[QUERY] Exception when migrating from ADAL to MSAL for Managed Identity resources (Azure.Identity library)
Query/Question
Hello,
I am seeing the following exception after migrating to Azure.Identity as part of ADAL to MSAL migration. Here’s the error message I am seeing:
2021-08-17 23:09:09.613287: An error occurred while starting the application.
2021-08-17 23:09:09.613318: ArgumentException: Connection string RunAs=App;AppId=436b3fb3-eb25-42ae-a376-d50202efbf86 is not valid. Must contain 'TenantId' attribute and it must not be empty.
2021-08-17 23:09:09.613352: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary<string, string> connectionSettings, string attribute, string connectionString)
2021-08-17 23:09:09.613381:
2021-08-17 23:09:09.613405:
2021-08-17 23:09:09.613422:
2021-08-17 23:09:09.613449: ArgumentException: Connection string RunAs=App;AppId=436b3fb3-eb25-42ae-a376-d50202efbf86 is not valid. Must contain 'TenantId' attribute and it must not be empty.
2021-08-17 23:09:09.613473:
2021-08-17 23:09:09.613594:
2021-08-17 23:09:09.613621: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary<string, string> connectionSettings, string attribute, string connectionString)
2021-08-17 23:09:09.613653:
2021-08-17 23:09:09.613678:
2021-08-17 23:09:09.613701:
2021-08-17 23:09:09.613733: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.Create(string connectionString, string azureAdInstance)
2021-08-17 23:09:09.613755:
2021-08-17 23:09:09.613771:
2021-08-17 23:09:09.613791:
2021-08-17 23:09:09.613814: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider..ctor(string connectionString, string azureAdInstance)
2021-08-17 23:09:09.613835:
2021-08-17 23:09:09.613931:
2021-08-17 23:09:09.613961:
2021-08-17 23:09:09.613980: Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationOptions..ctor(string vault)
2021-08-17 23:09:09.614003:
2021-08-17 23:09:09.614021:
2021-08-17 23:09:09.614042:
2021-08-17 23:09:09.614061: Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.AddAzureKeyVault(IConfigurationBuilder configurationBuilder, string vault, IKeyVaultSecretManager manager)
2021-08-17 23:09:09.614083:
2021-08-17 23:09:09.614101:
2021-08-17 23:09:09.614122:
2021-08-17 23:09:09.614140: CCP.PTT.TrustDomainService.Program+<>c.<CreateHostBuilder>b__1_0(HostBuilderContext context, IConfigurationBuilder config) in Program.cs
2021-08-17 23:09:09.614161:
2021-08-17 23:09:09.614178:
2021-08-17 23:09:09.614198:
2021-08-17 23:09:09.614219: Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
2021-08-17 23:09:09.614243:
2021-08-17 23:09:09.614270:
2021-08-17 23:09:09.614290:
2021-08-17 23:09:09.614307: Microsoft.Extensions.Hosting.HostBuilder.Build()
2021-08-17 23:09:09.614327:
2021-08-17 23:09:09.614356:
2021-08-17 23:09:09.614376:
2021-08-17 23:09:09.614394: CCP.PTT.TrustDomainService.Program.Main(string[] args) in Program.cs
2021-08-17 23:09:09.614416:
2021-08-17 23:09:09.614433:
2021-08-17 23:09:09.614446:
2021-08-17 23:09:09.614468: CCP.PTT.TrustDomainService.Program.<Main>(string[] args)
2021-08-17 23:09:09.614485:
2021-08-17 23:09:09.614505:
2021-08-17 23:09:09.614522:
2021-08-17 23:09:09.614543:
2021-08-17 23:09:09.614560:
2021-08-17 23:09:09.614580:
2021-08-17 23:09:09.614597:
2021-08-17 23:09:09.614617:
2021-08-17 23:09:09.614634: Show raw exception details
2021-08-17 23:09:09.614655:
2021-08-17 23:09:09.614673:
2021-08-17 23:09:09.614713: System.ArgumentException: Connection string RunAs=App;AppId=436b3fb3-eb25-42ae-a376-d50202efbf86 is not valid. Must contain 'TenantId' attribute and it must not be empty. at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary`2 connectionSettings, String attribute, String connectionString) at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.Create(String connectionString, String azureAdInstance) at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider..ctor(String connectionString, String azureAdInstance) at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationOptions..ctor(String vault) at Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.AddAzureKeyVault(IConfigurationBuilder configurationBuilder, String vault, IKeyVaultSecretManager manager) at CCP.PTT.TrustDomainService.Program.<>c.<CreateHostBuilder>b__1_0(HostBuilderContext context, IConfigurationBuilder config) in C:\source\CCP.PTT.TrustDomainService\Program.cs:line 62 at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration() at Microsoft.Extensions.Hosting.HostBuilder.Build() at CCP.PTT.TrustDomainService.Program.Main(String[] args) in C:\source\CCP.PTT.TrustDomainService\Program.cs:line 32 at CCP.PTT.TrustDomainService.Program.<Main>(String[] args)
2021-08-17 23:09:09.614758:
2021-08-17 23:09:09.614776:
2021-08-17 23:09:09.614796:
2021-08-17 23:09:09.614825:
2021-08-17 23:09:09.614845:
2021-08-17 23:09:09.614862:
2021-08-17 23:09:09.614896: .NET 5.0.7 X86 v5.0.0.0 | Microsoft.AspNetCore.Hosting version 5.0.7+67acc3d331454956fc06d6de2218a625e3e596f8 | Microsoft Windows 10.0.14393 | Need help?
2021-08-17 23:09:09.614925:
Here are my code changes:
using System;
using System.Threading.Tasks;
using AspNetCoreRateLimit;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using CCP.PTT.TrustDomainService.Data.Infrastructure;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

private static IHostBuilder CreateHostBuilder(string[] args)
{
    // For local debugging, az login is required for authentication.
    return Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            var builtConfig = config.Build();
            var defaultClientCredentialOptions = new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true };
            var credential = new DefaultAzureCredential(defaultClientCredentialOptions);
            string keyVaultName = builtConfig["KeyVault:Name"];
            string endpointSuffix = builtConfig["EndpointSuffix:Name"];
            var keyVaultClient = new UnifiedKeyVaultClient($"https://{keyVaultName}{endpointSuffix}", credential);
            config.AddAzureKeyVault(
                $"https://{keyVaultName}{endpointSuffix}", new DefaultKeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
}
This is the link that mentions the Managed Identity changes for Azure resources: https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0#use-managed-identities-for-azure-resources
One thing about the documentation: as mentioned below, the “KeyVaultSecretManager” does not seem to compile. I tried the DefaultKeyVaultSecretManager as well, but still the same issue.
config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
Other docs followed: https://docs.microsoft.com/en-us/dotnet/api/overview/azure/app-auth-migration
Environment:
- Name and version of the Library package used: Azure.Identity: 1.4.1, Azure.Security.KeyVault.Secrets: 4.2.0, Azure.Security.KeyVault.Certificates: 4.2.0
- Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects):

.NET SDK (reflecting any global.json):
 Version: 5.0.303
 Commit: 6409b42649

Runtime Environment:
 OS Name: Windows
 OS Version: 10.0.19043
 OS Platform: Windows
 RID: win10-x64
 Base Path: C:\Program Files\dotnet\sdk\5.0.303\

Host (useful for support):
 Version: 5.0.9
 Commit: 208e377a53

.NET SDKs installed:
 3.0.103 [C:\Program Files\dotnet\sdk]
 3.1.412 [C:\Program Files\dotnet\sdk]
 5.0.104 [C:\Program Files\dotnet\sdk]
 5.0.302 [C:\Program Files\dotnet\sdk]
 5.0.303 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.All 2.1.29 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 2.1.29 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.18 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 2.1.29 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.18 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.18 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

- IDE and version : [e.g. Visual Studio 16.3] Visual Studio 16.10.4
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (4 by maintainers)
Top GitHub Comments
I found a similar issue on the above error message I posted: https://github.com/Azure/azure-sdk-for-net/issues/13564. Adding an env variable AZURE_CLIENT_ID and setting it to the Managed Identity client id solved the issue. Thank you for your help! @christothes @heaths
Based on your image:
It seems you’re calling the old extension methods to add a SecretClient. You need to use the newer extension methods. But it would also help to look at the method signature. I assume it takes an IKeyVaultClient or something like that, which is the old Microsoft.Azure.KeyVault that is deprecated.
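
The fix the comments describe, written out as an added example (not code from the issue or from the SDK maintainers): the stack trace shows `AddAzureKeyVault(string, IKeyVaultSecretManager)` resolving to the deprecated `Microsoft.Extensions.Configuration.AzureKeyVault` package, so the example passes a `SecretClient` to the overload from `Azure.Extensions.AspNetCore.Configuration.Secrets` and selects the managed identity explicitly. The `ManagedIdentity:ClientId` key, the `TrustDomainService` secret prefix and `PrefixSecretManager` are hypothetical; `Startup` is the application's own class.

```csharp
// Added example, not code from the issue. Assumes the NuGet packages
// Azure.Identity, Azure.Security.KeyVault.Secrets and
// Azure.Extensions.AspNetCore.Configuration.Secrets; Startup is the app's own class.
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    private static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                IConfigurationRoot built = config.Build();
                var vaultUri = new Uri($"https://{built["KeyVault:Name"]}{built["EndpointSuffix:Name"]}");
                var options = new DefaultAzureCredentialOptions
                {
                    ExcludeSharedTokenCacheCredential = true,
                    // Hypothetical config key. Assigning null here would discard the
                    // AZURE_CLIENT_ID default, so fall back to the variable explicitly.
                    ManagedIdentityClientId = built["ManagedIdentity:ClientId"]
                        ?? Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
                };
                var client = new SecretClient(vaultUri, new DefaultAzureCredential(options));
                // SecretClient overload: no AppAuthentication connection string is parsed.
                config.AddAzureKeyVault(client, new PrefixSecretManager("TrustDomainService"));
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

// Loads only secrets named "<prefix>-..." and maps "--" to the ":" section separator,
// so the app never pulls other applications' secrets from a shared vault into memory.
public sealed class PrefixSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;
    public PrefixSecretManager(string prefix) => _prefix = prefix + "-";

    public override bool Load(SecretProperties secret) =>
        secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name.Substring(_prefix.Length).Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Removing the `using Microsoft.Extensions.Configuration.AzureKeyVault;` directive and its package reference turns any remaining call to the old string-based overload into a compile error instead of a startup exception.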