Consistent 400 response code followed by 200 when using ManagedIdentityCredential

The resource is indeed keyvault, and we run on K8S with VMSS which has a user assigned identity. Since the second request consistently returns 200 and the 400 has no real impact on us, I think the issue can be closed for now, and in case I will see that it causes any problem, I will reopen.

@guy-microsoft

• Which azure resource are you trying to access? If it is keyvault, then it does return 401 by design. In case of Kubernetes too, if you are seeing the 400 response consistently, it may happen that the pods might take some time initially to warm up and the imds endpoint might not be available.

• You could either add a retry (though we do have the retry in our identity code) or slight initial delay and see if it helps? Let me know if this works for you.

• In order to verify how many retries are done by the @azure/identity library, you could add this code snippet - In package.json dependencies section add : “@azure/logger”: “^1.0.3”

If you are using JS, add this code snippet:

const logger = require("@azure/logger");
logger.setLogLevel("info");

OR if you are using TS, add this code snippet:

import { setLogLevel } from "@azure/logger";
// set up the log level to enable the logger
setLogLevel("info");

After running the code, check the logs and look for the retry policy azure:core-rest-pipeline retryPolicy:info Retry 0

• Also are you using Kubernetes or Azure VM for managed identity?

• A verification for endpoint availability check that you can run on your end - if you are using managed identity on VM - When you receive the 400 response from the sdk, you should also receive the 400 response when you try this curl command - https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/TROUBLESHOOTING.md#verify-imds-is-available-on-the-vm which shows that the endpoint is not available.