[BUG]Azure.Identity 1.13 Breaks DefaultAzureCredential On DevBox
Library name and version
Azure.Identity 1.13
Describe the bug
My code is using DefaultAzureCredential(true) to authenticate to remote azure resources. After upgrading Azure.Identity to 1.13 a handful of users are noting that they are getting the following error when running inside of Microsoft DevBox:
'ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present
There are no assigned identities to these DevBoxes (we are using the devbox.microsoft.com instances not selfhosted). Downgrading to 1.12 seems to have resolved this issue but putting this bug here as it seems like the detection logic around DefaultAzureCredential may be incorrect in 1.13.
I was under the impression that DefaultAzureCredential was a chained credential and that any failures in the chain would only be thrown back to the user if none of the credentials in the chain succeeded. However, the interactive popup never showed up, also some users have the VSCredential and the MI credential error happens seemingly as soon as it fails.
Expected behavior
Using DefaultAzureCredential(true) inside a DevBox VM with no managed identity would attempt other credentials in the chain before throwing an exception back to the user.
Actual behavior
DefaultAzureCredential(true) throws an exception on DevBoxes if there is no MSI attached to the devbox and doesn't attempt any further credential operations.
Reproduction Steps
- Create a DevBox at (https://devbox.microsoft.com/)
- Create a C# project with Azure.Identity 1.13
- Make a call to new DefaultAzureCredential(true).GetTokenAsync(<some token request context>)
- Observe the ManagedIdentity exception
Environment
Microsoft Devbox (https://devbox.microsoft.com/)
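The chain rule this report relies on, shown as an added example that is not part of the original issue or the SDK's own code: a chained credential moves on to the next source only when a source throws CredentialUnavailableException, and any other failure is returned to the caller without trying the remaining sources. It uses ChainedTokenCredential, which follows the same skip-on-unavailable rule as DefaultAzureCredential; the StubCredential type, the scope and the token value are constructed so the program runs offline.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical stub credential (not an SDK type): runs a delegate instead of
// contacting IMDS or a developer tool, and counts how often it was asked.
sealed class StubCredential : TokenCredential
{
    private readonly Func<AccessToken> _behavior;
    public int Calls { get; private set; }

    public StubCredential(Func<AccessToken> behavior) => _behavior = behavior;

    public override AccessToken GetToken(TokenRequestContext context, CancellationToken ct)
    {
        Calls++;
        return _behavior();
    }

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext context, CancellationToken ct)
        => new ValueTask<AccessToken>(GetToken(context, ct));
}

static class Program
{
    // Constructed scope; no request leaves the process.
    static readonly TokenRequestContext Context =
        new TokenRequestContext(new[] { "https://example.invalid/.default" });

    // Constructed token standing in for what a developer credential would return.
    static AccessToken FakeToken() =>
        new AccessToken("constructed-dev-token", DateTimeOffset.UtcNow.AddMinutes(5));

    static string Run(string label, StubCredential first, StubCredential fallback)
    {
        var chain = new ChainedTokenCredential(first, fallback);
        string outcome;
        try
        {
            AccessToken token = chain.GetToken(Context, CancellationToken.None);
            outcome = "token obtained: " + token.Token;
        }
        catch (AuthenticationFailedException ex)
        {
            // CredentialUnavailableException derives from AuthenticationFailedException,
            // so this also covers the case where every source was unavailable.
            outcome = ex.GetType().Name + " surfaced to the caller";
        }
        Console.WriteLine($"{label}: {outcome} (fallback attempts: {fallback.Calls})");
        return outcome;
    }

    static void Main()
    {
        // First source reports "not available here": the chain skips it and
        // asks the fallback, which is what the report expects on a DevBox.
        Run("first source unavailable",
            new StubCredential(() => throw new CredentialUnavailableException(
                "constructed: no managed identity endpoint")),
            new StubCredential(FakeToken));

        // First source reports a hard authentication failure: the chain stops
        // and the fallback is never consulted, matching the reported symptom.
        Run("first source failed",
            new StubCredential(() => throw new AuthenticationFailedException(
                "constructed: Identity not found")),
            new StubCredential(FakeToken));
    }
}
```

Comparing the fallback attempt count between the two runs shows which exception type a credential must raise for the rest of the chain to be tried.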
Thank you for your feedback. Tagging and routing to the team member best able to assist.
This is possibly related to #46653
We're also running into this error running on our DevBox. We're using the Azure.Identity in combination with the Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder class. Using version Azure.Identity 1.12 there were no problems. Upgrading to 1.13 gives the following error:
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: The configBuilder 'AzureKeyVault' failed while processing the configuration section 'appSettings'.: 'AzureKeyVault' GetValue() Error: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity. Status: BadRequest Content: {"error":"invalid_request","error_description":"Identity not found"}
Headers: x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d Date: Thu, 17 Oct 2024 07:21:26 GMT Server: IMDS/150.870.65.1475
[Managed Identity] Error Code: invalid_request Error Description: Identity not found See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
And its complete StackTrace:
[MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475
[Managed Identity] Error Code: invalid_request Error Description: Identity not found ]
Microsoft.Identity.Client.ManagedIdentity.<HandleResponseAsync>d__9.MoveNext() +593
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.ManagedIdentity.<AuthenticateAsync>d__5.MoveNext() +1751
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Internal.Requests.<SendTokenRequestForManagedIdentityAsync>d__5.MoveNext() +704
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Internal.Requests.<GetAccessTokenAsync>d__4.MoveNext() +1709
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Internal.Requests.<ExecuteAsync>d__3.MoveNext() +2161
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Internal.Requests.<<RunAsync>b__1>d.MoveNext() +358
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Utils.<MeasureCodeBlockAsync>d__4.MoveNext() +400
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.Internal.Requests.<RunAsync>d__11.MoveNext() +1085
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Microsoft.Identity.Client.ApiConfig.Executors.<ExecuteAsync>d__2.MoveNext() +725
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<AcquireTokenForManagedIdentityAsyncCore>d__26.MoveNext() +1012
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<AcquireTokenForManagedIdentityAsync>d__24.MoveNext() +678
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<AuthenticateAsync>d__18.MoveNext() +1861
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<AuthenticateCoreAsync>d__17.MoveNext() +944
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<AuthenticateAsync>d__16.MoveNext() +1676
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<GetTokenImplAsync>d__18.MoveNext() +1079
[AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475
[Managed Identity] Error Code: invalid_request Error Description: Identity not found
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot]
Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) +83
Azure.Identity.<GetTokenImplAsync>d__18.MoveNext() +2121
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) +259
Azure.Identity.<GetTokenFromSourcesAsync>d__14.MoveNext() +1450
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.<GetTokenImplAsync>d__12.MoveNext() +3236
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) +72
Azure.Identity.<GetTokenImplAsync>d__12.MoveNext() +4169
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Identity.DefaultAzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) +259
Azure.Core.Pipeline.<SetResultOnTcsFromCredentialAsync>d__9.MoveNext() +1201
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
Azure.Core.Pipeline.<GetAuthHeaderValueAsync>d__6.MoveNext() +2569
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Core.Pipeline.<GetCurrentHeaderValue>d__19.MoveNext() +905
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
Azure.Core.Pipeline.<GetAuthHeaderValueAsync>d__6.MoveNext() +3674
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context) +206
Azure.Security.KeyVault.<AuthorizeRequestOnChallengeAsyncInternal>d__11.MoveNext() +2167
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallenge(HttpMessage message) +155
Azure.Security.KeyVault.<ProcessAsyncInternal>d__14.MoveNext() +2274
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
Azure.Core.Pipeline.<ProcessAsync>d__7.MoveNext() +603
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
Azure.Core.Pipeline.<ProcessAsync>d__5.MoveNext() +1364
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
Azure.Core.Pipeline.<ProcessAsync>d__5.MoveNext() +4246
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken) +668
Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken) +64
Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken) +17
Azure.Security.KeyVault.KeyVaultPipeline.GetPage(Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken) +528
Azure.Security.KeyVault.Secrets.<>c__DisplayClass15_0.<GetPropertiesOfSecrets>b__0(String nextLink) +206
Azure.Core.<AsPages>d__2.MoveNext() +63
Azure.<GetEnumerator>d__8.MoveNext() +213
Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder.GetAllKeys() +160
System.Lazy`1.CreateValue() +732
System.Lazy`1.LazyInitValue() +189
Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder.GetValue(String key) +147
Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.GetValueInternal(String key) +287
[KeyValueConfigBuilderException: 'AzureKeyVault' GetValue() Error: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475
[Managed Identity] Error Code: invalid_request Error Description: Identity not found
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot]
Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.GetValueInternal(String key) +510
Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.ProcessConfigurationSection(ConfigurationSection configSection) +383
System.Configuration.ConfigurationBuilderChain.ProcessConfigurationSection(ConfigurationSection configSection) +134
Thanks for reporting - I am investigating.
Hi @keggster101020 I am unable to reproduce this. Could you try creating the credential the following way to see if you still do not get prompted for interactive credentials?
```csharp
var options = new DefaultAzureCredentialOptions
{
    ExcludeEnvironmentCredential = true,
    ExcludeWorkloadIdentityCredential = false,
    ExcludeManagedIdentityCredential = false,
    ExcludeAzureDeveloperCliCredential = true,
    ExcludeSharedTokenCacheCredential = true,
    ExcludeVisualStudioCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeAzureCliCredential = true,
    ExcludeAzurePowerShellCredential = true,
    ExcludeInteractiveBrowserCredential = false
};
var cred = new DefaultAzureCredential(options);
```
Also, could you enable logging and share that with me for the failure scenario? For console output, you would just need to add the following line to your program.
```csharp
using AzureEventSourceListener listener = AzureEventSourceListener.CreateTraceLogger();
```
If you need to log the output somewhere other than the console, this is described in these docs.
Same issue is happening from Azure DevOps pipelines while connecting to an Azure SQL Database within an AzureCli@2 task.
Pipeline is executing EF Core SQL migrations executable against Azure SQL connecting as the pipeline identity (federated ARM service connection). Upgrading to 1.13.0 breaks with a very similar error. {"error":"invalid_request","error_description":"Identity not found"}
Downgrading back to 1.12 resolves the issue.
Not sure which token source is being picked up in 1.12 but sounds like it should use WorkloadIdentityCredential before ManagedIdentityCredential?
2024-10-17T14:01:54.5569573Z Status: BadRequest
2024-10-17T14:01:54.5569889Z Content:
2024-10-17T14:01:54.5570233Z {"error":"invalid_request","error_description":"Identity not found"}
2024-10-17T14:01:54.5570484Z
2024-10-17T14:01:54.5570793Z Headers:
2024-10-17T14:01:54.5571125Z Server: IMDS/150.870.65.1475
2024-10-17T14:01:54.5572761Z x-ms-request-id: 0778ae6f-ee8f-480c-bf61-f6b9baace128
2024-10-17T14:01:54.5573303Z Date: Thu, 17 Oct 2024 14:01:52 GMT
2024-10-17T14:01:54.5573518Z
2024-10-17T14:01:54.5573849Z [Managed Identity] Error Code: invalid_request Error Description: Identity not found
2024-10-17T14:01:54.5574524Z at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
2024-10-17T14:01:54.5575130Z at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
2024-10-17T14:01:54.5575688Z at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
2024-10-17T14:01:54.5576253Z at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
2024-10-17T14:01:54.5576752Z at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
2024-10-17T14:01:54.5577398Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
2024-10-17T14:01:54.5578181Z --- End of stack trace from previous location ---
2024-10-17T14:01:54.5578616Z at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
2024-10-17T14:01:54.5579228Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
2024-10-17T14:01:54.5579838Z at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
2024-10-17T14:01:54.5583764Z at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5585033Z at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5585841Z at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5587148Z at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5587757Z at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5588623Z at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5589250Z StatusCode: 0
2024-10-17T14:01:54.5589606Z ResponseBody:
2024-10-17T14:01:54.5589931Z Headers:
2024-10-17T14:01:54.5590858Z --- End of inner exception stack trace ---
2024-10-17T14:01:54.5591497Z at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-10-17T14:01:54.5592044Z at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5592606Z at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5593429Z at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
2024-10-17T14:01:54.5595453Z at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5596006Z at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-10-17T14:01:54.5601350Z at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5603146Z at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5604000Z at Microsoft.Data.SqlClient.ActiveDirectoryAuthenticationProvider.GetTokenAsync(TokenCredentialKey tokenCredentialKey, String secret, TokenRequestContext tokenRequestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5604610Z at Microsoft.Data.SqlClient.ActiveDirectoryAuthenticationProvider.AcquireTokenAsync(SqlAuthenticationParameters parameters)
2024-10-17T14:01:54.5605321Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.<>c__DisplayClass148_1.<<GetFedAuthToken>b__1>d.MoveNext()
2024-10-17T14:01:54.5606264Z --- End of stack trace from previous location ---
2024-10-17T14:01:54.5606886Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5607569Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5608044Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OnFedAuthInfo(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5609251Z at Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
2024-10-17T14:01:54.5610134Z at Microsoft.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
2024-10-17T14:01:54.5611372Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
2024-10-17T14:01:54.5612107Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, TimeoutTimer timeout, Boolean withFailover)
2024-10-17T14:01:54.5613420Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
2024-10-17T14:01:54.5614565Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
2024-10-17T14:01:54.5615832Z at Microsoft.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken, DbConnectionPool pool, Func`3 accessTokenCallback)
2024-10-17T14:01:54.5617153Z at Microsoft.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5617819Z at Microsoft.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5618544Z at Microsoft.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
2024-10-17T14:01:54.5619089Z at Microsoft.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
2024-10-17T14:01:54.5619904Z at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
2024-10-17T14:01:54.5620581Z at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
2024-10-17T14:01:54.5621265Z at Microsoft.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
2024-10-17T14:01:54.5621967Z at Microsoft.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5622649Z at Microsoft.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5623221Z at Microsoft.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry, SqlConnectionOverrides overrides)
2024-10-17T14:01:54.5623663Z at Microsoft.Data.SqlClient.SqlConnection.Open(SqlConnectionOverrides overrides)
2024-10-17T14:01:54.5624077Z at Microsoft.Data.SqlClient.SqlConnection.Open()
@christothes I can look to grab a more official repro when I get some time (I tore down the devbox as part of the testing). However, part of my scenario was also access key vault using configuration builder extensions and the error @rdvanbuuren-gasunie posted above should be reflective of the error that I saw as well.
Also, I did test the DefaultAzureCredential scenario disabling all providers except VS and interactive and I can confirm that that did resolve my issue. However, I still see this as a regression since prior to 1.13.0 the logic was as I described above: failures wouldn't break the entire chain they would only be thrown back if nothing in the chain resolved.
@keggster101020 I totally agree that a change of behavior would be a regression, I was only asking about the alternative config for troubleshooting purposes since I cannot reproduce this locally. When I fetch a token using new DefaultAzureCredential(true) it makes it past the ManagedIdentityCredential and selects the VisualStudioCredential. I presume it would continue on past that to the interactive credential if I wasn't running it from VS.
Hi @keggster101020. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@keggster101020 or @rdvanbuuren-gasunie - could you share the relevant parts of your configuration for the credential that reproduces the error in that scenario?
> @keggster101020 or @rdvanbuuren-gasunie - could you share the relevant parts of your configuration for the credential that reproduces the error in that scenario?
Yes, of course!
We're running a .NET 4.8 website using IISExpress on a DevBox, with the following configuration in the Web.config:
```xml
<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="${KEY_VAULT_NAME}" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <!-- From KeyVault -->
    <add key="ClientSecret" value="" />
  </appSettings>
</configuration>
```
This should load the ClientSecret from the KeyVault secrets into the appSetting. If you need any more information, I'm happy to help!
@christothes for the Azure DevOps Workload/Federated Identity issue (see my comment above), shall I open a new issue or keep it in this thread?
> @christothes for the Azure DevOps Workload/Federated Identity issue (see my comment above), shall I open a new issue or keep it in this thread?
I believe that issue is fixed by #46711
seeing the same issue with 13 in devbox
> seeing the same issue with 13 in devbox
Hi @aherrick - Could you clarify which issue specifically?
We are seeing a similar issue currently within an Azure DevOps pipeline.
As part of the pipeline an integration test is running which connects to AzureAppConfiguration service.
To make sure we are authenticated to read the AzureAppConfiguration resource, we perform an az login ... first, using a service principal dedicated for these integration tests.
Within the TestFixture, the connection to AzureAppConfiguration is authenticated using new DefaultAzureCredential()
With Azure.Identity.1.12.0 this process is running fine.
After updating to 1.13.0 it is failing at
Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
with
Azure.Identity.AuthenticationFailedException : ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable.
The issue is, we are not using ManagedIdentity Authentication anywhere in the devops pipeline, but instead rely on Azure CLI Credentials.
I assume that these mentioned breaking changes are somewhat related, but I really cannot find any EnvironmentVariable or other parameter in the pipeline that would match any of these...
1.13.0 (2024-10-14)
Breaking Changes
- Previously, if a clientID or ResourceID was specified for Cloud Shell managed identity, which is not supported, the clientID or resourceID would be silently ignored. Now, an exception will be thrown if a clientID or resourceID is specified for Cloud Shell managed identity.
- Previously, if a clientID or ResourceID was specified for Service Fabric managed identity, which is not supported, the clientID or resourceID would be silently ignored. Now, an exception will be thrown if a clientID or resourceID is specified for Service Fabric managed identity.
An alternative explanation would be that, some other errors in the authentication flow of ManagedIdentityCredential that were silently caught in the previous version, eventually leading to the factory to traverse further through the configured identity providers, now actually make the process fail early, and not providing the factory with the chance to continue...
From my local dev-machine everything is running as expected, so there must be something on the MS Hosted agent in devops, that now make the library think it should use ManagedIdentity...
Ok, looks like, this is also being solved by #46711
as the case I described above also leads to {"error":"invalid_request","error_description":"Identity not found"}
Still I would be curious to understand what is making the lib in 1.13.0 assume that it has to try ManagedIdentity in the first place 🤔
I can confirm this issue.
Create a simple console application
IdentityTest.csproj
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.12.1" />
  </ItemGroup>
</Project>
Program.cs
Console.WriteLine((await new Azure.Identity.DefaultAzureCredential(false).GetTokenAsync(new Azure.Core.TokenRequestContext(["<Valid scope for your tenant>"], null))).Token);
Run in a pipeline using the AzureCLI@2 task.
Pipeline:
pool:
  name: Azure Pipelines
  vmImage: "ubuntu-latest"
trigger: none
steps:
  - task: AzureCLI@2
    displayName: Get credentials for pipeline agent principal
    inputs:
      azureSubscription: <Name of Azure Resource Manager Service Connection>
      scriptType: pscore
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      inlineScript: dotnet run --project IdentityTest.csproj
The pipeline will succeed when using Azure Identity 1.12.1
Using Azure Identity 1.13.0 will produce this error:
Unhandled exception. Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 85ec817c-d0b7-42f6-892d-c13b6c136982
Date: Wed, 23 Oct 2024 13:20:55 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
---> MSAL.NetCore.4.65.0.0.MsalServiceException:
ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 85ec817c-d0b7-42f6-892d-c13b6c136982
Date: Wed, 23 Oct 2024 13:20:55 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found
at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
StatusCode: 0
ResponseBody:
Headers:
--- End of inner exception stack trace ---
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Program.<Main>$(String[] args) in /home/vsts/work/1/s/Program.cs:line 1
at Program.<Main>(String[] args)
Thanks @phelm1-landolakes - I have a local repro now and I have a fix.
@phelm1-landolakes Would you mind verifying with your repro also using this latest build? 1.14.0-alpha.20241023.3
@christothes Using package version 1.14.0-alpha.20241023.3 succeeds.
This is now available on the public nuget as 1.13.1
Can someone please confirm if this problem is resolved in version 1.13.1? I have recently gotten this error and my Azure.Identity is updated to version 1.13.1. I tried the latest version as well Install-Package Azure.Identity -version 1.14.0-alpha.20241023.3 but still getting the same error.
@MHDBST - If you are seeing the same error with 1.13.1, please open a new issue with the specific details of your issue. It may be a different problem.
I ran into an issue with this on an Azure DevOps instance; after upgrading to version 1.13.1 it was resolved. Thanks.
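For agents like the ones in this thread, where an earlier `az login` or AzureCLI@2 step is the intended token source, the credential chain can be pinned so that no managed identity probe is attempted at all. This is an added example, not code from the thread or from the Azure SDK team; the scope value and the choice of sources in the pinned chain are assumptions to adapt.

```csharp
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Assumption: example scope; replace with the resource your code calls.
var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });

// Option 1: list only the sources expected on the agent. With
// ManagedIdentityCredential left out, an IMDS "Identity not found"
// reply cannot end the chain before the Azure CLI source is tried.
TokenCredential pinned = new ChainedTokenCredential(
    new EnvironmentCredential(),
    new AzureCliCredential());

// Option 2: keep the rest of the default chain and drop only the
// managed identity source.
TokenCredential defaultWithoutMi = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions { ExcludeManagedIdentityCredential = true });

var candidates = new[] { ("pinned", pinned), ("default-no-MI", defaultWithoutMi) };

foreach (var (name, credential) in candidates)
{
    try
    {
        AccessToken token = await credential.GetTokenAsync(context, CancellationToken.None);
        // Log the expiry only, never the token itself.
        Console.WriteLine($"{name}: token acquired, expires {token.ExpiresOn:u}");
    }
    catch (AuthenticationFailedException ex)
    {
        // CredentialUnavailableException derives from AuthenticationFailedException,
        // so this handler sees both; the type name shows which one was thrown and
        // the message lists what the sources reported.
        Console.WriteLine($"{name}: {ex.GetType().Name}: {ex.Message}");
    }
}
```

Pinning the chain also makes the identity a build authenticates as deterministic, instead of depending on whatever the host environment happens to expose.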