Authentication fails for User Assigned Managed Identity #6
Comments
Thanks for reporting this. Could you please share what value you are using as clientId? A valid client-id would be in GUID format.
Sure, I was using
That is strange. Generally, a valid GUID format should use client_id as the query param. It would be a good idea to debug whether any extra characters are being added to the input when you call ConfigureForAzureWithUserAssignedManagedIdentityAsync().
Thank you @samsaha-ms
Hi @samsaha-ms, Environment Details:
@philon-msft, any plan to create a new release with this fix, #7?
Yes, we're working on a new release now. No ETA yet, but it should come out in the next few weeks.
v2.0.0 has been released including the updated Microsoft.Identity.Client package. Please give it a try and let us know if you still see any issues.
Calling AzureCacheForRedis.ConfigureForAzureWithUserAssignedManagedIdentityAsync method fails with "Identity not found" error.
I've tested this code in an Azure managed VM and in an AKS container, and in both cases, the ConfigureForAzureWithUserAssignedManagedIdentityAsync fails with the following error -->
Inside the method call stack, the ImdsManagedIdentitySource.CreateRequest method makes a request to the Azure Instance Metadata Service (IMDS) endpoint -->
Making this same request manually from the VM/Container also fails with "Identity not found". I believe this is because the wrong query parameter is being used in the request. The mi_res_id query param is for the Resource ID and not Client ID. (reference here)
If I change the mi_res_id query param to client_id, the request succeeds, and I get a valid token. Alternatively, if I pass ResourceID of the User Identity instead of the ClientID to the ConfigureForAzureWithUserAssignedManagedIdentityAsync method, connection succeeds.
Looking at ImdsManagedIdentitySource.CreateRequest, ServiceBundle.Config.ManagedIdentityId.IdType is read to determine which query param to use. I'm unsure why ManagedIdentityIdType.ResourceId is being picked up instead of ManagedIdentityIdType.ClientId.
Package Microsoft.Azure.StackExchangeRedis Version 1.1.0
Steps to reproduce:
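The reporter's diagnosis turns on which query parameter the IMDS token request carries: `client_id` for the identity's client ID (a GUID) versus `mi_res_id` for its ARM resource ID. The following is an added example, not code from this issue or from the Microsoft.Azure.StackExchangeRedis project, that reproduces the "manual request from the VM" check in Python. It classifies the identifier, builds the IMDS token URL with the matching parameter, rejects input with stray characters (the point raised in the comments), and can optionally perform the request on a VM or container that has IMDS reachable. The IMDS endpoint, the `Metadata: true` header, the `api-version` value and the three identity parameters are documented IMDS behaviour; the sample GUID and resource ID are constructed, and the `https://redis.azure.com` resource is an assumption for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

# Azure Instance Metadata Service token endpoint (link-local, only reachable from inside the VM/container).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# A managed-identity client ID is a plain GUID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
# A user-assigned identity resource ID is an ARM path (case-insensitive in practice).
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/"
    r"microsoft\.managedidentity/userassignedidentities/[^/]+$",
    re.IGNORECASE,
)


def identity_query_param(identity_id: str) -> str:
    """Return the IMDS query parameter that matches the kind of identifier given.

    IMDS accepts exactly one of client_id, object_id or mi_res_id. Sending a GUID
    under mi_res_id (the bug described in this issue) yields "Identity not found".
    """
    value = identity_id.strip()
    if GUID_RE.match(value):
        return "client_id"
    if RESOURCE_ID_RE.match(value):
        return "mi_res_id"
    # Anything else (including a GUID with stray characters appended) is rejected
    # here rather than sent to IMDS, where it would fail with a misleading error.
    raise ValueError(f"not a client ID (GUID) or a user-assigned identity resource ID: {identity_id!r}")


def build_imds_token_url(identity_id: str, resource: str) -> str:
    """Build the IMDS token request URL for a user-assigned managed identity."""
    value = identity_id.strip()
    params = {
        "api-version": IMDS_API_VERSION,
        "resource": resource,
        identity_query_param(value): value,
    }
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)


def request_token(identity_id: str, resource: str, timeout: float = 5.0) -> dict:
    """Perform the IMDS request. Only works on an Azure VM/container; not exercised offline."""
    req = urllib.request.Request(
        build_imds_token_url(identity_id, resource),
        headers={"Metadata": "true"},  # IMDS refuses requests without this header
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample identifiers; the resource value is an assumption.
    sample_client_id = "12345678-1234-1234-1234-123456789abc"
    sample_resource_id = (
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
        "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity"
    )
    print(build_imds_token_url(sample_client_id, "https://redis.azure.com"))
    print(build_imds_token_url(sample_resource_id, "https://redis.azure.com"))
```

On an affected host, compare the URL this prints for the GUID (which uses `client_id`) with the one the library emits (which the issue reports as using `mi_res_id` for the same value); the first should return a token and the second "Identity not found".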