
Azure.Identity 1.6.0 - AuthenticationFailedException: ManagedIdentityCredential authentication failed: No Managed Identity found


Library name and version

Azure.Identity 1.6.0

Describe the bug

We make use of Azure Key Vault and use a system-assigned managed identity of the Azure Function to connect to KV at runtime.

With Azure.Identity 1.6.0 we get “AuthenticationFailedException: ManagedIdentityCredential authentication failed: No Managed Identity found for specified ClientId/ResourceId/PrincipalId”

Reverting back to Azure.Identity 1.5.0 fixes it with no other changes our side.

We are using ‘DefaultAzureCredential’ to provide credentials to Key Vault SecretClient.

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential with the Azure CLI credential excluded. ManagedIdentityClientId
// pins the ManagedIdentityCredential step to the user-assigned identity with that client id.
DefaultAzureCredentialOptions credentialOptions = new DefaultAzureCredentialOptions()
{
    ExcludeAzureCliCredential = true,
    ManagedIdentityClientId = _configuration.ManagedIdentityClientId
};
SecretClientOptions clientOptions = GetClientOptions();
_client = new SecretClient(new Uri(_configuration.KeyVaultUrl), new DefaultAzureCredential(credentialOptions), clientOptions);

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
Exception: Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: No Managed Identity found for specified ClientId/ResourceId/PrincipalId.
Status: 400 (Bad Request)

   at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.DefaultAzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequest(HttpMessage message)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
   at Azure.Security.KeyVault.Secrets.SecretClient.GetSecret(String name, String version, CancellationToken cancellationToken)
   at Onsend.Lib.Core.KeyVault.KeyVaultManager.GetSecret(String secretName) in /_/Onsend.Lib/Core/KeyVault/KeyVaultManager.cs:line 117
   at Onsend.Lib.Core.KeyVault.KeyVaultSecretProvider.GetSecret(String key, Boolean required) in /_/Onsend.Lib/Core/KeyVault/KeyVaultSecretProvider.cs:line 59

Expected behavior

Gets managed identity.

Actual behavior

Throws exception. AuthenticationFailedException: ManagedIdentityCredential authentication failed: No Managed Identity found for specified ClientId/ResourceId/PrincipalId

Reproduction Steps

Upgrade from Azure.Identity 1.5.0 to 1.6.0

Environment

Azure Functions:

  • FUNCTIONS_EXTENSION_VERSION: ~4
  • FUNCTIONS_WORKER_RUNTIME: dotnet-isolated

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

1 reaction
phil000 commented, Oct 20, 2022

Hello @christothes We have been using system managed identities for about a year now.

Having a look I think this is what may have happened:

We started Azure Functions using user-managed identities but swapped to system-managed identities about a year ago as we wanted to use Key Vault References for secrets that are basically expected to be in the Functions configuration.

Everything seemed to work fine but we did not remove the ManagedIdentityClientId that is passed to our KeyVault SecretClient that is used to look up other secrets at runtime. In most cases the ‘ManagedIdentityClientId’ points to an identity that doesn’t exist, but this all worked fine anyway.

Upgrading from Azure.Identity 1.5.0 to 1.6.0 seemed to expose this configuration issue, but it wasn’t obvious it was a configuration issue as the only change was a package version update that broke us.

Removing the ManagedIdentityClientId seems to have worked and we have upgraded to 1.7.0 now without the former issue occurring.
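The root cause described in the issue and in the comment above is a ManagedIdentityClientId that points at a user-assigned identity which is no longer attached to the Function App, while the app actually authenticates with its system-assigned identity. The following is an added example, not code from the reporter or from the Azure SDK repository, showing how to build the same DefaultAzureCredential without pinning a stale client id and how to probe the identity once at startup so the failure surfaces with an actionable message instead of deep inside the first GetSecret call. KeyVaultSettings is a hypothetical stand-in for the reporter's `_configuration`, the environment variable names and the secret name are constructed for the example, and the Key Vault scope `https://vault.azure.net/.default` is the standard scope for Key Vault token requests.

```csharp
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical stand-in for the issue's `_configuration` object (assumption, not the reporter's type).
public sealed class KeyVaultSettings
{
    public string KeyVaultUrl { get; init; } = "";

    // null/empty  => rely on the Function App's system-assigned identity
    // a client id => pin DefaultAzureCredential to that user-assigned identity
    public string? ManagedIdentityClientId { get; init; }
}

public static class KeyVaultCredentialFactory
{
    // Standard Key Vault resource scope for token requests.
    private const string KeyVaultScope = "https://vault.azure.net/.default";

    public static DefaultAzureCredential Create(KeyVaultSettings settings)
    {
        var options = new DefaultAzureCredentialOptions
        {
            ExcludeAzureCliCredential = true,
        };

        // Only pin a client id when one is deliberately configured. A stale id left over
        // from a detached user-assigned identity is what produced
        // "No Managed Identity found for specified ClientId/ResourceId/PrincipalId".
        if (!string.IsNullOrWhiteSpace(settings.ManagedIdentityClientId))
        {
            options.ManagedIdentityClientId = settings.ManagedIdentityClientId;
        }

        return new DefaultAzureCredential(options);
    }

    // Startup probe: request one Key Vault token so a misconfigured identity fails
    // immediately, rather than on the first GetSecret call inside the HTTP pipeline.
    public static AccessToken VerifyManagedIdentity(TokenCredential credential, string? configuredClientId)
    {
        var context = new TokenRequestContext(new[] { KeyVaultScope });
        try
        {
            return credential.GetToken(context, CancellationToken.None);
        }
        catch (AuthenticationFailedException ex) when (MentionsMissingIdentity(ex))
        {
            string hint = string.IsNullOrWhiteSpace(configuredClientId)
                ? "No client id is configured; make sure the system-assigned identity is enabled on this app."
                : $"ManagedIdentityClientId '{configuredClientId}' is not assigned to this app. " +
                  "Assign that user-assigned identity, or clear the setting to use the system-assigned identity.";
            throw new InvalidOperationException("Managed identity check failed. " + hint, ex);
        }
    }

    // DefaultAzureCredential wraps the ManagedIdentityCredential failure, so walk the
    // inner-exception chain instead of matching only the outermost message.
    private static bool MentionsMissingIdentity(Exception? ex)
    {
        for (; ex != null; ex = ex.InnerException)
        {
            if (ex.Message.Contains("No Managed Identity found", StringComparison.Ordinal))
                return true;
        }
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        // Environment variable names are constructed for this example.
        var settings = new KeyVaultSettings
        {
            KeyVaultUrl = Environment.GetEnvironmentVariable("KEYVAULT_URL")
                          ?? throw new InvalidOperationException("KEYVAULT_URL is not set"),
            ManagedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID"),
        };

        DefaultAzureCredential credential = KeyVaultCredentialFactory.Create(settings);
        AccessToken token = KeyVaultCredentialFactory.VerifyManagedIdentity(credential, settings.ManagedIdentityClientId);
        Console.WriteLine($"Managed identity OK; token expires at {token.ExpiresOn:u}");

        var client = new SecretClient(new Uri(settings.KeyVaultUrl), credential);
        KeyVaultSecret secret = client.GetSecret("example-secret-name");   // constructed secret name
        Console.WriteLine($"Fetched secret '{secret.Name}' (version {secret.Properties.Version})");
    }
}
```

Leaving MANAGED_IDENTITY_CLIENT_ID unset reproduces the fix the reporter landed on (system-assigned identity, no client id pinned); setting it to the client id of an identity that is not attached to the app reproduces the 1.6.0 failure, now caught at startup with the configured value in the message.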

0 reactions
msftbot[bot] commented, Oct 27, 2022

Hi @phil000, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.
