[BUG] Azure.Identity 1.5.0 freezes up ChainedTokenCredential with ManagedIdentityCredential listed first in local dev


Describe the bug

Immediately after upgrading Azure.Identity from 1.4.1 to 1.5.0, I noticed all my web projects freeze up at startup in local dev (VS Kestrel).

In my host builder inside Program.cs, I have

var tokenCred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());

var secretClient = new SecretClient(
                        new Uri($"https://my-keyvault.vault.azure.net/"),
                        tokenCred);

var certificatesClient = new CertificateClient(
                        new Uri($"https://my-keyvault.vault.azure.net/"),
                            tokenCred);

config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());

// ... load some necessary secrets/certs etc.

Note that I use ChainedTokenCredential with ManagedIdentityCredential listed first, followed by AzureCliCredential. This would ensure that when the project runs in Azure, managed identity is immediately used. In local dev, managed identity is attempted first which would fail quickly, then AzureCliCredential is successfully used next.

Expected behavior

Normally, the ManagedIdentityCredential should fail quickly (within a second or so) when running in local dev environment, which allows the chained credential to fall through to the next available credential.

Actual behavior

Something changed in Azure.Identity 1.5.0, which makes the program freeze up at ManagedIdentityCredential in local dev for a minute+. No exception/error messages (except Kestrel would time out, saying host is unable to start). But eventually, AzureCliCredential hits and code flows through. Maybe the timeout on ManagedIdentityCredential was misconfigured in the newer package.

Environment:

  • Azure.Identity 1.5.0
  • Visual Studio 2022 RC1
  • ASP.NET Core Web API and Razor projects set to start up via Kestrel

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 22 (10 by maintainers)

Top GitHub Comments

1 reaction
heldersousa-planetpayment commented, Oct 18, 2022

Hi @christothes

I can provide my details.

My service is using DefaultAzureCredential without any other options and running the code on my laptop (local development), using VS 2022.

I’ve done az login in the command line to cache my personal credentials to access Azure Resources. If I run it from the command line using dotnet run (not using VS 2022 at all), I get the same behaviour.

I observed the delay with connections to Azure Key Vault and Azure Service Bus.

Following is sample code connecting to KeyVault. You can see from the logs that it takes 10 seconds when ManagedIdentityCredential is not excluded vs 3 seconds when ManagedIdentityCredential is excluded.

Sample code 1

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

Console.WriteLine($"{DateTime.Now} Creating client for key vault");
var secretClient = new SecretClient(new Uri("https://mykeyvault.vault.azure.net/"), new DefaultAzureCredential());
Console.WriteLine($"{DateTime.Now} Getting entry from key vault");
var v1 = secretClient.GetSecretAsync("key1").Result.Value;
Console.WriteLine($"{DateTime.Now} Done");
Console.WriteLine($"{DateTime.Now} Getting another entry from key vault");
var v2 = secretClient.GetSecretAsync("key2").Result.Value;
Console.WriteLine($"{DateTime.Now} Done");

Logs (10 seconds to get the first key):

19/10/2022 00:37:41 Creating client for key vault
19/10/2022 00:37:41 Getting entry from key vault
19/10/2022 00:37:51 Done
19/10/2022 00:37:51 Getting another entry from key vault
19/10/2022 00:37:51 Done

Sample code 2 (ExcludeManagedIdentityCredential = true)

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

Console.WriteLine($"{DateTime.Now} Creating client for key vault");
var secretClient = new SecretClient(new Uri("https://mykeyvault.vault.azure.net/"), new DefaultAzureCredential(
    new DefaultAzureCredentialOptions()
    {
        ExcludeManagedIdentityCredential = true
    }));
Console.WriteLine($"{DateTime.Now} Getting entry from key vault");
var v1 = secretClient.GetSecretAsync("key1").Result.Value;
Console.WriteLine($"{DateTime.Now} Done");
Console.WriteLine($"{DateTime.Now} Getting another entry from key vault");
var v2 = secretClient.GetSecretAsync("key2").Result.Value;
Console.WriteLine($"{DateTime.Now} Done");

Logs (3 seconds to get first key):

19/10/2022 00:40:26 Creating client for key vault
19/10/2022 00:40:26 Getting entry from key vault
19/10/2022 00:40:29 Done
19/10/2022 00:40:29 Getting another entry from key vault
19/10/2022 00:40:29 Done

Packages in my project (same behaviour with Azure.Identity 1.8.0-beta.1 and 1.9.0-beta.1):

    <PackageReference Include="Azure.Identity" Version="1.7.0" />
    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.4.0" />

System Info

C:\Users\helder.sousa>dotnet --version
6.0.400

C:\Users\helder.sousa>systeminfo
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
System Manufacturer:       Dell Inc.
System Model:              Latitude 5420
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 140 Stepping 1 GenuineIntel ~1805 Mhz
BIOS Version:              Dell Inc. 1.19.0, 16/06/2022
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
Total Physical Memory:     32,497 MB
Available Physical Memory: 8,189 MB
Virtual Memory: Max Size:  46,833 MB
Virtual Memory: Available: 14,541 MB
Virtual Memory: In Use:    32,292 MB
Hotfix(s):                 20 Hotfix(s) Installed.

C:\Users\helder.sousa> wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
Caption                                DeviceID  MaxClockSpeed  Name                                            NumberOfCores  Status
Intel64 Family 6 Model 140 Stepping 1  CPU0      1805           11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz  4              OK
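
An added example, not code from the issue or from the Azure SDK project: it times each link of the chain on its own to show which one stalls, then selects a single credential per environment so that local dev never probes managed identity and a deployed host never falls back to a developer's CLI login. The `ASPNETCORE_ENVIRONMENT` lookup, the 30-second limit, the Key Vault scope and the helper names `SelectCredential` and `ProbeAsync` are assumptions made for the illustration.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Assumptions: environment name read the way a default ASP.NET Core host does; 30 s probe limit.
var environmentName = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";
var keyVaultScope = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
var limit = TimeSpan.FromSeconds(30);

// Diagnostic: time each credential separately instead of through the chain.
Console.WriteLine(await ProbeAsync(new ManagedIdentityCredential(), keyVaultScope, limit));
Console.WriteLine(await ProbeAsync(new AzureCliCredential(), keyVaultScope, limit));

// Deterministic selection: exactly one identity source per environment.
TokenCredential credential = SelectCredential(environmentName);
Console.WriteLine($"{environmentName}: using {credential.GetType().Name}");

static TokenCredential SelectCredential(string environmentName) =>
    string.Equals(environmentName, "Development", StringComparison.OrdinalIgnoreCase)
        ? new AzureCliCredential()          // developer login from `az login`
        : new ManagedIdentityCredential();  // no fallback to developer credentials

static async Task<string> ProbeAsync(TokenCredential cred, TokenRequestContext scope, TimeSpan limit)
{
    var name = cred.GetType().Name;
    using var cts = new CancellationTokenSource(limit);
    var sw = Stopwatch.StartNew();
    try
    {
        await cred.GetTokenAsync(scope, cts.Token); // the token itself is never printed
        return $"{name}: token acquired in {sw.Elapsed.TotalSeconds:F1}s";
    }
    catch (CredentialUnavailableException)
    {
        // This is the only failure a ChainedTokenCredential skips past.
        return $"{name}: unavailable after {sw.Elapsed.TotalSeconds:F1}s";
    }
    catch (AuthenticationFailedException ex)
    {
        // A chain stops here rather than trying the next credential.
        return $"{name}: failed after {sw.Elapsed.TotalSeconds:F1}s ({ex.GetType().Name})";
    }
    catch (OperationCanceledException)
    {
        return $"{name}: no answer within {limit.TotalSeconds:F0}s";
    }
}
```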

1 reaction
christothes commented, Sep 16, 2022

Hi @heldersousa-planetpayment - I think the reason that the distinct DefaultAzureCredential works relatively the same as the reused example is that, under the covers, when you don’t pass any options to DefaultAzureCredential you actually get a static singleton each time.
