
@azure/identity does not work with AAD Pod Identity on first request

  • @azure/identity
  • 1.2.2
  • Azure Kubernetes Service (AKS)
  • [x] Node.js
    • 14.15.0

Describe the bug

We have a series of Node.js microservices running in AKS. To avoid credential storage in applications, we are using AAD Pod Identity within our cluster for connecting to Azure resources such as Azure Postgres Server and Azure Service Bus.

The first request for a token is always too slow to be established by AAD Pod Identity and there isn’t a way for the Identity to wait for it to be created, so the application throws an error. On the second request it works fine.

This is problematic as every first deployment will always fail first attempt.

To Reproduce

Steps to reproduce the behavior:

Taking Service Bus as an example if we do the following simplified version of our code:

const { DefaultAzureCredential } = require("@azure/identity") // also tried going straight for ManagedIdentityCredential() too
const { ServiceBusClient } = require("@azure/service-bus")

const credentials = new DefaultAzureCredential()
const client = new ServiceBusClient(myServiceBusInstance, credentials)
const sender = client.createSender(myQueue)
await sender.sendMessages(myMessage) // sendMessages accepts a single message or an array

The last line will throw the following error on the first attempt, but will work second attempt.

Error: EnvironmentCredential is unavailable. Environment variables are not fully configured.
Error: ManagedIdentityCredential - No MSI credential available
Error: Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
Error: Visual Studio Code credential requires the optional dependency 'keytar' to work correctly
    at DefaultAzureCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:285:29)
    at Generator.throw (<anonymous>)
    at rejected (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:115:69) {
  errors: [
    CredentialUnavailable [Error]: EnvironmentCredential is unavailable. Environment variables are not fully configured.
        at EnvironmentCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:896:27)
        at Generator.next (<anonymous>)
        at /home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:117:75
        at new Promise (<anonymous>)
        at Object.__awaiter (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:113:16)
        at EnvironmentCredential.getToken (/home/node/node_modules/@azure/identity/dist/index.js:862:22)
        at DefaultAzureCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:272:52)
        at Generator.next (<anonymous>)
        at /home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:117:75
        at new Promise (<anonymous>),
    CredentialUnavailable [Error]: ManagedIdentityCredential - No MSI credential available
        at ManagedIdentityCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:1221:19)
        at Generator.next (<anonymous>)
        at fulfilled (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:114:62)
        at processTicksAndRejections (internal/process/task_queues.js:93:5),
    CredentialUnavailable [Error]: Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
        at /home/node/node_modules/@azure/identity/dist/index.js:1403:43,
    CredentialUnavailable [Error]: Visual Studio Code credential requires the optional dependency 'keytar' to work correctly
        at VisualStudioCodeCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:1604:23)
        at Generator.next (<anonymous>)
        at fulfilled (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:114:62)
  ]
}

Expected behavior

I’d expect the client to wait for the credential, or to have the option to retry if it is unavailable.

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 2
  • Comments: 13 (12 by maintainers)

Top GitHub Comments

HarshaNalluru commented, Jan 29, 2021 (2 reactions)

Thanks for the detailed comments @johnwatson484. I’ll look into the parts that need to be added to service-bus.

sadasant commented, Feb 23, 2021 (1 reaction)

Thank you @HarshaNalluru

@johnwatson484 The solution we recommend is what we shared above, to add this to your architecture (where we use it):

      initContainers:
      - name: wait-for-imds  # this container exits successfully when the IMDS endpoint returns 200 when asked for a
        image: busybox:1.31  # Key Vault token, guaranteeing IMDS is configured and ready before the test runs
        command: ['sh', '-c', 'wget "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net&api-version=2018-02-01" --header "Metadata: true" -S --spider -T 6']

Adding retrying mechanisms in our libraries for authentication is something we’re trying to avoid. We will be coordinating with our team to document this recommendation more visibly to our users in general. I’ve made an issue to follow up on the documentation side: https://github.com/Azure/azure-sdk-for-js/issues/13948

Once again, thank you for your time making this issue. Please let us know if we can help with anything else! Take care.
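An added example (not code from the issue, from @azure/identity, or from the maintainers) of the application-side counterpart to the initContainer above and to the wait-or-retry behaviour the reporter asks for: it polls `getToken()` on any object exposing that method (in practice a `DefaultAzureCredential`, assumed rather than imported here) with bounded exponential backoff, retries only on `CredentialUnavailable`-style errors of the kind shown in the reported trace, and propagates any other error immediately so a real misconfiguration is not masked. The `flakyCredential` stand-in is constructed for the demonstration.

```javascript
// Readiness gate for AAD Pod Identity / IMDS: run once at startup, before the
// first Service Bus or Postgres call, so the first real request never races
// the identity being assigned to the pod.
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Heuristic taken from the reported stack trace: DefaultAzureCredential throws an
// aggregate error whose `errors` array holds CredentialUnavailable entries.
function isCredentialUnavailable(err) {
  if (!err) return false;
  if (/CredentialUnavailable/.test(err.name || "")) return true;
  if (Array.isArray(err.errors)) return err.errors.some(isCredentialUnavailable);
  return false;
}

async function waitForCredential(credential, scope, opts = {}) {
  const { maxAttempts = 10, baseDelayMs = 500, maxDelayMs = 8000,
          sleep = defaultSleep, log = () => {} } = opts;
  let lastErr;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const result = await credential.getToken(scope);
      if (result && result.token) return { attempts: attempt, token: result.token };
      lastErr = new Error("getToken returned no token");
    } catch (err) {
      if (!isCredentialUnavailable(err)) throw err; // genuine auth failure: surface it now
      lastErr = err;
    }
    if (attempt < maxAttempts) {
      const delay = Math.min(maxDelayMs, baseDelayMs * 2 ** (attempt - 1));
      log(`identity not ready (attempt ${attempt}/${maxAttempts}); retrying in ${delay} ms`);
      await sleep(delay);
    }
  }
  const err = new Error(`managed identity not available after ${maxAttempts} attempts`);
  err.cause = lastErr; // keep the last CredentialUnavailable for the logs
  throw err;
}

// Constructed stand-in for a credential whose backend is not ready for the first N calls.
function flakyCredential(failures) {
  let calls = 0;
  return {
    getToken: async () => {
      calls++;
      if (calls <= failures) {
        const e = new Error("ManagedIdentityCredential - No MSI credential available");
        e.name = "CredentialUnavailable";
        throw e;
      }
      return { token: "constructed-token-" + calls, expiresOnTimestamp: Date.now() + 3600000 };
    },
    calls: () => calls,
  };
}
```

With a real credential the call is `await waitForCredential(new DefaultAzureCredential(), "https://servicebus.azure.net/.default")`, after which the client code from the issue can run unchanged.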

