Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[FEATURE REQ] ManagedIdentityCredential should fail fast when running outside of Azure

See original GitHub issue

Library name

Azure.Identity

Please describe the feature.

When using DefaultAzureCredential outside of Azure, the ManagedIdentityCredential class retries four times before failing. This adds 8 to 10 seconds to token requests. ManagedIdentityCredential should use a heuristic to determine when the code is not running in Azure (e.g., environment variables, network errors, …), and fail fast.

It is possible to work around this by disabling Managed Identity authentication:

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeManagedIdentityCredential = true
});

I do not like this solution as: a) It is hard to discover – many users may just assume that token requests are slow b) It makes code less portable to Azure c) It is boilerplate code that has to be repeated in each application

Issue Analytics

  • State:open
  • Created a year ago
  • Reactions:19
  • Comments:19 (9 by maintainers)

github_iconTop GitHub Comments

2reactions
heldersousa-planetpaymentcommented, Oct 19, 2022

@christothes I ran the code provided by @jonpayne and you can see the results below.

ManagedIdentityCredential is the main culprit when one runs this code from Visual Studio 2022, but VisualStudioCredential can also be really slow when developers are not using Visual Studio 2022 and do dotnet run from the command line (similar times if code is executed from VS Code).

Running from Visual Studio 2022

DefaultAzureCredential.GetToken                     10099.17 ms
EnvironmentCredential.GetToken                          5.40 ms
ManagedIdentityCredential.GetToken                   6128.55 ms
VisualStudioCredential.GetToken                      3880.83 ms

Running from the command line while Visual Studio 2022 was opened)

C:\Users\helder.sousa> dotnet run
DefaultAzureCredential.GetToken                      7921.18 ms
EnvironmentCredential.GetToken                          1.36 ms
ManagedIdentityCredential.GetToken                   6162.71 ms
VisualStudioCredential.GetToken                      1743.74 ms

Running from the command line (Visual Studio 2022 was closed)

C:\Users\helder.sousa> dotnet run
DefaultAzureCredential.GetToken                     16002.06 ms
EnvironmentCredential.GetToken                          1.79 ms
ManagedIdentityCredential.GetToken                   5434.74 ms
VisualStudioCredential.GetToken                      9548.20 ms
VisualStudioCodeCredential.GetToken                     3.20 ms
AzureCliCredential.GetToken                           993.89 ms

Local environment Windows 10 Enterprise (More system specs in this comment https://github.com/Azure/azure-sdk-for-net/issues/24767#issuecomment-1283153172)

<PackageReference Include="Azure.Identity" Version="1.7.0" />

C:\Users\helder.sousa> dotnet --version
6.0.400
0reactions
JerryBlakecommented, May 22, 2023

@christothes @drdamour,

Hi guys,

I have also hit this issue when using webjobs locally. What drdamour pointed out does seem like an issue, as webjobs extensions does use a DefaultAzureCredentialOptoins when if you don’t set the web job specific configuration in your appsettings.json (or environment vars). This seems like a miss to me as they already are checking with their settings if a customer wants to use a managed identity but fail to remove those from the default check later.

What Chirstothes is saying does work around this issue. If you add the azure client directly with the DI builder (outside of the webjobs builder), web jobs will honor that client instead of creating a new one with the DefaultAzureCredentialsOptions. I think that is the disconnect here in this conversation.

Read more comments on GitHub >

github_iconTop Results From Across the Web

v4 Azure Function isolated process not authenticating to ...
I understand that ManagedIdentityCredential only works when running in Azure and to authenticate when running locally that we have to use ...
Read more >
Azure SDK: What's new in the Azure Identity August 2020 ...
DefaultAzureCredential, provides a simplified authentication experience to quickly start developing applications run in the Azure cloud.
Read more >
App configuration support - Spring Cloud Azure
This article describes the Spring Cloud Azure App Configuration library. This library loads configurations and feature flags from the Azure ...
Read more >
Use managed identities on a virtual machine to acquire ...
Step-by-step instructions and examples for using managed identities for Azure resources on virtual machines to acquire an OAuth access ...
Read more >
Azure Identity client library for JavaScript - version 3.3.0
For users running on a system with a default web browser, the Azure Developer CLI will launch the browser to authenticate the user....
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

[QUERY] Update the SKU of an App Service Plan

Next page

[Question] Language.QuestionAnswering: DeploymentName other than 'production' not supported.