we got the Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) exception. This was only occurring when on Azure as locally (using our Microsoft account) it was working fine.

A resolution to this was via this post, specifically adding a new app configuration key named AZURE_CLIENT_ID containing the managed identity’s Client ID.

chrisportelli on Jan 18, 2023

I just had the same issue, we passed clientId to ManagedIdentityCredential and it failed. Just changed it to new DefaultAzureCredential() and the AZURE_CLIENT_ID env var and then it worked. The code also runs locally so DefaultAzureCredential is the more general solution for us anyway.

christiansparre on Feb 10, 2023

Hi, is there any update on this? I am also facing a similar issue and blocked. Can you please suggest how can we get rid of this error?

Same, Can anyone please help.

bornkiraupgrade on Jan 16, 2023