
[KeyVault] Keyvault access is broken in newer version on Managed Identity

  • Package Name: @azure/identity
  • Package Version: 4.4.0
  • Operating system: Windows 10
  • nodejs
    • version: 8.17
  • browser
    • name/version:
  • typescript
    • version: 3.9.5
  • Is the bug related to documentation in

Describe the bug
When using DefaultAzureCredential on a Managed Identity machine (Azure VMs), the credentials throw an error while trying to access keyvault.SecretClient(url, cred). This makes Key Vault secrets completely inaccessible.

To Reproduce
Steps to reproduce the behavior:

  1. On a managed identity use the following code to reproduce the issue.
const identity = require("@azure/identity");
const keyvault = require("@azure/keyvault-secrets");

const credentials = new identity.DefaultAzureCredential();
const vaultName = "<yourVaultName>"; // placeholder: your Key Vault name
const vaultUrl = `https://${vaultName}.vault.azure.net`;

// await is only valid inside an async function (or an ES module)
async function main() {
  try {
    const client = new keyvault.SecretClient(vaultUrl, credentials);
    const secretValue = await client.getSecret("<secretName>"); // placeholder: secret name
    return secretValue;
  } catch (e) {
    // Error() ignores a second argument, so include the original message explicitly
    throw new Error(`Failed accessing secrets from Key-vault: ${e.message}`);
  }
}

main();

Expected behavior
The above code snippet should not throw any errors when all the resources are aligned properly. Note that the above snippet gives an error in v4.4.x while v4.3.x works like a charm.

Screenshots
N/A

Additional context
The SDK is tested on a managed identity machine, and the previous version seems to be working fine. NB: for the Microsoft support team, you can refer to a ticket with TrackingID#2204050050000883, without disclosing further details. (confidential)

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 14 (8 by maintainers)

Top GitHub Comments

3 reactions
maorleger commented, May 16, 2022

Hi @ashut0shk - thanks for the verbose logging, this was really helpful!

I now noticed that in the issue description you mentioned you’re using Node 8.x - is that correct?

If so, we no longer support Node 8.x as it is outside of our support policy - we highly recommend upgrading to a Node version that is maintained. Please feel free to refer to the Node.JS releases page for information about what versions are currently maintained by the community. Production applications should only use Active LTS or Maintenance LTS releases.

For more context - the URL class was made available on the global object as of Node 10.x and so the underlying error is likely to be “URL is not a function” (or something similar).

There is an issue here though - since we catch any exception and return this blanket “the challenge authorization URI … is invalid” we are likely masking errors such as this. Maybe we should revisit that and either:

  • Let the original error message bubble up to the user instead of masking it
  • Only catch a specific error type when the URL truly is invalid, letting other errors bubble up to the surface

Note to the team: All of this assumes this really is a Node 8 issue, and the author of the issue will confirm
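The masking problem described in the comment above, as an added illustration that is not @azure/identity's own code: a hypothetical challenge-URI parser written two ways, the blanket catch beside a version that only translates Node's ERR_INVALID_URL into the "is invalid" message and lets any other failure surface unchanged. The stand-in for a runtime without a usable URL global is constructed for the demo.

```javascript
// Added example, not SDK code. parseChallengeUri* are hypothetical names.

// Version 1 (blanket catch): every failure, including a broken or missing URL
// constructor, is reported as "the challenge authorization URI ... is invalid".
function parseChallengeUriMasking(authorizationUri, URLCtor = globalThis.URL) {
  try {
    return new URLCtor(authorizationUri);
  } catch (e) {
    throw new Error(`The challenge authorization URI ${authorizationUri} is invalid`);
  }
}

// Version 2 (specific catch): only Node's invalid-URL TypeError (code
// ERR_INVALID_URL) becomes the friendly message; anything else is rethrown.
function parseChallengeUriSpecific(authorizationUri, URLCtor = globalThis.URL) {
  try {
    return new URLCtor(authorizationUri);
  } catch (e) {
    if (e instanceof TypeError && e.code === "ERR_INVALID_URL") {
      throw new Error(`The challenge authorization URI ${authorizationUri} is invalid`);
    }
    throw e; // do not mask unrelated failures such as a missing URL global
  }
}

// Constructed stand-in for a runtime where the URL global is not usable
// (the Node 8 situation discussed above). Called via `new`, it just throws.
function missingUrlGlobal() {
  throw new ReferenceError("URL is not defined");
}

// Returns the message a caller would actually see from either parser.
function observedMessage(parser, uri, URLCtor) {
  try {
    parser(uri, URLCtor);
    return "ok";
  } catch (e) {
    return e.message;
  }
}

const challengeUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
console.log(observedMessage(parseChallengeUriMasking, challengeUri, missingUrlGlobal));
console.log(observedMessage(parseChallengeUriSpecific, challengeUri, missingUrlGlobal));
```

The first line printed is the misleading "is invalid" message; the second is the real "URL is not defined", which is what the user would need to see to diagnose an unsupported Node version.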

2 reactions
sadasant commented, May 10, 2022

@maorleger The multi-tenant feature was added through these two PRs:

To disable it, one can set the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH. That could help us identify whether the multi-tenant feature is at fault.
