Azure.Identity issue with Container Apps #325

Closed
2 tasks
stephaneey opened this issue Jul 24, 2022 · 5 comments

@stephaneey

Please provide us with the following information:

This issue is a: (mark with an x)

  • [x] bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

Hello, not sure whether this is the right place to report this problem. Trying to leverage a user-assigned identity from the application code results in a failure (system-assigned identity works fine).

Steps to reproduce

  1. Create a container app
  2. Assign a user-assigned identity
  3. Create a new revision with the below code:
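    using System;
    using Microsoft.Azure.Services.AppAuthentication;

    // Parameterless constructor: no connection string, so no identity is named explicitly
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    Console.WriteLine(await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/"));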

The exact same code works fine with Azure Container Instances and with AKS (provided you also deploy the AzureIdentity & the AzureIdentityBinding). I'm using the latest version (1.6.2) of the Microsoft.Azure.Services.AppAuthentication NuGet package. This might be an SDK issue but not sure.

Expected behavior [What you expected to happen.]

A token should be returned

Actual behavior [What actually happened.]

Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

Ex. Did this issue occur in the CLI or the Portal?

@ghost ghost added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Jul 24, 2022
@anthonychu
Member

@stephaneey Did you try to provide a connection string that specifies the user assigned identity? See https://docs.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication#connection-string-support

@anthonychu anthonychu added Needs: Author Feedback and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels Jul 30, 2022
@stephaneey
Author

Hi Anthony,

Thanks for your answer. It works when adding the connection string. I still wonder why the other method (parameterless constructor) works well in both ACI and AKS but not in ACA.

Best Regards

@vturecek

vturecek commented Aug 2, 2022

@stephaneey ACI and AKS will automatically select a user-assigned identity for you when you don't specify a client ID. Unfortunately, that can lead to unexpected results, like causing your application to break just by assigning another identity to it. In Container Apps, we require you to be explicit about which user-assigned identity you want to use, guaranteeing that your application will not spontaneously break in the future if you assign another identity to it.

@stephaneey
Author

Hi @vturecek,

Ok thanks for the clarification.

Best Regards

@cwe1ss

cwe1ss commented Oct 3, 2022

just an fyi, since the title contains Azure.Identity (the newer .NET SDK that replaces Microsoft.Azure.Services.AppAuthentication):

If you want to use ACA with user-assigned identities and the Azure.Identity NuGet package, you have to set the environment variable AZURE_CLIENT_ID to the identity's clientId.

You can then use var azureCredential = new DefaultAzureCredential(); in your code.

Here's some references:

I implemented this in my ACA template here:
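
Added example (not code from any participant in this thread or from the template mentioned above): the explicit identity selection that vturecek and cwe1ss describe, in C#, for both the older Microsoft.Azure.Services.AppAuthentication library and Azure.Identity. The class and method names are illustrative, and the `RunAs=App;AppId=...` form is the user-assigned-identity connection string from the AppAuthentication documentation that anthonychu links.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Services.AppAuthentication;

// Illustrative class name; not part of either SDK.
public static class ExplicitIdentityDemo
{
    private const string ArmResource = "https://management.azure.com/";

    // Fail fast if no identity is named, instead of letting the SDK
    // probe several methods and report "none of them worked".
    public static string RequireClientId()
    {
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") ?? "";
        if (!Guid.TryParse(clientId, out _))
            throw new InvalidOperationException(
                "AZURE_CLIENT_ID must hold the clientId (GUID) of the user-assigned identity.");
        return clientId;
    }

    // Older library: name the identity in the connection string.
    public static Task<string> GetTokenLegacyAsync(string clientId)
    {
        var provider = new AzureServiceTokenProvider($"RunAs=App;AppId={clientId}");
        return provider.GetAccessTokenAsync(ArmResource);
    }

    // Azure.Identity: pin the credential to one client ID so that attaching
    // a second identity to the container app later cannot change the result.
    public static async Task<string> GetTokenAsync(string clientId)
    {
        var credential = new ManagedIdentityCredential(clientId);
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { ArmResource + ".default" }));
        return token.Token;
    }

    public static async Task Main()
    {
        var clientId = RequireClientId();
        var token = await GetTokenAsync(clientId);
        // Log that a token was obtained and for which identity, not the token itself:
        // container stdout is typically collected into a log store.
        Console.WriteLine($"Token acquired for identity {clientId} ({token.Length} chars)");
    }
}
```

With `AZURE_CLIENT_ID` set on the container, `new DefaultAzureCredential()` resolves the same identity; constructing `ManagedIdentityCredential` directly skips the other credential types in the default chain.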
