[BUG] DefaultAzureCredential doesn't determine default single User Assigned Managed Identity in Azure App Service
TLDR: Web app is deployed as Azure App Service, targets full .NET Framework 4.7.2 and uses the MicrosoftConfigurationBuilders package to get config values/secrets from Azure App Configuration. This package does this in order to connect to Azure App Configuration. This works fine when App Service uses a System Assigned Managed Identity but fails with 400 BadRequest when a single User Assigned Managed Identity is used.
Expected behavior
DefaultAzureCredential determines that there's no System Assigned identity, but there's a single User Assigned identity, and uses that one. No exception.
Actual behavior (include Exception or Stack Trace)
System.Exception: Error in Configuration Builder 'AzureAppConfiguration'::GetValue(test-key) ---> System.AggregateException: One or more errors occurred. ---> Azure.Identity.AuthenticationFailedException: DefaultAzureCredential authentication failed. ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed. ---> Azure.RequestFailedException: Service request failed. [04/07/2020 13:12:59 > 3dc77f: INFO] Status: 400 (Bad Request)
To Reproduce: Please download the .zip from here and open the .sln in VS 2019 (you can use this as part of the repro steps); it can be used as a repro:
- Create Azure App Service Plan with an Azure App Service in it.
- Create Azure App Configuration
- Create Azure User Managed Identity. Make sure that it has the 'Azure App Configuration Data Reader' role in the Azure App Configuration created in step 2
- Make sure that App Service -> General Settings is targeting .NET Framework
- Make sure that App Service -> Identity doesn't have a System Assigned identity, but has 1 User Assigned identity created in step 3
- Unpack .zip
- Open file "sln\TestIdentityWebJobRepro.sln" using Visual Studio 2019
- Compile -> Should have no errors
- Open \src\TestIdentityConnection\App.config
- Replace AzureAppConfigurationUrl with your actual Azure App Configuration URL, like: https://<YourAzureAppConfiguration>.azconfig.io
- Recompile
- Right click on .csproj -> Publish as Azure WebJob…
- Publish to Azure App Service created in previous steps
Expected: No issues, configuration is retrieved successfully when using single User Managed Identity
Actual: See exception above.
Environment:
- Package id="Azure.Identity" version="1.1.1". NOTE: Tried with latest as well. Issue is still there
- Package id="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" version="1.0.0"
- Hosting platform: Azure App Service
- .NET Framework 4.7.2
- IDE and version : VS 2019
See also: https://github.com/aspnet/MicrosoftConfigurationBuilders/issues/119
Top GitHub Comments
Is the use of AZURE_CLIENT_ID in this way documented officially? The main places I've found it are always in the context of EnvironmentVariableCredential along with a tenant and secret, which we're not using. I found it here and it has really helped, but I feel like it should be available in documentation (if it is, I just missed it, my bad!). It's a pretty critical piece to successfully deploying with User MSI (which is super awesome, our team is in love). I'd like to suggest perhaps this gets added somehow to the table located here: https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/README.md#credentials . More than happy to open a PR for this should it be helpful.
Agree with @davidallyoung, it'd be great to highlight this in the documentation. Here is the only reference I found to using AZURE_CLIENT_ID for user-assigned managed identity; I also assumed it'd pick up the client ID from my Azure Function's identity configuration.