Tags: c#, azure, azure-appservice

App service cannot access Managed Identity in C# .net 7 app


I am trying to get the managed identity (user assigned) with the following:

    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
    {
        ManagedIdentityClientId = "my-managed-id-client-id"
    });

which gives me the error in app insights:

Code: generalException
Message: An error occurred sending the request.
 ManagedIdentityCredential authentication failed: Service request failed.
Status: 500 (Internal Server Error)

Content:


Headers:
Date: Wed, 14 Jun 2023 12:29:17 GMT
Server: Kestrel
Transfer-Encoding: chunked
X-CORRELATION-ID: REDACTED
Content-Type: application/json; charset=utf-8

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot Service request failed.
Status: 500 (Internal Server Error)

Content:


Headers:
Date: Wed, 14 Jun 2023 12:29:17 GMT
Server: Kestrel
Transfer-Encoding: chunked
X-CORRELATION-ID: REDACTED
Content-Type: application/json; charset=utf-8

When following the troubleshooting instruction given here https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/TROUBLESHOOTING.md#azure-app-service-and-azure-functions-managed-identity

I only receive:

curl: (7) Failed to connect to 169.254.169.254 port 80 after 1 ms: Bad access
'api-version' is not recognized as an internal or external command,
operable program or batch file.

The two environment variables MSI_ENDPOINT and MSI_SECRET seem to be set.

So I have no more ideas what to check. Has anybody experienced the same?


Solution

  • I managed to get it up and running. I'm not 100% sure what the initial error was, but here are some insights I gained:

    The curl statement posted here by Microsoft is wrong: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/TROUBLESHOOTING.md#azure-app-service-and-azure-functions-managed-identity

    In App Services, the IP 127.0.0.1 is used with an individualized port. To identify it, open the Advanced Tools on the App Service and select Environment there.

    You should be able to identify the four variables: MSI_ENDPOINT MSI_SECRET IDENTITY_ENDPOINT IDENTITY_HEADER

    The two Endpoint Variables indicate the address and port used.

    Next thing I realized (with the help of application insights) are the error codes I received on the DefaultAzureCredential() Method:

    • Error code 500: means you passed in a wrong endpoint. In my case I initially had

        new GraphServiceClient(credential, scopes: new string[] { "https://graph.microsoft.com/Mail.send" });

    This, however, caused the error, while

        new GraphServiceClient(credential, scopes: new string[] { "https://graph.microsoft.com/.default" });

    works just fine.

    • Error code 400: This means the id passed when using a user-assigned managed identity is wrong.

        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
        {
            ManagedIdentityClientId = "my-managed-id-client-id"
        });

    As at some point I had no more ideas where to look for the initial error, I started trying different parameters. So I ended up using the ObjectId instead of the ClientId here, which (luckily) did not work. Still noting it here, as it may be helpful for somebody mixing it up in the future.
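The two checks the answer describes (is the App Service identity endpoint reachable with the client id you configured, and does the SDK get a token with the `.default` scope) can be run in-process instead of with the curl statement that fails in the App Service console. This is an added example, not code from the question or answer; it assumes the IDENTITY_ENDPOINT / IDENTITY_HEADER variables named above are present and that the local token endpoint accepts the api-version, resource, client_id query parameters and X-IDENTITY-HEADER header documented by Microsoft for App Service managed identities.

```csharp
// Added diagnostic example; not part of the original question or answer.
// Assumes Azure.Identity is referenced and the code runs inside the App Service
// (the identity endpoint is only reachable from within the instance).
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ManagedIdentityCheck
{
    // Check 1: call the App Service token endpoint directly (what the
    // troubleshooting guide's curl statement intends) and report only the
    // status and whether a token came back, never the token itself.
    public static async Task<(int Status, bool HasToken)> RawTokenRequestAsync(string clientId)
    {
        var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
        var header   = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
        if (string.IsNullOrEmpty(endpoint) || string.IsNullOrEmpty(header))
            throw new InvalidOperationException(
                "IDENTITY_ENDPOINT / IDENTITY_HEADER are not set: managed identity is not enabled here.");

        // 'resource' is an audience, not a scope: no "/.default" suffix on this request.
        var url = $"{endpoint}?api-version=2019-08-01"
                + "&resource=https://graph.microsoft.com"
                + $"&client_id={Uri.EscapeDataString(clientId)}"; // user-assigned identity

        using var http = new HttpClient();
        using var req  = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Add("X-IDENTITY-HEADER", header);
        using var resp = await http.SendAsync(req);
        var body = await resp.Content.ReadAsStringAsync();

        // A 400 here is the symptom the answer links to a wrong client id;
        // a 200 with an access_token means the identity itself is fine.
        return ((int)resp.StatusCode, body.Contains("\"access_token\""));
    }

    // Check 2: the same acquisition through the SDK, using the scope shape the
    // answer found to work for Graph (".default", not a single permission).
    public static async Task<AccessToken> SdkTokenAsync(string clientId)
    {
        var credential = new ManagedIdentityCredential(clientId);
        return await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
    }
}
```

Run check 1 first: if it already returns 400, the client id (not the scope) is what to fix; if it returns a token but check 2 still fails, look at the scopes passed to the SDK.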