User Managed Identity unable to get tokens - Unable to load the proper Managed Identity

[benc-uk]

Please provide us with the following information:

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

Assigning a User Managed Identity doesn't work, and the container can not get tokens from the IMDS endpoint when using the SDKs
NOTE. Switching to System Managed Identity the problem immediately goes away

Steps to reproduce

1. Create container app
2. Assign user managed identity
3. Attempt to get a token using the Azure SDKs and DefaultAzureCredential

Expected behavior [What you expected to happen.]

• Tokens are returned

Actual behavior [What actually happened.]

Error output from the Azure SDK for Go

2022-10-08T15:33:53.307692258Z =====> Try=1 GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=https%3A%2F%2Fstorage.azure.com
2022-10-08T15:33:53.307698750Z [Oct  8 15:33:53.307585] Request: ==> OUTGOING REQUEST (Try=1)
2022-10-08T15:33:53.307703770Z    GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED
2022-10-08T15:33:53.307708058Z    User-Agent: azsdk-go-azidentity/v1.1.0 (go1.18.7; linux)
2022-10-08T15:33:53.307712436Z    X-Identity-Header: REDACTED
2022-10-08T15:33:53.307716444Z 
2022-10-08T15:33:54.687832767Z [Oct  8 15:33:54.687728] Response: ==> REQUEST/RESPONSE (Try=1/1.380095619s, OpTime=1.380112721s) -- RESPONSE RECEIVED
2022-10-08T15:33:54.687862903Z    GET http://localhost:42356/msi/token?api-version=2019-08-01&resource=REDACTED
2022-10-08T15:33:54.687870788Z    User-Agent: azsdk-go-azidentity/v1.1.0 (go1.18.7; linux)
2022-10-08T15:33:54.687876659Z    X-Identity-Header: REDACTED
2022-10-08T15:33:54.687881618Z    --------------------------------------------------------------------------------
2022-10-08T15:33:54.687886597Z    RESPONSE Status: 400 Bad Request
2022-10-08T15:33:54.687891987Z    Content-Type: application/json; charset=utf-8
2022-10-08T15:33:54.687896265Z    Date: Sat, 08 Oct 2022 15:33:54 GMT
2022-10-08T15:33:54.687899191Z    Server: Kestrel
2022-10-08T15:33:54.687901846Z    X-Correlation-Id: REDACTED
2022-10-08T15:33:54.687904310Z 
2022-10-08T15:33:54.687906995Z [Oct  8 15:33:54.687754] Retry: response 400
2022-10-08T15:33:54.688526711Z [Oct  8 15:33:54.687804] Retry: error DefaultAzureCredential authentication failed
2022-10-08T15:33:54.688542120Z GET http://localhost:42356/msi/token
2022-10-08T15:33:54.688548011Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688552580Z RESPONSE 400 Bad Request
2022-10-08T15:33:54.688557018Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688562288Z {
2022-10-08T15:33:54.688567508Z   "statusCode": 400,
2022-10-08T15:33:54.688572527Z   "message": "Unable to load the proper Managed Identity.",
2022-10-08T15:33:54.688588918Z   "correlationId": "cbd25d94-dea8-4ebf-b3f4-b83d715c6e75"
2022-10-08T15:33:54.688594128Z }
2022-10-08T15:33:54.688599468Z --------------------------------------------------------------------------------
2022-10-08T15:33:54.688604317Z 
2022-10-08T15:33:54.688610027Z [Oct  8 15:33:54.687822] Retry: non-retriable error *azidentity.AuthenticationFailedError

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

N/A

[benc-uk]

Raised in error

Once I switched to NewManagedIdentityCredential and told it which User Identity to use it worked

[cwe1ss]

It does work with DefaultAzureCredential if you set the AZURE_CLIENT_ID environment variable.

See here for more details: #325 (comment)

[benc-uk]

Yes that would also be a fix, but it varies from SDK to SDK

In my case with Go, that AZURE_CLIENT_ID is checked, but other SDKs provide different routes to specify it

[arkiaconsulting]

This works for me with Azure.Identity 1.9.0, and setting explicitly the Managed Identity client ID to use (because it's a User Managed Identity). Depending on the time when you need these credential, you may source the setting from environment variables instead of from IConfiguration.

var getRuntimeAzureCredentials = () => new ManagedIdentityCredential(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));

[AndreaPic]

AZURE_CLIENT_ID
Using AZURE_CLIENT_ID and User assigned managed identities work for me too, but I don't like to add this configuration. I would use User assigned managed identities without any configurations.
I'm using:
"Azure.Identity" Version="1.9.0"
"Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.2"

[sec]

We're also facing the same issue - was this fixed somehow becuase issue is closed?

[Kirankumar-thamatam]

I tried all the mentioned solutions/answers, it didn't work for me, tried below solutions

1. DefaultAzureCredential if you set the AZURE_CLIENT_ID environment variable.
2. new ManagedIdentityCredential(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"));

[fvilches17]

The reasons for this issue are multiple, but if it helps anyone, this was my case:

I was using a UserAssignedIdentity + DefaultAzureCredential(), which under the hood chooses the ManagedIdentity provider when running in the context of an Azure resource (in my case, FunctionApp).

Before

var tokenCredential = new DefaultAzureCredential();

// rest of code ...

After

var defaultCredentialOptions = new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<guid of my user assigned identity's client id>" };

var tokenCredential = new DefaultAzureCredential(defaultCredentialOptions);

// rest of code ...

Reason: looks like because one or more UserAssignedIdentity can be assigned to an Azure Resource, we have to be explicit about which one to use.

Hope this helps someone.