Managed Identity - DefaultAzureCredential - RestError: [TokenExpired] Error validating token: 'S2S12086'
See original GitHub issue

- Package Name: @azure/identity
- Package Version: ^2.0.0
- Operating system: Linux
- nodejs version: 16.x
- browser name/version:
- typescript version:
- Is the bug related to documentation in: README.md / source code documentation / SDK API docs on https://docs.microsoft.com
Describe the bug
Hello
I have a Node.js application running in App Service that needs to fetch secrets from a KeyVault. This App Service has a Managed Identity. Here’s the relevant pseudo code:
const secretClient = new SecretClient(this.keyVaultUrl, new DefaultAzureCredential());
const secret = (await secretClient.getSecret(secretName))?.value;
This has been working great for months, but suddenly about 10 days ago, our app wasn’t able to fetch secrets anymore. A first basic look at the logs showed this error message, coming from the underlying library:
RestError: [TokenExpired] Error validating token: 'S2S12086'
We’re using DefaultAzureCredential, which in our case instantiates a ManagedIdentityCredential in the end.
So it looks like there’s an issue with the token expiration date received by the App Service from the internal Azure issuer.
To better understand what’s happening under the hood, I enabled the maximum verbosity with the AZURE_LOG_LEVEL=verbose environment variable.
Then, one particular line looks quite suspicious at the end of the token acquisition dance:
azure:identity:info IdentityClient: [http://172.16.2.7:8081/msi/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01] token acquired, expires on NaN
It corresponds to the following line: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/client/identityClient.ts#L140
The NaN at the end of the log line (which is token.accessToken.expiresOnTimestamp) looks quite surprising and I think it may be related to the problem we’re experiencing.
Do you confirm this intuition? Thanks.
Issue Analytics
- State:
- Created: a year ago
- Reactions: 4
- Comments: 20 (11 by maintainers)
Hi again patient friends, I would like to update this thread with the news that my fix was released as part of @azure/identity 3.0.0 yesterday. 🎉 I believe this should hopefully resolve the issue, so in my optimism I am going to resolve, but please let me know if you are still having issues with token expiration!
Just lost 2 days troubleshooting this 😔
As reported by multiple people above, on version 2.1.0 sometimes the expiresOnTimestamp is NaN, which caused our internal refresh logic to fail and never refresh it, so after 24h the token became invalid and we were still trying to use it. For context, we’re using App Service with user-assigned managed identity.