Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available #39548

Open
SwatiBaffle opened this issue Apr 4, 2024 · 8 comments
Open

Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available #39548

SwatiBaffle opened this issue Apr 4, 2024 · 8 comments
Assignees
@g2vinay
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
2025-03

Comments

@SwatiBaffle
Copy link

SwatiBaffle commented Apr 4, 2024
edited
Loading

a) Set up postgres database with managed identity
b) add this managedIdentity in database
psql "host= dbname=postgres user= password=$PGPASSWORD" -c "select * from pgaadauth_create_principal_with_oid(,, 'service', false, false);"

b) Create app which will create JDBC connectivity using postgres db(enabled workload identity)
c) Deploy this app using K8 env and verify the flow with JDBC connection
k8 already using azure.workload.identity/use: "true"
as well as for Service account - azure.workload.identity/client-id:

There are two issue which is faced during this setup

  1. token generation for password of database is using below code snippet
    TokenCredential managedIdentityCredential = (new ManagedIdentityCredentialBuilder()).clientId(clientId).build();
    String accessToken = ((AccessToken)managedIdentityCredential.getToken((new TokenRequestContext()).addScopes(new String[]{"https://ossrdbms-aad.database.windows.net/.default"})).block()).getToken();

which error out as below
ERROR ManagedIdentityCredential:553 - Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available.

  1. Second thing with SSL mode, jks file has info about SSL certificate used by postgres db
    error out as below
    org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints

Looking for reference doc and step here
create postgres database with workload identity
create JDBC app to connect with postgres database
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 4, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 4, 2024

@billwert @g2vinay

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 4, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@mschmidt291
Copy link

mschmidt291 commented Apr 5, 2024
edited
Loading

We also have the same problem. It seems like the azure-identity-extensions for Java used for authenticating is not supporting Workload Identity. I also opened a issue yesterday

The auth flow for azure-identity usually looks like: Environment -> Workload Identity -> managed Identity -> ... rest of methods. For the azure-identity-extensions the Workload Identity step is completely missing from the flow, thus it is still required to use Managed Identity which is deprecated

fyi: #39540

@billwert
Copy link
Contributor

billwert commented Apr 5, 2024

Hello @SwatiBaffle

We'll take a look at this and get back to you soon.

@SwatiBaffle
Copy link
Author

Any Update here

@yashpalslathia21
Copy link

Any update on this issue? I am also facing same issue..I am using using azure-identity library with version 1.12.0.
I have followed all the steps to enabled workload-identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster.
Following is the snippet of code I am using -

DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6").build();

        AccessToken accessToken = managedIdentityCredentialUserAssigned
                .getToken(new TokenRequestContext().setTenantId(tenantId)).block();
        String token = accessToken.getToken();
        logger.info("token : {}", token);

Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is clientId corresponding to the managed Identity.
managedIdentityCredentialUserAssigned.getToken() is throwing following error -

[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.

Is this a defect in Azure SDK for java as discussed above?

@g2vinay
Copy link
Member

g2vinay commented Jul 29, 2024

Use the WorkloadIdentityCredential to target WorkloadIdentity directly.

TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

If the issue persists,
checn and respond with the env vars available in the cluster to verify workload identity is available.

@g2vinay g2vinay added this to the 2024-09 milestone Jul 29, 2024
@g2vinay g2vinay moved this from Untriaged to In Progress in Azure Identity SDK Improvements Jul 29, 2024
@SwatiBaffle
Copy link
Author

Use the WorkloadIdentityCredential to target WorkloadIdentity directly.

TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

If the issue persists, checn and respond with the env vars available in the cluster to verify workload identity is available.

Please share some snippet of code which show how jdbc client with workload identity works with workload identity.
How Token request get generated further this line
TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();

That's will be helpful

@g2vinay g2vinay modified the milestones: 2024-09, 2024-10 Sep 16, 2024
@joshfree joshfree modified the milestones: 2024-10, 2024-11 Sep 23, 2024
@g2vinay g2vinay modified the milestones: 2024-11, 2025-02 Jan 6, 2025
@g2vinay g2vinay modified the milestones: 2025-02, 2025-03 Jan 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@g2vinay g2vinay

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
Azure Identity SDK Improvements
Status: In Progress
Milestone
2025-03
Development

No branches or pull requests
6 participants
@joshfree @billwert @g2vinay @mschmidt291 @SwatiBaffle @yashpalslathia21