Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available #39548

Open
SwatiBaffle opened this issue Apr 4, 2024 · 6 comments
Assignees
Labels
Azure.Identity
Client: This issue points to a problem in the data-plane of the library.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention: This issue needs attention from Azure service team or SDK team
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that

SwatiBaffle commented Apr 4, 2024

a) Set up a Postgres database with managed identity
b) Add this managed identity in the database
psql "host= dbname=postgres user= password=$PGPASSWORD" -c "select * from pgaadauth_create_principal_with_oid(,, 'service', false, false);"

c) Create an app which will create JDBC connectivity using the Postgres DB (workload identity enabled)
d) Deploy this app in a K8s environment and verify the flow with the JDBC connection
K8s is already using azure.workload.identity/use: "true"
as well as, for the service account, azure.workload.identity/client-id:

There are two issues faced during this setup:

  1. Token generation for the database password uses the code snippet below
    TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId).build();
    String accessToken = ((AccessToken)managedIdentityCredential.getToken((new TokenRequestContext()).addScopes(new String[]{"https://ossrdbms-aad.database.windows.net/.default"})).block()).getToken();

which errors out as below
ERROR ManagedIdentityCredential:553 - Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available.

  2. Second, with SSL mode: the JKS file has info about the SSL certificate used by the Postgres DB
    it errors out as below
    org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints

Looking for reference docs and steps for:
create postgres database with workload identity
create JDBC app to connect with postgres database

github-actions bot added the Azure.Identity, Client, customer-reported, needs-team-attention and question labels Apr 4, 2024

github-actions bot commented Apr 4, 2024

@billwert @g2vinay

github-actions bot commented Apr 4, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.


mschmidt291 commented Apr 5, 2024

We also have the same problem. It seems like the azure-identity-extensions for Java used for authenticating is not supporting Workload Identity. I also opened an issue yesterday.

The auth flow for azure-identity usually looks like: Environment -> Workload Identity -> Managed Identity -> ... rest of methods. For the azure-identity-extensions, the Workload Identity step is completely missing from the flow, thus it is still required to use Managed Identity, which is deprecated.

fyi: #39540

Contributor

billwert commented Apr 5, 2024

Hello @SwatiBaffle

We'll take a look at this and get back to you soon.

@SwatiBaffle
Author

Any update here?

@yashpalslathia21

Any update on this issue? I am also facing the same issue. I am using the azure-identity library with version 1.12.0.
I have followed all the steps to enable workload identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster.
Following is the snippet of code I am using:

    DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
            .managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6").build();

    AccessToken accessToken = managedIdentityCredentialUserAssigned
            .getToken(new TokenRequestContext().setTenantId(tenantId)).block();
    String token = accessToken.getToken();
    logger.info("token : {}", token);

Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is the clientId corresponding to the managed identity.
managedIdentityCredentialUserAssigned.getToken() is throwing the following error:

[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.

Is this a defect in the Azure SDK for Java as discussed above?
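
An added example, not code from any participant in this thread or from the Azure SDK team: it requests the PostgreSQL scope from the issue title through an explicit `WorkloadIdentityCredential` instead of `ManagedIdentityCredential`, after checking that the environment variables injected by the AKS workload identity webhook are present. The `PGHOST` and `PGUSER` variables and the class name are assumptions of this example.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.WorkloadIdentityCredentialBuilder;

import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class WorkloadIdentityPostgres {
    // Scope from the issue title; a request with no scope at all shows up as "scopes []".
    static final String SCOPE = "https://ossrdbms-aad.database.windows.net/.default";

    /** Fails fast with a readable message when a required variable is missing. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(name + " is not set in this pod");
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Injected by the workload identity webhook into pods labeled azure.workload.identity/use: "true".
        String clientId = requireEnv("AZURE_CLIENT_ID");
        String tenantId = requireEnv("AZURE_TENANT_ID");
        String tokenFile = requireEnv("AZURE_FEDERATED_TOKEN_FILE");
        if (!Files.isReadable(Path.of(tokenFile))) {
            throw new IllegalStateException("Projected service account token not readable: " + tokenFile);
        }

        TokenCredential credential = new WorkloadIdentityCredentialBuilder()
            .clientId(clientId).tenantId(tenantId).tokenFilePath(tokenFile).build();
        AccessToken token = credential.getToken(new TokenRequestContext().addScopes(SCOPE)).block();
        // Log metadata only: the token is a bearer credential and is used as the DB password.
        System.out.println("token acquired, expires at " + token.getExpiresAt());

        Properties props = new Properties();
        props.setProperty("user", requireEnv("PGUSER"));      // assumed variable: the database principal name
        props.setProperty("password", token.getToken());
        // verify-full needs the server CA available to the driver (sslrootcert or the default root.crt).
        props.setProperty("sslmode", "verify-full");
        String url = "jdbc:postgresql://" + requireEnv("PGHOST") + ":5432/postgres"; // assumed variable
        try (Connection c = DriverManager.getConnection(url, props)) {
            System.out.println("connected: " + c.isValid(5));
        }
    }
}
```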

Projects
Status: Untriaged
5 participants