[QUERY] DefaultIdentityNotDefined error response from attempt to get User-assigned MSI token from a scope #45547
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @AdamL-Microsoft -
Hi @AdamL-Microsoft. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @christothes, I believe the MSI should be assigned since we're able to use the MSI with az CLI commands inside the instance. On review, this is actually running on an Azure container instance we don't have direct ownership of. This error above is from an EV2 agent log output during a rollout. We're thinking this might be a limitation of EV2 if this process is supported in vanilla Windows-based Azure Containers. Our first tests running the app on a VM with the MSI added to it were able to get a token without issue.
@christothes We're also experiencing the same issue with ACI. Container has UAMI assigned, and we're able to CURL the %IDENTITY_ENDPOINT% (not 169.254.169.254) from the CMD. However, Azure.Identity SDK is struggling to figure out the correct flow.
Hi @AdamL-Microsoft - If that works, please capture some logging and we can see what is different about the two requests - details here
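One way to capture the logging requested above while keeping secrets out of the output; this is an added example, not code from the issue or from the Azure SDK team. The class name and the two command-line arguments (client ID and scope) are assumptions, and the list holds the endpoint-related environment variables Azure.Identity reads for managed identity.

```csharp
using System;
using System.Diagnostics.Tracing;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

class MsiDiagnostics // hypothetical name, not part of the issue's program
{
    // Only presence is printed: IDENTITY_HEADER and MSI_SECRET are secrets
    // and their values must not end up in rollout or container logs.
    static readonly string[] EndpointVars =
    {
        "IDENTITY_ENDPOINT", "IDENTITY_HEADER", "IDENTITY_SERVER_THUMBPRINT",
        "IMDS_ENDPOINT", "MSI_ENDPOINT", "MSI_SECRET",
        "AZURE_POD_IDENTITY_AUTHORITY_HOST"
    };

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: MsiDiagnostics <client-id> <scope>");
            return 2;
        }

        foreach (var name in EndpointVars)
        {
            bool set = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name));
            Console.WriteLine($"{name}: {(set ? "set" : "not set")}");
        }

        // Send Azure SDK event source output (including Azure.Identity) to the console.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        var credential = new ManagedIdentityCredential(clientId: args[0]);
        try
        {
            AccessToken token = credential.GetToken(new TokenRequestContext(new[] { args[1] }));
            // Print only the expiry; the token itself is a bearer secret.
            Console.WriteLine($"Token acquired, expires {token.ExpiresOn:O}");
            return 0;
        }
        catch (Exception ex) when (ex is CredentialUnavailableException or AuthenticationFailedException)
        {
            Console.WriteLine($"{ex.GetType().Name}: {ex.Message}");
            return 1;
        }
    }
}
```

Running the same binary on the VM where the token request succeeds and in the container where it fails gives two logs whose endpoint selection can be compared line by line.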
Hi @AdamL-Microsoft. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @AdamL-Microsoft, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
I have the exact same error when attempting to access an Azure Key Vault from a C# application within a Windows-based Azure Container Instance. Both user- and system-assigned managed identities throw this error back, and there is nothing helpful in the documentation about this. Happy to provide more information because I am struggling to do authentication the Right Way and from what I can tell managed identities in Windows-based containers simply don't work.
@melliott-whitebox - If you could provide the info described in this previous comment, we could troubleshoot further.
May be related to #43076
I've created a test application that does the following:
This code has been deployed into ACR, and from there into ACI with an assigned identity. The identity is clearly assigned, based on the results of
When the container instance runs, I get the following log. Same message, default identity cannot be found.
@christothes is this helpful at all?
Hi @melliott-whitebox Looking at your log output, it appears that it's attempting to reach an AKS pod identity (based on the url Is the code running from the ACI? Can you validate that you can receive a token via the bash steps mentioned here?
@christothes it's definitely running within ACI. I'm not sure I can run a bash shell within the container, since it is a Windows container. Is this possible?
Yes - it appears to be via the commands in the article - https://learn.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#use-user-assigned-identity-to-get-secret-from-key-vault
Library name and version
Azure.Identity 1.12.0
Query/Question
Having an issue with the Azure.Identity library while using the GetToken() method in a pretty basic program that is essentially:
The MSI is in the same tenant as the API it's trying to auth against and has a role granted to it to access the Azure API scope specified. The app is also running on a VM that has permission to use the user-assigned MSI.
However the program fails and gets a 404 Not found when tried with a DefaultIdentityNotDefined error. The referenced troubleshooting link has no signs of this error or anything related as far as I can tell.
Any idea what's wrong or that I've missed setting here?
The full output error/stacktrace is:
Environment
Running on a Windows Server LTSC 2022 VM, with .NET 4.8, .NET Core 8.0.4 (runtime) installed, called from PowerShell Core 7.4.2
compiled for
<TargetFramework>net8.0</TargetFramework>
(this is an EV2 agent in the Azure Production Management tenant)