azure-sdk-for-net: [BUG] Bump from Azure.Identity 1.5.0 to 1.6.0 throws for ManagedIdentityCredential

Library name and version

Azure.Identity 1.6.0

Describe the bug

After upgrading from Azure.Identity 1.5.0 to Azure.Identity 1.6.0, our applications kept working, except for the applications creating the ManagedIdentityCredential, which throw the following error from MSI/token/?api-version=2019-08-01&resource=REDACTED&client_id=REDACTED:

ManagedIdentityCredential authentication failed: No Managed Identity found for specified ClientId/ResourceId/PrincipalId.
Status: 400 (Bad Request)

Headers:
Date: Thu, 07 Apr 2022 09:44:52 GMT
Content-Length: 158

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot 

The release note states: ManagedIdentityCredential now attempts to use the newest "2019-08-01" api version for App Service Managed Identity sources. The newer API version will be used if the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are set. But our services don’t have the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables set, at least not that we know of (https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference), and the “2019-08-01” version is still being used.

Expected behavior

Doesn’t throw when doing the request to MSI/token/?api-version=2019-08-01&resource=REDACTED&client_id=REDACTED for a ManagedIdentityCredential

Actual behavior

Throws when doing the request to MSI/token/?api-version=2019-08-01&resource=REDACTED&client_id=REDACTED for a ManagedIdentityCredential

Reproduction Steps

Bump from Azure.Identity 1.5.0 to Azure.Identity 1.6.0 and ask a ManagedIdentityCredential from MSI/token/?api-version=2019-08-01&resource=REDACTED&client_id=REDACTED

Environment

In an Azure Function, if that matters.

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 26 (7 by maintainers)

Most upvoted comments

Not sure what the actual problem was, but when we switched from using the ManagedIdentityCredentials to DefaultAzureCredentials it fixed the issue.

After additional troubleshooting we have determined that our AKS cluster is impacted by this current outage/issue: image

I’m going to wait until the Azure issue is resolved and will respond back here early next week if we are still having an issue or not.

Hi @christothes,

We first created the function app, enabled its managed identity, and stored the clientId of that Managed Identity in the environment variables as ServiceIdentity:ManagedIdentityClientId. Then when running the function, we store the clientId in an options object and then use it as follows:

public class TokenManagedIdentityCredentialProvider : ITokenCredentialProvider
{
    private readonly IServiceIdentityOptions _options;

    public TokenManagedIdentityCredentialProvider(IServiceIdentityOptions options)
    {
        _options = options;
    }

    public TokenCredential Get()
    {
        return new ManagedIdentityCredential(_options.ManagedIdentityClientId);
    }
}

And then use these credentials as follows:

public class GraphClientProvider : IGraphClientProvider
{
    private readonly ITokenCredentialProvider _credentialProvider;

    public GraphClientProvider(ITokenCredentialProvider credentialProvider)
    {
        _credentialProvider = credentialProvider;
    }

    public GraphServiceClient GetGraphClient()
    {
        var credentials = _credentialProvider.Get();

        var graphClient = new GraphServiceClient(credentials);
        return graphClient;
    }
}

This works fine with V1.5.0 but when bumping to v1.6.0, we get the error mentioned above… We are also not setting any environment variables like that.
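One way to confirm from inside the Function host which managed identity variables are actually present, as an added example that is not part of the original thread or of Azure.Identity. The class name `ManagedIdentityEnvProbe` is hypothetical; `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` come from the release note quoted in the issue, and `MSI_ENDPOINT` and `MSI_SECRET` are assumed here as the older 2017-09-01 App Service names.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical diagnostic helper (added example, not Azure.Identity code).
public static class ManagedIdentityEnvProbe
{
    // IDENTITY_* names are from the release note quoted in the issue;
    // MSI_* names are assumed: the older App Service (2017-09-01) variables.
    private static readonly string[] Names =
        { "IDENTITY_ENDPOINT", "IDENTITY_HEADER", "MSI_ENDPOINT", "MSI_SECRET" };

    // Returns the App Service endpoint version the environment advertises.
    // This mirrors the condition in the release note; it is not the SDK's code.
    public static string Describe(Func<string, string> getEnv)
    {
        var present = new HashSet<string>();
        foreach (var name in Names)
            if (!string.IsNullOrEmpty(getEnv(name))) present.Add(name);

        if (present.Contains("IDENTITY_ENDPOINT") && present.Contains("IDENTITY_HEADER"))
            return "2019-08-01";
        if (present.Contains("MSI_ENDPOINT") && present.Contains("MSI_SECRET"))
            return "2017-09-01";
        return "none";
    }

    public static void Main()
    {
        // Real process environment: report presence only. The header and secret
        // values authenticate calls to the local token endpoint, so never log them.
        foreach (var name in Names)
        {
            var value = Environment.GetEnvironmentVariable(name);
            Console.WriteLine($"{name}: {(string.IsNullOrEmpty(value) ? "not set" : "set")}");
        }
        Console.WriteLine("Advertised by host: " + Describe(Environment.GetEnvironmentVariable));

        // Constructed sample environment (placeholder values, not real ones).
        var sample = new Dictionary<string, string>
        {
            ["IDENTITY_ENDPOINT"] = "http://localhost:8081/msi/token",
            ["IDENTITY_HEADER"] = "placeholder",
        };
        Console.WriteLine("Constructed sample: " +
            Describe(n => sample.TryGetValue(n, out var v) ? v : null)); // 2019-08-01
    }
}
```

Running this inside the deployed Function, rather than checking the app settings in the portal, shows what the host injects at runtime.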

Thank you for your feedback. Tagging and routing to the team members best able to assist.