
Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available

Open SwatiBaffle opened this issue 1 year ago • 8 comments

a) Set up a postgres database with managed identity.
b) Add this managed identity in the database:
    psql "host= dbname=postgres user= password=$PGPASSWORD" -c "select * from pgaadauth_create_principal_with_oid(,, 'service', false, false);"

c) Create an app which will create JDBC connectivity using the postgres db (workload identity enabled).
d) Deploy this app using the K8s env and verify the flow with the JDBC connection. K8s is already using azure.workload.identity/use: "true" as well as, for the service account, azure.workload.identity/client-id:

There are two issues faced during this setup:

  1. Token generation for the database password is using the code snippet below:

        // Managed identity credential built with the user-assigned client id
        TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId).build();
        // Request a token for the Azure Database for PostgreSQL scope and use it as the password
        String accessToken = ((AccessToken) managedIdentityCredential
                .getToken((new TokenRequestContext()).addScopes(new String[]{"https://ossrdbms-aad.database.windows.net/.default"}))
                .block()).getToken();

     which errors out as below:
     ERROR ManagedIdentityCredential:553 - Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available.

  2. Second thing, with SSL mode: the jks file has info about the SSL certificate used by the postgres db, and it errors out as below:
     org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints

Looking for a reference doc and steps here for:
  - creating a postgres database with workload identity
  - creating a JDBC app to connect to the postgres database

SwatiBaffle avatar Apr 04 '24 16:04 SwatiBaffle

@billwert @g2vinay

github-actions[bot] avatar Apr 04 '24 16:04 github-actions[bot]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

github-actions[bot] avatar Apr 04 '24 16:04 github-actions[bot]

We also have the same problem. It seems like the azure-identity-extensions for Java used for authenticating is not supporting Workload Identity. I also opened an issue yesterday.

The auth flow for azure-identity usually looks like: Environment -> Workload Identity -> Managed Identity -> ... rest of the methods. For the azure-identity-extensions the Workload Identity step is completely missing from the flow, thus it is still required to use Managed Identity, which is deprecated.

fyi: https://github.com/Azure/azure-sdk-for-java/issues/39540

mschmidt291 avatar Apr 05 '24 07:04 mschmidt291
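The credential order described above (Environment -> Workload Identity -> Managed Identity) can be built explicitly with `ChainedTokenCredentialBuilder`, so that the database password provider does not depend on whichever default chain a given library version ships. This is an added example and not code from the issue or from the azure-sdk-for-java project; the class name `ExplicitCredentialChain`, the helper names `buildChain`/`fetch` and the use of the `AZURE_CLIENT_ID` environment variable for the user-assigned client id are assumptions made here.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.EnvironmentCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

/**
 * Added example (not project code): an explicit credential chain in the order
 * Environment -> Workload Identity -> Managed Identity, so the fallback order is
 * visible in the application instead of hidden inside a default chain.
 */
public class ExplicitCredentialChain {

    // Scope for Azure Database for PostgreSQL, as used in the issue above.
    static final String PG_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";

    /**
     * Build the chain. Each credential that is not configured in the pod fails with
     * a CredentialUnavailableException, which makes the chain move on to the next one.
     * The managed identity fallback is only added when a client id is known, so a
     * misconfigured pod fails fast instead of silently trying an identity it does not have.
     */
    static TokenCredential buildChain(String userAssignedClientId) {
        ChainedTokenCredentialBuilder chain = new ChainedTokenCredentialBuilder()
                .addLast(new EnvironmentCredentialBuilder().build())
                .addLast(new WorkloadIdentityCredentialBuilder().build());
        if (userAssignedClientId != null && !userAssignedClientId.isEmpty()) {
            chain.addLast(new ManagedIdentityCredentialBuilder()
                    .clientId(userAssignedClientId)
                    .build());
        }
        return chain.build();
    }

    /** Request a token for the PostgreSQL scope; never log the token itself. */
    static AccessToken fetch(TokenCredential credential) {
        return credential
                .getToken(new TokenRequestContext().addScopes(PG_SCOPE))
                .block();
    }

    public static void main(String[] args) {
        // Assumption: AZURE_CLIENT_ID holds the user-assigned identity's client id
        // (it is also what the AKS workload identity webhook injects into the pod).
        TokenCredential credential = buildChain(System.getenv("AZURE_CLIENT_ID"));
        AccessToken token = fetch(credential);
        System.out.println("Token acquired; expires at " + token.getExpiresAt());
    }
}
```

If the chain exhausts every credential, the resulting exception lists each one's reason in order, which is the quickest way to see whether the pod is missing the workload identity environment variables or whether the managed identity fallback was reached instead. Logging the expiry rather than the token keeps bearer tokens out of application logs.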

Hello @SwatiBaffle

We'll take a look at this and get back to you soon.

billwert avatar Apr 05 '24 22:04 billwert

Any update here?

SwatiBaffle avatar Apr 16 '24 19:04 SwatiBaffle

Any update on this issue? I am also facing the same issue. I am using the azure-identity library with version 1.12.0. I have followed all the steps to enable workload identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster. Following is the snippet of code I am using:

    import com.azure.core.credential.AccessToken;
    import com.azure.core.credential.TokenRequestContext;
    import com.azure.identity.DefaultAzureCredential;
    import com.azure.identity.DefaultAzureCredentialBuilder;

    // DefaultAzureCredential pointed at the user-assigned managed identity
    DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
            .managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6")
            .build();

    // Token request carrying only the tenant id (no scopes added)
    AccessToken accessToken = managedIdentityCredentialUserAssigned
            .getToken(new TokenRequestContext().setTenantId(tenantId)).block();
    String token = accessToken.getToken();
    logger.info("token : {}", token);

Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is the clientId corresponding to the managed identity. managedIdentityCredentialUserAssigned.getToken() is throwing the following error:

[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.

Is this a defect in Azure SDK for Java, as discussed above?

yashpalslathia21 avatar May 09 '24 06:05 yashpalslathia21

Use the WorkloadIdentityCredential to target WorkloadIdentity directly.

    TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

If the issue persists, check and respond with the env vars available in the cluster to verify workload identity is available.

g2vinay avatar Jul 29 '24 17:07 g2vinay

Use the WorkloadIdentityCredential to target WorkloadIdentity directly.

    TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

If the issue persists, check and respond with the env vars available in the cluster to verify workload identity is available.

Please share some snippet of code which shows how a JDBC client with workload identity works. How does the token request get generated after this line: TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

That will be helpful.

SwatiBaffle avatar Jul 29 '24 20:07 SwatiBaffle
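To answer both of the points above (which env vars to check, and what happens after `new WorkloadIdentityCredentialBuilder().build()` when connecting over JDBC), here is an added example; it is not code from the issue, from the maintainers or from the azure-sdk-for-java project. It assumes the PostgreSQL JDBC driver (`org.postgresql`) and `azure-identity` are on the classpath, that the pod carries the variables the AKS workload identity webhook injects (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE`), and that the database role name passed as `pgPrincipal` is the principal created with `pgaadauth_create_principal_with_oid`. The class name `WorkloadIdentityJdbc`, the helper names and the placeholder host/database values are assumptions made here.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Added example (not project code): verify the workload identity environment,
 * obtain a token with WorkloadIdentityCredential, and use that token as the
 * JDBC password for Azure Database for PostgreSQL.
 */
public class WorkloadIdentityJdbc {

    // Scope for Azure Database for PostgreSQL, as used throughout the issue.
    static final String PG_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";

    // Variables the AKS workload identity webhook injects into a labelled pod.
    // If any is missing, WorkloadIdentityCredential reports itself as unavailable.
    static final String[] REQUIRED_ENV = {
            "AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE"
    };

    /** Names of the required variables that are absent or empty in this process. */
    static List<String> missingWorkloadIdentityEnv() {
        List<String> missing = new ArrayList<>();
        for (String name : REQUIRED_ENV) {
            String value = System.getenv(name);
            if (value == null || value.isEmpty()) {
                missing.add(name);
            }
        }
        return missing;
    }

    /**
     * Exchange the projected service-account token (read from AZURE_FEDERATED_TOKEN_FILE)
     * for an Entra access token scoped to PostgreSQL. A fresh token is fetched per
     * connection because access tokens expire; caching one as a static pool password
     * eventually produces authentication failures.
     */
    static String fetchPasswordToken(TokenCredential credential) {
        AccessToken token = credential
                .getToken(new TokenRequestContext().addScopes(PG_SCOPE))
                .block();
        return token.getToken();
    }

    /** Open a JDBC connection using the Entra token as the password. */
    static Connection open(String host, String database, String pgPrincipal) throws SQLException {
        List<String> missing = missingWorkloadIdentityEnv();
        if (!missing.isEmpty()) {
            throw new IllegalStateException("Workload identity not configured; missing env: " + missing);
        }
        TokenCredential credential = new WorkloadIdentityCredentialBuilder().build();

        Properties props = new Properties();
        props.setProperty("user", pgPrincipal);                        // role created with pgaadauth_create_principal_with_oid
        props.setProperty("password", fetchPasswordToken(credential)); // token, not a stored secret
        props.setProperty("sslmode", "require");                       // Azure PostgreSQL requires TLS

        String url = "jdbc:postgresql://" + host + ":5432/" + database;
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder values (assumptions): replace with the real server and role names.
        String host = "<server-name>.postgres.database.azure.com";
        String pgPrincipal = "<managed-identity-name>";
        try (Connection conn = open(host, "postgres", pgPrincipal);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("select current_user")) {
            if (rs.next()) {
                System.out.println("Connected as " + rs.getString(1));
            }
        }
    }
}
```

The `missingWorkloadIdentityEnv()` check is the programmatic form of the "respond with the env vars" request above: the "Managed Identity authentication is not available" message in this thread is what the managed identity credential reports when the pod has no IMDS-style endpoint, while a workload-identity pod instead needs the three injected variables and the projected token file they point to. The separate "Certificates do not conform to algorithm constraints" error from the first post is raised by the JVM's certificate path validation rather than by the driver or by azure-identity; it means a certificate in the chain or trust store uses an algorithm or key size that the JVM's `jdk.certpath.disabledAlgorithms` security property disables, so the trust store contents are where to look for that one.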