Error retrieving MSI token from Function App #4631

Closed
piquet-h opened this issue Aug 2, 2019 · 13 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library.


@piquet-h

piquet-h commented Aug 2, 2019

  • @Azure/identity:
  • 1.0.0.0-preview:
  • Azure Functions - Windows:

Describe the bug
Error parsing the date/token returned from a Managed Identity installed on an Azure Function app running on a consumption plan.

To Reproduce

  1. Create a Windows Function App, on a consumption plan
  2. Create a managed identity
  3. Create a Key Vault with a secret
  4. Using nodejs

    const credential = new DefaultAzureCredential();
    client = new SecretsClient(vaultUri, credential);
    let secret = client.getSecret('secret');

Expected behavior
Should return the secret. It doesn't. It throws an error.

Additional context

2019-08-01T23:49:03.468 [Information] TypeError: Cannot read property '3' of null
2019-08-01T23:49:03.469 [Information] at expiresInParser (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:289:47)
2019-08-01T23:49:03.469 [Information] at IdentityClient.<anonymous> (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:142:41)
2019-08-01T23:49:03.469 [Information] at Generator.next (<anonymous>)
2019-08-01T23:49:03.469 [Information] at fulfilled (D:\home\site\wwwroot\node_modules\tslib\tslib.js:107:62)
2019-08-01T23:49:03.469 [Information] at process._tickCallback (internal/process/next_tick.js:68:7
2019-08-01T23:49:03.470 [Information] undefined

Looking at the code, it appears that the date parsing isn't working. Initially this was in the identityClient code (where the error originally manifested); however, it appears to have now been refactored here (currently):
https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/src/credentials/managedIdentityCredential.ts

Specifically, these lines

    // Detect which type of environment we are running in
    if (process.env.MSI_ENDPOINT) {
      if (process.env.MSI_SECRET) {
        // Running in App Service
        authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId);
        expiresInParser = (requestBody: any) => {
          // Parse a date format like "06/20/2019 02:57:58 +00:00" and
          // convert it into a JavaScript-formatted date
          const m = requestBody.expires_on.match(/(\d\d)\/(\d\d)\/(\d\d\d\d) (\d\d):(\d\d):(\d\d) (\+|-)(\d\d):(\d\d)/)
          return Date.parse(`${m[3]}-${m[1]}-${m[2]}T${m[4]}:${m[5]}:${m[6]}${m[7]}${m[8]}:${m[9]}`)
        };
@ssyrell

ssyrell commented Aug 16, 2019

It seems like the issue is that the regex is not taking AM/PM into account. Looking at the Managed Identities Overview documentation, the date format is:

"09/14/2017 00:00:00 PM +00:00"
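The failure discussed in this thread, handled defensively, as an added example that is not part of the original issue and not the SDK's own fix. `parseExpiresOn` and `isTokenFresh` are hypothetical names, and the example goes beyond the two formats quoted above by also accepting epoch seconds, which is an assumption. It reports an unrecognized `expires_on` explicitly and treats such a token as stale rather than crashing on a null match.

```javascript
// Added example, not the SDK's code. parseExpiresOn and isTokenFresh are hypothetical names.
// Accepts "MM/DD/YYYY HH:mm:ss +00:00", the same with an AM/PM marker, and
// epoch seconds (an assumed extra input kind that is not shown in the thread).
const SLASH_DATE =
  /^(\d{1,2})\/(\d{1,2})\/(\d{4}) (\d{1,2}):(\d{2}):(\d{2})(?: (AM|PM))? ([+-])(\d{2}):(\d{2})$/i;

function parseExpiresOn(value) {
  const text = String(value).trim();
  if (/^\d+$/.test(text)) return Number(text) * 1000; // epoch seconds -> ms

  const m = SLASH_DATE.exec(text);
  if (m === null) {
    // Explicit failure instead of "Cannot read property '3' of null".
    throw new Error(`Unrecognized expires_on value: ${JSON.stringify(value)}`);
  }
  const [month, day, year, rawHour, minute, second] = m.slice(1, 7).map(Number);
  const meridiem = m[7] ? m[7].toUpperCase() : null;
  let hour = rawHour;
  if (meridiem) {
    if (hour > 12) throw new Error(`Hour ${hour} conflicts with ${meridiem}`);
    // 12-hour clock: 12 AM is 00, 12 PM is 12. "00" with a marker (as in the
    // documentation sample quoted above) is treated like 12, an assumption.
    hour = (hour % 12) + (meridiem === "PM" ? 12 : 0);
  }
  if (month < 1 || month > 12 || day < 1 || day > 31 ||
      hour > 23 || minute > 59 || second > 59) {
    throw new Error(`Out-of-range field in expires_on: ${text}`);
  }
  const offsetMinutes = (m[8] === "-" ? -1 : 1) * (Number(m[9]) * 60 + Number(m[10]));
  // Date.UTC reads the fields as UTC; subtract the offset to get the real instant.
  return Date.UTC(year, month - 1, day, hour, minute, second) - offsetMinutes * 60000;
}

// Fail closed: a token whose expiry cannot be parsed is treated as stale,
// so the caller requests a new one instead of crashing or caching it forever.
function isTokenFresh(tokenBody, nowMs = Date.now(), skewMs = 5 * 60 * 1000) {
  try {
    return parseExpiresOn(tokenBody.expires_on) - skewMs > nowMs;
  } catch (err) {
    return false;
  }
}
```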

@saikrishnav

Is there any workaround as of now for this?

@kayone

kayone commented Aug 26, 2019

We've switched to using https://azure.github.io/azure-sdk-for-js/identity/classes/environmentcredential.html for now until this gets fixed.

@saikrishnav

@kayone - Unfortunately, this wouldn't work for me since I am working in an Azure Function. My Azure Function's identity has access to a keyvault, which is why I wanted to use this. If I have to store one secret to access another, what's the point?

@kayone

kayone commented Aug 27, 2019

@saikrishnav we are using a function as well. We use this as a fallback rather than a workaround. This way, once it gets fixed, we don't have to change all the code for getting secrets out; we just switch the auth provider and remove the environment variables.

@saikrishnav

@kayone - I understand your point. Just trying to see if it's possible to fix this directly.

@ssyrell

ssyrell commented Aug 29, 2019

@saikrishnav We've gotten around this by referencing keyvault secrets at deployment time. In my ARM template, I'm pulling secrets from keyvault and just setting them as environment variables. Doing this means we don't need this library at all. Documentation can be found here:

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

@sophiajt
Contributor

We recently landed a fix that should help with this case (#5144), which should allow more date formats to be accepted.

This fix will be part of the next release.

@daviwil
Contributor

daviwil commented Sep 30, 2019

Hey folks, has anyone had a chance to verify whether @jonathandturner's fix worked when using this credential in a Function App? Thanks!

@ahmedspiir

ahmedspiir commented Oct 1, 2019

@daviwil
I have the same problem here. I use ManagedIdentityCredential in an Azure Function (TypeScript).

Result: Failure
Exception: TypeError: Cannot read property '3' of null
Stack: TypeError: Cannot read property '3' of null
    at expiresInParser (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:457:47)
    at IdentityClient.<anonymous> (D:\home\site\wwwroot\node_modules\@azure\identity\dist\index.js:151:45)
    at Generator.next (<anonymous>)
    at fulfilled (D:\home\site\wwwroot\node_modules\tslib\tslib.js:107:62)
    at process._tickCallback (internal/process/next_tick.js:68:7)

@daviwil
Contributor

daviwil commented Oct 1, 2019

@ahmedspiir Have you updated to version 1.0.0-preview.3? This issue should be resolved in that version.

@daviwil
Contributor

daviwil commented Oct 1, 2019

My apologies, this was fixed after 1.0.0-preview.3 and will be included in the upcoming release.

@daviwil
Contributor

daviwil commented Oct 14, 2019

Hi all, the fix for this issue is included in 1.0.0-preview.5, released last week. Please give it a try and let us know if you run into any further issues!

Closing this issue in the meantime, but I'll be happy to reopen it should anyone reproduce the issue after installing the aforementioned update.
