@azure/identity does not work with AAD Pod Identity on first request
- @azure/identity
- 1.2.2
- Azure Kubernetes Service (AKS)
- [x] Node.js
- 14.15.0
Describe the bug
We have a series of Node.js microservices running in AKS. To avoid credential storage in applications, we are using AAD Pod Identity within our cluster for connecting to Azure resources such as Azure Postgres Server and Azure Service Bus.
The first request for a token is always too slow to be established by AAD Pod Identity and there isn’t a way for the Identity to wait for it to be created so the application throws an error. On the second request it works fine.
This is problematic as every first deployment will always fail on the first attempt.
To Reproduce
Steps to reproduce the behavior:
Taking Service Bus as an example, if we do the following simplified version of our code:
```js
const { DefaultAzureCredential } = require("@azure/identity")
const { ServiceBusClient } = require("@azure/service-bus")

const credentials = new DefaultAzureCredential() // also tried going straight for ManagedIdentityCredential() too
const client = new ServiceBusClient(myServiceBusInstance, credentials)
const sender = client.createSender(myQueue)
await sender.sendMessage(myMessage)
```
The last line will throw the following error on the first attempt, but will work on the second attempt.
```
Error: EnvironmentCredential is unavailable. Environment variables are not fully configured.
Error: ManagedIdentityCredential - No MSI credential available
Error: Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
Error: Visual Studio Code credential requires the optional dependency 'keytar' to work correctly
    at DefaultAzureCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:285:29)
    at Generator.throw (<anonymous>)
    at rejected (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:115:69) {
  errors: [
    CredentialUnavailable [Error]: EnvironmentCredential is unavailable. Environment variables are not fully configured.
        at EnvironmentCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:896:27)
        at Generator.next (<anonymous>)
        at /home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:117:75
        at new Promise (<anonymous>)
        at Object.__awaiter (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:113:16)
        at EnvironmentCredential.getToken (/home/node/node_modules/@azure/identity/dist/index.js:862:22)
        at DefaultAzureCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:272:52)
        at Generator.next (<anonymous>)
        at /home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:117:75
        at new Promise (<anonymous>),
    CredentialUnavailable [Error]: ManagedIdentityCredential - No MSI credential available
        at ManagedIdentityCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:1221:19)
        at Generator.next (<anonymous>)
        at fulfilled (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:114:62)
        at processTicksAndRejections (internal/process/task_queues.js:93:5),
    CredentialUnavailable [Error]: Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
        at /home/node/node_modules/@azure/identity/dist/index.js:1403:43,
    CredentialUnavailable [Error]: Visual Studio Code credential requires the optional dependency 'keytar' to work correctly
        at VisualStudioCodeCredential.<anonymous> (/home/node/node_modules/@azure/identity/dist/index.js:1604:23)
        at Generator.next (<anonymous>)
        at fulfilled (/home/node/node_modules/@azure/identity/node_modules/tslib/tslib.js:114:62)
  ]
}
```
Expected behavior
I’d expect the client should wait for the credential or should have the option to retry if unavailable.
Top GitHub Comments
Thanks for the detailed comments @johnwatson484. I’ll look into the parts that need to be added to service-bus.
Thank you @HarshaNalluru
@johnwatson484 The solution we recommend is what we shared above, to add this to your architecture (where we use it):
Adding retrying mechanisms in our libraries for authentication is something we’re trying to avoid. We will be coordinating with our team to document this recommendation more visibly to our users in general. I’ve made an issue to follow up on the documentation side: https://github.com/Azure/azure-sdk-for-js/issues/13948
Once again, thank you for your time making this issue. Please let us know if we can help with anything else! Take care.
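Since the maintainers say above that they want to avoid retry logic in the libraries, the retry the reporter asks for can live in application code. The following is an added example, not code from this thread or from the Azure SDK: a wrapper that retries `getToken` with bounded exponential backoff only while every underlying error is `CredentialUnavailable`, as in the trace. `RetryingCredential`, `isUnavailable` and `FlakyCredential` (a constructed stand-in for a pod whose identity is not assigned yet) are hypothetical names.

```javascript
// Added example, not from the issue or the Azure SDK; all names are hypothetical.

// True for the "not available yet" failures in the trace: one
// CredentialUnavailable, or an aggregate whose `errors` are all of that kind.
function isUnavailable(err) {
  if (err && err.name === "CredentialUnavailable") return true;
  return Boolean(err && Array.isArray(err.errors) && err.errors.length > 0 &&
    err.errors.every((e) => e && e.name === "CredentialUnavailable"));
}

class RetryingCredential {
  constructor(inner, { attempts = 5, baseDelayMs = 500, maxDelayMs = 8000 } = {}) {
    Object.assign(this, { inner, attempts, baseDelayMs, maxDelayMs });
  }

  async getToken(scopes, options) {
    for (let attempt = 1; ; attempt++) {
      try {
        return await this.inner.getToken(scopes, options);
      } catch (err) {
        // Retry only the unavailable case, a bounded number of times; any
        // other authentication failure surfaces immediately.
        if (!isUnavailable(err) || attempt >= this.attempts) throw err;
        const delay = Math.min(this.baseDelayMs * 2 ** (attempt - 1), this.maxDelayMs);
        await new Promise((resolve) => setTimeout(resolve, delay));
      }
    }
  }
}

// Constructed stand-in: fails the first `failures` requests the way the trace
// does, then returns a constructed token.
class FlakyCredential {
  constructor(failures) { this.failures = failures; this.calls = 0; }
  async getToken() {
    if (++this.calls <= this.failures) {
      const inner = Object.assign(new Error("No MSI credential available"),
        { name: "CredentialUnavailable" });
      throw Object.assign(new Error("no credential available"), { errors: [inner] });
    }
    return { token: "constructed-sample-token", expiresOnTimestamp: Date.now() + 3600000 };
  }
}

async function demo() {
  const flaky = new FlakyCredential(2);
  const cred = new RetryingCredential(flaky, { attempts: 4, baseDelayMs: 5 });
  const { token } = await cred.getToken("https://servicebus.azure.net/.default");
  return { token, calls: flaky.calls };
}
```

The wrapper only needs a `getToken(scopes, options)` method on the inner object, so it can be passed wherever the credential is accepted, for example `new ServiceBusClient(myServiceBusInstance, new RetryingCredential(new DefaultAzureCredential()))`.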