
[BUG] Can not get secret from KeyVault on account of failing ManagedIdentityCredential GetToken method in Gov and China clouds

Open JacobBovee opened this issue 2 years ago • 2 comments

Library name and version

Azure.Identity 1.8.2, Azure.Security.KeyVault.Secrets 4.4.0

Describe the bug

Hello, we are running into a scenario in the non-public clouds (reproduced in both UsGov and ChinaCloud) in which we are initializing a ManagedIdentityCredential and using the resulting credential to initialize a SecretClient, which we then use to obtain a secret from KeyVault. Unfortunately our call to GetSecret results in this error:

ManagedIdentityCredential authentication failed:

The application is configured for cloud login.microsoftonline.com and the request for a different cloud - login.microsoftonline.us. This is not supported - the app and the request must target the same cloud.

See https://aka.ms/msal-net-authority-override for details
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

The application is configured for cloud login.microsoftonline.com and the request for a different cloud - login.microsoftonline.us. This is not supported - the app and the request must target the same cloud.

See https://aka.ms/msal-net-authority-override for details

We have the AuthorityHost set correctly and the managed identity is created in the correct cloud.

Through some manual testing I've found that if we initialize a DefaultAzureCredential and pass in a managed identity client id, the secrets library is able to successfully call GetToken on the DefaultAzureCredential, which in turn successfully calls ManagedIdentityCredential's GetToken method! Here is some telemetry of one of our successful calls vs. a failing call; notice that they are both in the end simply calling ManagedIdentityCredential's GetToken method.

09fc7a70-8c76-464f-ac36-54eb3bb2f1bf e493137a-8a8d-4197-bdf3-d0022e4ced58

Thanks for taking a look, really appreciate any insight on this.

Expected behavior

In public cloud we are simply able to call GetSecret and the key vault returns our secret.

Actual behavior

As mentioned above in non-public clouds we are unable to access key vault.

Reproduction Steps

I've managed to reproduce it with just this:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Managed identity credential pinned to the Azure Government authority host.
ManagedIdentityCredential credential = new ManagedIdentityCredential("<client-id>", new TokenCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzureGovernment
});
// Secret client for a vault in the same cloud; GetSecretAsync is what triggers the failing GetToken call.
var client = new SecretClient(new Uri("<vault-uri>"), credential);
var secret = await client.GetSecretAsync("<secret-name>");

And here is the code that runs successfully after using a DefaultAzureCredential:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Same managed identity and authority host, but reached through DefaultAzureCredential.
DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = "<client-id>",
    AuthorityHost = AzureAuthorityHosts.AzureGovernment,
});
var client = new SecretClient(new Uri("<vault-uri>"), credential);
var secret = await client.GetSecretAsync("<secret-name>");

Environment

Seen on both Azure App Service and Azure Service Fabric, both running Windows Server.

JacobBovee avatar Feb 10 '23 18:02 JacobBovee
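An added diagnostic, not code from the issue or from the Azure SDK, that requests a Key Vault token from both credential constructions directly, without a SecretClient, and turns on verbose Azure.Core logging so the authority each request actually targets is visible in the output. The client id is a placeholder, and the per-cloud Key Vault scope strings are assumptions not stated in the issue.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

class ManagedIdentityCloudCheck
{
    // Assumed Key Vault token scopes per sovereign cloud (not taken from the issue).
    const string GovVaultScope = "https://vault.usgovcloudapi.net/.default";
    const string ChinaVaultScope = "https://vault.azure.cn/.default";

    static async Task Main()
    {
        // Placeholder values; for China swap in AzureAuthorityHosts.AzureChina and ChinaVaultScope.
        string clientId = "<client-id>";
        Uri authority = AzureAuthorityHosts.AzureGovernment;
        string scope = GovVaultScope;
        // Verbose Azure.Core logging prints the endpoint each credential talks to.
        using var listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        // Form 1: the construction the issue reports as failing.
        TokenCredential direct = new ManagedIdentityCredential(clientId, new TokenCredentialOptions
        {
            AuthorityHost = authority
        });
        // Form 2: the construction the issue reports as working.
        TokenCredential viaDefault = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId,
            AuthorityHost = authority
        });

        await TryGetToken("ManagedIdentityCredential", direct, scope);
        await TryGetToken("DefaultAzureCredential", viaDefault, scope);
    }

    // Requests a token with no SecretClient involved, so a failure here isolates token acquisition.
    static async Task TryGetToken(string label, TokenCredential credential, string scope)
    {
        try
        {
            AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), default);
            Console.WriteLine($"{label}: token acquired, expires {token.ExpiresOn:u}");
        }
        catch (AuthenticationFailedException ex)
        {
            Console.WriteLine($"{label}: {ex.Message}");
        }
    }
}
```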

//cc: @schaabs

jsquire avatar Feb 10 '23 19:02 jsquire

Thank you for your feedback. Tagging and routing to the team member best able to assist.

jsquire avatar Feb 10 '23 19:02 jsquire