-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update ManagedAppServiceToken constructor to accept and correctly process resource Id #8983
Comments
cc @joeyaiello @daxian-dbw for awareness |
@eamonoreilly @TylerLeonhardt Do you have a debug trace of a failed request? There are some KeyVaule cmdlets that also require Graph access. |
Here is the debug information Mark.
|
@markcowl I added a debug trace. Hopefully this is enough information to isolate what might be happening. |
@eamonoreilly Why is this issue closed? |
@daxian-dbw Closed by mistake!. Thanks for the ping and I'm reopening. |
@eamonoreilly Thanks, that pinpoints exactly what the error is and where it occurs in the code. We will take a look. |
DescriptionManagedAppServiceToken does not accept resource (token audience) and so cannot be used to authenticate data plane calls.
Cost: 4 |
When will the issue be fixed? I hit it when develop my azure function |
@markcowl , @cormacpayne I got the same error when invoking Get-AzKeyVaultCertificate. Can I assume it is caused by the same issue? Before the issue got fixed, could you provide a workaround to get certificate outside cmdlet? |
Still an issue. We do need this fixed. |
The same issue exists in Set-AzKeyVaultSecret |
Can confirm this is still an issue. |
do you have an ETA on when this change will ship? |
The fix has been merged and will be available in the new version of |
Closing as fixed. |
Verified fix in Azure Automation runbooks. Thank you! |
Is this fix available in ps function app yet? I still get Unauthorized error on a ps azure function when running Get-AzKeyVaultSecret from a ps function. |
Make sure you have the latest modules in your requirements.psd1 If you go to Platform Features -> App service editor, you may need to update the Az modules to 2.* as they might be at 1.* still. I confirmed it worked with the latest 2.* module (https://www.powershellgallery.com/packages/Az/2.3.2) @{ |
Thanks @eamonoreilly , after update the requirement, it works for me now |
Description
Managed identity within function application is not getting token automatically for vault.azure.net when using *-AzKeyVaultSecret cmdlets. If you set / retrieve a secret from key vault, it will return an unauthorized message.
Steps to reproduce
Enable managed identity on a function application.
Grant access to a secret for this managed identify
Run the following from a PowerShell function
It will return unauthorized.
If you perform the request manually outside of the cmdlets, it works correctly.
You can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-services-that-support-azure-ad-authentication for list of Resource Id that should work with managed identity in function app.
The text was updated successfully, but these errors were encountered: