Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support for user assigned identity for App Service MSI

See original GitHub issue

Per https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity, the Azure App Service token URL, as accessed by MSI_ENDPOINT supports an optional parameter named clientid to select which User-Assigned Identity to use.

The current call to that endpoint does not pass through the clientid parameter for App Service MSI, only for VM IMDS endpoint calls. See: https://github.com/Azure/azure-sdk-for-net/blob/psSdkJson6/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/TokenProviders/MsiAccessTokenProvider.cs#L56

This means that effectively, Microsoft.Azure.Services.AppAuthentication 1.2.0-preview cannot be used to retrieve tokens for user-assigned MSI on Azure App Service / Azure Functions.

I think this is a relatively simple change to add the clientid parameter to the app service MSI call

Would you be open to a PR (with tests, of course) to add this feature?

Issue Analytics

State:
Created 5 years ago
Reactions:7
Comments:7 (5 by maintainers)

Top GitHub Comments

2reactions

nonik0commented, Mar 11, 2019

FYI this support is added in 1.2.0-preview2.

1reaction

michaelwstarkcommented, Jan 25, 2019

@noelbundick The workaround should be pretty similar with or without key vault – internally the callback just calls the same method you have referenced in your original comment.

Unfortunately, I can’t answer the question regarding the contribution PR as I don’t own or maintain this repo. I would hope the maintainers would welcome the contribution, but they would have to confirm. I’m just another developer that wanted to use user assigned MSI and ran into this issue.

Top Results From Across the Web

Managed identities - Azure App Service

A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities. The ......

Use managed identities to access App Configuration

Access your App Services resource in the Azure portal. · Scroll down to the Settings group in the left pane, and select Identity....

Use Managed Identities in App Service with HTTP REST ...

Under App Service's Identity, enable system-assigned identity or user-assigned identity. Then add it to target resource's Access control (IAM).

App service to app service auth in Azure using Managed ...

Managed Identity only provides your app service with an identity (without ... This role assignment works for Azure RBAC and help in giving ......

Managed Identities with Azure AD (Active Directory) Tutorial

Using Managed Identity with App Service - https://docs.microsoft.com/en-us/azure/ app - service /overview-managed- identity ?tabs=dotnet?