
Authentication fails for User Assigned Managed Identity #6

Closed
shivatk opened this issue May 25, 2023 · 8 comments · Fixed by #7

Comments

@shivatk

shivatk commented May 25, 2023

Calling AzureCacheForRedis.ConfigureForAzureWithUserAssignedManagedIdentityAsync method fails with "Identity not found" error.

I've tested this code in an Azure managed VM and in an AKS container, and in both cases, the ConfigureForAzureWithUserAssignedManagedIdentityAsync fails with the following error -->

MSAL.NetCore.4.53.0.0.MsalServiceException: 
ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. The requested identity has not been assigned to this resource.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Inside the method call stack, the ImdsManagedIdentitySource.CreateRequest method makes a request to the Azure Instance Metadata Service (IMDS) endpoint -->

GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=acca5fbb-b7e4-4009-81f1-37e38fd66d78&mi_res_id={User_Client_ID} HTTP/1.1
Host: 169.254.169.254
Metadata: true
Accept: application/json

Making this same request manually from the VM/Container also fails with "Identity not found". I believe this is because the wrong query parameter is being used in the request. The mi_res_id query param is for the Resource ID and not Client ID. (reference here)

If I change the mi_res_id query param to client_id, the request succeeds, and I get a valid token. Alternatively, if I pass ResourceID of the User Identity instead of the ClientID to the ConfigureForAzureWithUserAssignedManagedIdentityAsync method, connection succeeds.

Looking at ImdsManagedIdentitySource.CreateRequest, ServiceBundle.Config.ManagedIdentityId.IdType is read to determine which query param to use. I'm unsure why ManagedIdentityIdType.ResourceId is being picked up instead of ManagedIdentityIdType.ClientId.


Package Microsoft.Azure.StackExchangeRedis Version 1.1.0

Steps to reproduce:

  1. Create a VM or AKS cluster in Azure.
  2. Create a User Assigned Managed Identity and assign it to the VM/AKS cluster.
  3. Run sample app from this repo and call ConfigureForAzureWithUserAssignedManagedIdentityAsync method with valid Principal ID and Client ID.
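As an added illustration (not code from this repo, from MSAL, or from any commenter), the helper below chooses the IMDS query parameter from the shape of the identifier, builds the token request the way the issue describes it, and flags the exact mismatch reported above (a client-ID GUID sent as mi_res_id). The object_id parameter is assumed from the IMDS documentation rather than taken from this thread.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Client ID and object (principal) ID are GUIDs; mi_res_id is an ARM resource path.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
RES_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/"
    r"microsoft\.managedidentity/userassignedidentities/[^/]+$", re.I)

def imds_id_param(identity: str, kind: str = "auto") -> str:
    """Return the IMDS query parameter that matches the identifier.

    kind may be 'client_id', 'object_id', 'mi_res_id' or 'auto' (infer from shape)."""
    if kind == "auto":
        if GUID_RE.match(identity):
            kind = "client_id"          # a GUID is a client ID, never a resource ID
        elif RES_ID_RE.match(identity):
            kind = "mi_res_id"
        else:
            raise ValueError(f"unrecognised managed identity identifier: {identity!r}")
    if kind not in ("client_id", "object_id", "mi_res_id"):
        raise ValueError(f"unsupported IMDS identity parameter: {kind}")
    return kind

def build_imds_token_request(resource: str, identity: str, kind: str = "auto"):
    """Build (url, headers) for a user-assigned managed identity token request.

    The request is only constructed here; nothing is sent."""
    param = imds_id_param(identity, kind)
    query = urlencode({"api-version": IMDS_API_VERSION, "resource": resource, param: identity})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true", "Accept": "application/json"}

def diagnose_identity_not_found(url: str) -> str:
    """Explain an IMDS 'Identity not found' reply from the request URL that produced it."""
    qs = parse_qs(urlparse(url).query)
    used = [p for p in ("client_id", "object_id", "mi_res_id") if p in qs]
    if not used:
        return "no identity parameter: IMDS falls back to the system-assigned identity"
    param, value = used[0], qs[used[0]][0]
    if param == "mi_res_id" and GUID_RE.match(value):
        return "GUID sent as mi_res_id; mi_res_id expects the ARM resource ID, use client_id"
    if param != "mi_res_id" and not GUID_RE.match(value):
        return f"{param} must be a GUID"
    return f"{param} is well-formed; verify the identity is assigned to this VM or node"
```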
@samsaha-ms

Thanks for reporting this. Could you please share what value you are using as clientId? A valid client-id would be in GUID format.
The Client ID of your user-assigned managed identity can be verified from the "Client ID" field in the "Overview" blade of the corresponding user-assigned managed identity resource in the Azure portal, as shown here: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#list-user-assigned-managed-identities.

@shivatk
Author

shivatk commented May 25, 2023

Sure, I was using 3839c228-0087-44dd-bc58-1e8f385fd211. This was the output when I was verifying the identity details for the AKS pod via the az CLI:

"userAssignedIdentities": {
    "/subscriptions/3bf93c69-832d-4bf2-a6da-0f195c3a0a53/resourcegroups/Redis_aad_testdriver/providers/Microsoft.ManagedIdentity/userAssignedIdentities/RedisSecondDriver": {
      "clientId": "3839c228-0087-44dd-bc58-1e8f385fd211",
      "principalId": "c669f7eb-c11f-4356-be3d-5be452079505"
    }
}

@samsaha-ms

That is strange. Generally, a valid GUID format should use client_id as the query param. It would be a good idea to debug, when you are calling ConfigureForAzureWithUserAssignedManagedIdentityAsync(), whether any extra characters are being added to the input.
Additionally, we are working on updating our extension with an improved version of dependency packages, which should help resolve this query param selection in a better way as part of this PR.

@shivatk
Author

shivatk commented May 25, 2023

Thank you @samsaha-ms

@amitpatel158

Hi @samsaha-ms,
We also encountered the same issue & got exactly the same error.

Environment Details:
(1) AKS with Workload Identity.
(2) Microsoft.Azure.StackExchangeRedis: 1.1.0
Any plan to get it fixed in the upcoming release?

@samsaha-ms

@philon-msft, any plan to create new release with this fix #7?

@philon-msft
Contributor

Yes, we're working on a new release now. No ETA yet, but it should come out in the next few weeks.

@philon-msft
Contributor

philon-msft commented Nov 8, 2023

v2.0.0 has been released including the updated Microsoft.Identity.Client package. Please give it a try and let us know if you still see any issues.
