Closed
Labels
bug, regression, seal/azure
Description
Describe the bug
After updating to version 1.18.5, Vault cannot log in to Azure anymore.
To Reproduce
Azure steps:
- Provision Azure Key Vault
- Configure Federated Identity Credential
- Assign Key Vault permissions to identity
Kubernetes steps:
- Install Vault on Azure Kubernetes Services
- Add pod label azure.workload.identity/use: "true"
- Configure raft with seal "azurekeyvault" {}
- Start Vault server
Error message
error parsing Seal configuration: error fetching Azure Key Vault wrapper key information: ManagedIdentityCredential authentication failed. the requested identity isn't assigned to this resource
GET http://169.254.169.254/metadata/identity/oauth2/token
RESPONSE 400: 400 Bad Request
Expected behavior
Vault uses Azure Workload Identity to authenticate to Azure.
Environment:
- Vault Server Version (retrieve with vault status): 1.18.5
- Vault CLI Version (retrieve with vault version): 1.18.5
- Server Operating System/Architecture: Linux/x86_64
Vault server configuration file(s):
ui = true
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/vault-tls/tls.crt"
tls_key_file = "/vault/userconfig/vault-tls/tls.key"
tls_client_ca_file = "/vault/userconfig/vault-tls/ca.crt"
}
seal "azurekeyvault" {
}
storage "raft" {
performance_multiplier = 1
path = "/vault/data"
retry_join {
auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"vault\" "
auto_join_scheme = "https"
leader_tls_servername = "vault"
leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
leader_client_key_file = "/vault/userconfig/vault-tls/tls.key"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
plugin_directory = "/usr/local/libexec/vault/"
disable_mlock = true
Additional context
Version 1.18.4 works fine with the same configuration
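The error above shows the Azure SDK asking the IMDS endpoint (169.254.169.254) for a managed-identity token instead of performing a federated token exchange. The following diagnostic is an added example, not code from the issue or from the Vault project: it checks whether a pod actually received the environment the Azure Workload Identity webhook injects (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE; these variable names come from that project, not from this page) and inspects the projected service-account token's claims without verifying its signature, so the pod side can be confirmed before attributing the failure to a Vault version. The token path, issuer, identity IDs and service-account name below are constructed sample values.

```python
"""Check which Azure credential path a Vault pod can take for the
azurekeyvault seal. Added example, not from the issue or the Vault project.
All sample values below are constructed so the script runs offline."""
import base64
import json
import os
import time

# Variables the Azure Workload Identity webhook injects into pods labelled
# azure.workload.identity/use: "true" (assumption: names from that project).
WORKLOAD_IDENTITY_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Entra ID verifies the signature during the federation exchange; here we
    only want to see iss/sub/aud/exp to diagnose configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(env, read_file=None, now=None) -> dict:
    """Classify the credential path a pod would take and list problems found.

    env: environment mapping (os.environ inside a real pod).
    read_file: callable(path) -> str, injectable so the check runs offline.
    Returns {"path": "workload-identity" | "imds-fallback",
             "problems": [...], "claims": dict | None}.
    """
    read_file = read_file or (lambda p: open(p, encoding="utf-8").read())
    now = time.time() if now is None else now
    problems = []
    missing = [v for v in WORKLOAD_IDENTITY_VARS if not env.get(v)]
    if missing:
        # Without these, Azure SDK credential chains fall through to the IMDS
        # endpoint (169.254.169.254), which is what the issue's error shows.
        problems.append(f"missing env vars, webhook not applied to pod?: {missing}")
        return {"path": "imds-fallback", "problems": problems, "claims": None}
    try:
        claims = jwt_claims(read_file(env["AZURE_FEDERATED_TOKEN_FILE"]).strip())
    except (OSError, ValueError) as exc:
        problems.append(f"federated token unreadable: {exc}")
        return {"path": "imds-fallback", "problems": problems, "claims": None}
    # The federated identity credential on the managed identity must match
    # issuer, subject and audience exactly, so surface the usual mismatches.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud_list:
        problems.append(f"audience {aud!r} is not {TOKEN_EXCHANGE_AUDIENCE}")
    if claims.get("exp", 0) <= now:
        problems.append("projected token is expired; kubelet should have rotated it")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append(f"subject {claims.get('sub')!r} is not a Kubernetes service account")
    return {"path": "workload-identity", "problems": problems, "claims": claims}


# ---- constructed sample data (not real tokens, tenants or issuers) ----
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN_PATH = "/var/run/secrets/azure/tokens/azure-identity-token"  # webhook default mount


def _unsigned_jwt(claims: dict) -> str:
    """Structurally valid JWT with an empty signature, for the offline sample only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_CLAIMS = {
    "iss": "https://oidc.example.invalid/<cluster-issuer-placeholder>/",
    "sub": "system:serviceaccount:vault:vault",
    "aud": [TOKEN_EXCHANGE_AUDIENCE],
    "exp": SAMPLE_NOW + 3600,
}
SAMPLE_FILES = {SAMPLE_TOKEN_PATH: _unsigned_jwt(SAMPLE_CLAIMS)}
SAMPLE_ENV_WEBHOOK = {
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder
    "AZURE_FEDERATED_TOKEN_FILE": SAMPLE_TOKEN_PATH,
}
SAMPLE_ENV_NO_WEBHOOK = {}  # pod label absent or webhook not installed


def sample_read_file(path: str) -> str:
    # Stand-in for the filesystem; raises like open() would for a missing file.
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    for name, env in (("labelled pod", SAMPLE_ENV_WEBHOOK), ("unlabelled pod", SAMPLE_ENV_NO_WEBHOOK)):
        print(name, diagnose(env, read_file=sample_read_file, now=SAMPLE_NOW))
    print("this process", diagnose(os.environ))  # inside a real pod, reads the projected token
```

Run it inside the Vault pod (kubectl exec) to see whether the result is "workload-identity" with no problems; an "imds-fallback" result with missing variables points at the pod label or webhook rather than at Vault, while a clean result alongside the error above points at the seal's credential handling in the new version.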