
[BUG] Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed.

Open thdotnet opened this issue 2 years ago • 15 comments

Library name and version

Azure.Messaging.ServiceBus 7.11.1

Describe the bug

Using a System Assigned Managed Identity, I can create a ServiceBusClient, but when I'm trying to create a Queue, it is throwing an error:

//this works
var credential = new DefaultAzureCredential();
var client = new ServiceBusClient("xx.servicebus.windows.net", credential);

//this throws an error:
var credential = new DefaultAzureCredential();
var manager = new ServiceBusAdministrationClient("xx.servicebus.windows.net", credential);

PS: I've added the system assigned managed identity to "Azure Service Bus Data Owner"

Expected behavior

The system assigned managed identity should be able to create queues as "Azure Service Bus Data Owner" member

Actual behavior

It's throwing a very large error:

Azure.Identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.EnvironmentCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.EnvironmentCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AppTokenProviderImpl(AppTokenProviderParameters parameters) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.SendTokenRequestToProviderAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken) at 
Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AppTokenProviderImpl(AppTokenProviderParameters parameters) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.SendTokenRequestToProviderAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken) at 
Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 30 Nov 2022 19:51:23 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AppTokenProviderImpl(AppTokenProviderParameters parameters) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.SendTokenRequestToProviderAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken) at 
Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at 
Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.SendHttpRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.GetEntityAsync(String entityPath, String query, Boolean enrich, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.ServiceBusAdministrationClient.QueueExistsAsync(String name, CancellationToken cancellationToken)

Reproduction Steps

1- Create an App Service
2- Add to it a system assigned Managed identity
3- Add the system assigned managed identity to the Service Bus Data Owner role:

az role assignment create --assignee $managedIdentity --scope $sbId --role "Azure Service Bus Data Owner"

4- Create a web application
5- Add the following controller as a test:

using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Messaging.ServiceBus.Administration;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    [HttpGet]
    public async Task<IActionResult> Test()
    {
        // On App Service, DefaultAzureCredential ends up using ManagedIdentityCredential.
        var credential = new DefaultAzureCredential();
        var manager = new ServiceBusAdministrationClient("xx.servicebus.windows.net", credential);

        // Await the call so the exception is thrown here rather than left inside an
        // un-awaited Task; the management call is where the token is first requested.
        Response<bool> exists = await manager.QueueExistsAsync("default");
        return Ok(exists.Value);
    }
}

6-deploy the application and call the url https://the-name-you-chose.azurewebsites.net/api/values

Environment

Azure, .NET 6, C#, Azure Service Bus NuGet 7.11.1

thdotnet avatar Nov 30 '22 21:11 thdotnet
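An added diagnostic version of the controller above (example code, not the reporter's code and not part of azure-sdk-for-net). It makes two things explicit. Constructing ServiceBusClient or ServiceBusAdministrationClient never contacts Azure AD: "the ServiceBusClient works" only means the constructor ran, and the token is requested on the first operation, which is why the failure surfaces inside QueueExistsAsync. It also separates authentication from authorization: it asks the credential directly for a token for the Service Bus audience (https://servicebus.azure.net/.default) with Azure SDK event logging on, then decodes the token payload (no signature validation; diagnostics only) so the oid claim can be compared with the principalId the role assignment was created for. If they differ, the role is on the wrong principal; the steps above create an App Service but the assignment later in the thread reads the principal with az functionapp identity show, and az resource list --name matches any resource type with that name, so both the principal and the scope are worth checking. Azure Service Bus Data Owner is the role the administration client needs. The namespace string and queue name are the placeholders from the report; the scope constant and the response shape are this example's own choices.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Azure.Messaging.ServiceBus.Administration;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    // Audience used for both data-plane and ATOM management calls to Service Bus.
    private const string ServiceBusScope = "https://servicebus.azure.net/.default";

    // Placeholder namespace, as in the report; not a real endpoint.
    private const string FullyQualifiedNamespace = "xx.servicebus.windows.net";

    [HttpGet]
    public async Task<IActionResult> Test(CancellationToken ct)
    {
        // Send Azure.Identity / Azure.Core events to stdout, which the App Service
        // log stream captures. This is the "SDK logging" asked for in the thread.
        using var listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        // On App Service only the managed identity source can succeed; excluding the
        // rest of the chain keeps EnvironmentCredential noise out of the log.
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeEnvironmentCredential = true,
            ExcludeSharedTokenCacheCredential = true,
            ExcludeVisualStudioCredential = true,
            ExcludeVisualStudioCodeCredential = true,
            ExcludeAzureCliCredential = true,
            ExcludeAzurePowerShellCredential = true,
            ExcludeInteractiveBrowserCredential = true,
        });

        // Step 1: authentication only. This is the call that fails in the stack trace
        // above, now isolated from the Service Bus request.
        AccessToken token;
        try
        {
            token = await credential.GetTokenAsync(new TokenRequestContext(new[] { ServiceBusScope }), ct);
        }
        catch (CredentialUnavailableException ex)
        {
            // No usable identity source at all (for example, no identity enabled on the app).
            return StatusCode(503, $"No credential available: {ex.Message}");
        }
        catch (AuthenticationFailedException ex)
        {
            // An identity source answered but rejected the request (the 400 in this thread).
            // The X-CORRELATION-ID in the message is what to quote to support.
            return StatusCode(503, $"Token request failed: {ex.Message}");
        }

        // Step 2: authorization evidence. "oid" must equal the principalId the
        // "Azure Service Bus Data Owner" assignment was created for.
        JsonElement payload = DecodePayload(token.Token);
        string Claim(string name) => payload.TryGetProperty(name, out var v) ? v.ToString() : "(absent)";

        // Step 3: the management call, awaited so its exception is observable.
        var admin = new ServiceBusAdministrationClient(FullyQualifiedNamespace, credential);
        Response<bool> exists = await admin.QueueExistsAsync("default", ct);

        return Ok(new
        {
            identityObjectId = Claim("oid"),
            identityAppId = Claim("appid"),
            audience = Claim("aud"),
            expiresOn = token.ExpiresOn,
            queueExists = exists.Value,
        });
    }

    // Base64url-decodes the second segment of a compact JWS. Diagnostics only: the
    // signature is not checked, so never base an authorization decision on this.
    internal static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("not a compact JWS");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }
}
```

Deploy, call GET /api/values, and read the JSON next to the log stream: a 503 from step 1 is an identity problem (no identity enabled, or a client id that does not match an identity on the app), while a failure in step 3 with a valid token whose oid matches the assignment is an RBAC or scope problem. The response deliberately exposes claims but never the token itself.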

Thank you for your feedback. Tagging and routing to the team member best able to assist.

jsquire avatar Nov 30 '22 23:11 jsquire

Can you clarify what the $sbId is here that you are using in the role assignment?

JoshLove-msft avatar Nov 30 '22 23:11 JoshLove-msft

sure,

sbId=$(az resource list --name sb-name --query [].id -o tsv)

thdotnet avatar Dec 02 '22 14:12 thdotnet

and this one for the managedIdentity

managedIdentity=$(az functionapp identity show --resource-group rg-name --name app-name --query principalId -o tsv)

thdotnet avatar Dec 02 '22 14:12 thdotnet

We've been discussing this over email. The next step is to enable SDK logging to see the Identity logs.

JoshLove-msft avatar Dec 19 '22 20:12 JoshLove-msft

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Dec 31 '22 02:12 ghost

Hi, is there any update on this? I am also facing a similar issue and blocked. Can you please suggest how can we get rid of this error?

revisited-18 avatar Jan 13 '23 14:01 revisited-18

> Hi, is there any update on this? I am also facing a similar issue and blocked. Can you please suggest how can we get rid of this error?

Same, Can anyone please help.

bornkiraupgrade avatar Jan 16 '23 10:01 bornkiraupgrade

We had a similar issue on our end as reported in the original issue, whereby when trying to submit a message on an ASB queue we got the Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) exception. This was only occurring when on Azure as locally (using our Microsoft account) it was working fine.

A resolution to this was via this post, specifically adding a new app configuration key named AZURE_CLIENT_ID containing the managed identity's Client ID.

chrisportelli avatar Jan 18 '23 07:01 chrisportelli

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Jan 25 '23 08:01 ghost

> We had a similar issue on our end as reported in the original issue, whereby when trying to submit a message on an ASB queue we got the Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) exception. This was only occurring when on Azure as locally (using our Microsoft account) it was working fine.
>
> A resolution to this was via this post, specifically adding a new app configuration key named AZURE_CLIENT_ID containing the managed identity's Client ID.

Works for me! Thanks!

iron9light avatar Feb 03 '23 04:02 iron9light

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Feb 10 '23 08:02 ghost

> Hi, is there any update on this? I am also facing a similar issue and blocked. Can you please suggest how can we get rid of this error?

For Arun and me, we removed clientId which was being passed in the constructor while instantiating the Cosmos DB client as we were using Managed Identity. This worked for us.

revisited-18 avatar Feb 10 '23 10:02 revisited-18

I just had the same issue, we passed clientId to ManagedIdentityCredential and it failed. Just changed it to new DefaultAzureCredential() and the AZURE_CLIENT_ID env var and then it worked. The code also runs locally so DefaultAzureCredential is the more general solution for us anyway.

christiansparre avatar Feb 10 '23 10:02 christiansparre
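The fixes reported in the preceding comments (adding AZURE_CLIENT_ID in one case, removing an explicit clientId in another) are two sides of one rule: a managed identity token request must either name a user-assigned identity that is actually assigned to the app, or name no identity at all, which selects the system-assigned one. DefaultAzureCredential reads AZURE_CLIENT_ID on its own and forwards it as the managed identity client id (the same thing as setting DefaultAzureCredentialOptions.ManagedIdentityClientId), so a stale or mismatched app setting changes which identity is requested without any code change, and a bare ManagedIdentityCredential() ignores that variable entirely. The helper below is an added example, not SDK code and not code from anyone in this thread. It makes the choice explicit, checks the IDENTITY_ENDPOINT and IDENTITY_HEADER variables that App Service and Functions set only when an identity is enabled, and refuses to start when AZURE_CLIENT_ID disagrees with the configured identity. Using WEBSITE_SITE_NAME as the "running on App Service" marker and the class and method names are this example's assumptions.

```csharp
using System;
using Azure.Core;
using Azure.Identity;

// Chooses the managed identity explicitly instead of letting AZURE_CLIENT_ID
// silently select (or fail to select) one through DefaultAzureCredential.
public static class ManagedIdentitySelector
{
    // Present on App Service / Functions only when a managed identity is enabled.
    private const string IdentityEndpointVar = "IDENTITY_ENDPOINT";
    private const string IdentityHeaderVar = "IDENTITY_HEADER";

    // Set by App Service / Functions; absent on a developer machine (assumption).
    private const string SiteNameVar = "WEBSITE_SITE_NAME";

    // userAssignedClientId == null means "use the system-assigned identity".
    public static TokenCredential Create(string? userAssignedClientId = null)
    {
        bool onAppService = Environment.GetEnvironmentVariable(SiteNameVar) is not null;
        if (!onAppService)
        {
            // Developer machine: no identity endpoint exists, so use the tool
            // credentials and never pass a managed identity client id.
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
            });
        }

        bool identityEnabled =
            Environment.GetEnvironmentVariable(IdentityEndpointVar) is not null &&
            Environment.GetEnvironmentVariable(IdentityHeaderVar) is not null;
        if (!identityEnabled)
        {
            // Fail at startup with a readable message instead of an opaque token error later.
            throw new InvalidOperationException(
                "No managed identity is enabled on this app (IDENTITY_ENDPOINT is unset). " +
                "Enable one under Settings -> Identity.");
        }

        // A deployment that also sets AZURE_CLIENT_ID must agree with the explicit
        // choice; DefaultAzureCredential would otherwise pick that value up on its own.
        string? envClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        if (envClientId is not null &&
            !string.Equals(envClientId, userAssignedClientId, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "AZURE_CLIENT_ID is set but does not match the configured identity " +
                $"('{userAssignedClientId ?? "system-assigned"}').");
        }

        if (string.IsNullOrEmpty(userAssignedClientId))
        {
            // System-assigned identity: pass no client id. A client id that matches no
            // identity on the app is rejected by the identity endpoint, which is
            // consistent with the 400 responses quoted in this thread.
            return new ManagedIdentityCredential();
        }

        // User-assigned identity: name it explicitly.
        return new ManagedIdentityCredential(clientId: userAssignedClientId);
    }
}
```

Pass the returned TokenCredential to ServiceBusClient, ServiceBusAdministrationClient or SecretClient as usual. For Azure Functions trigger bindings the client id belongs on the identity-based connection itself (`<CONNECTION_NAME_PREFIX>__credential` set to managedidentity and `<CONNECTION_NAME_PREFIX>__clientId`), which is what the Functions identity-based connections tutorial documents; AZURE_CLIENT_ID is the mechanism for DefaultAzureCredential instances created in application code. Keep each path on the narrowest role: Azure Service Bus Data Receiver for a queue trigger, Data Sender for a producer, and Data Owner only where the administration client is used.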

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Feb 17 '23 14:02 ghost

Commenting on this as I had a similar issue. We are using a function app, with a service bus queue trigger function that uses a user assigned managed identity connection to connect to the service bus queue.

I was getting authentication failed (Bad request) errors for the managed identity connection.

Adding the AZURE_CLIENT_ID, mentioned by @chrisportelli, as an app setting in the function app fixed the issue! There isn't any reference to this in the Microsoft docs.

(https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial-2)

Robinlievrouw avatar Mar 01 '23 09:03 Robinlievrouw

Having the same issue with an app service.

In our program.cs we registered the keyvault as a configuration provider.

using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using Serilog;

public class Program
{
    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder
                    .UseSerilog()
                    .CaptureStartupErrors(true)
                    .UseStartup<Startup>();
            })
            .ConfigureAppConfiguration((context, config) =>
            {
                var builtConfig = config.Build();
                // The credential is exercised while the host is being built, so a
                // token failure here crashes the process before any request is served.
                var secretClient = new SecretClient(
                    new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                    new DefaultAzureCredential());
                config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
                config.AddUserSecrets<Startup>(optional: true);
            });
    }
}

Works fine locally. But gives an error on Azure.

Application '/LM/W3SVC/2126425026/ROOT' with physical root 'C:\home\site\wwwroot\' hit unexpected managed exception, exception code = '0xe0434352'. First 30KB characters of captured stdout and stderr logs: Unhandled exception. Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: Headers: Date: Wed, 01 Mar 2023 14:16:52 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 400 (Bad Request) Content:

woeterman94 avatar Mar 01 '23 14:03 woeterman94

I solved it by enabling the system assigned identity for the app service. (it's under settings -> identity)


woeterman94 avatar Mar 01 '23 15:03 woeterman94

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Mar 09 '23 08:03 ghost

Having a similar issue. Did the following:

  • Configured a system managed identity for an Azure Function that needs to update alerts.
  • Gave the identity Contributor rights to the Application Insights resource.
  • Added the AZURE_CLIENT_ID to configuration.
  • Used the following code to get the token:

        public async Task<string> GetAccessTokenAsync(string resourceId)
        {
            // Hard-coded token used only while debugging locally.
            if (System.Diagnostics.Debugger.IsAttached)
                return LOCAL_TOKEN;

            var tokenCredential = new DefaultAzureCredential();
            var accessToken = await tokenCredential.GetTokenAsync(
                new TokenRequestContext(scopes: new[] { $"{resourceId}/.default" }));
            return accessToken.Token;
        }

It throws the following error: [screenshot not captured]

Very frustrated -- could use some advice

JasonDWilson avatar Apr 14 '23 17:04 JasonDWilson