
[BUG] Can not get secret from KeyVault on account of failing ManagedIdentityCredential GetToken method in Gov and China clouds #34077

Closed
JacobBovee opened this issue Feb 10, 2023 · 2 comments · Fixed by #34122
Assignees
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization.

Comments

@JacobBovee (Member) commented Feb 10, 2023

Library name and version

Azure.Identity 1.8.2, Azure.Security.KeyVault.Secrets 4.4.0

Describe the bug

Hello, we are running into a scenario in the non-public clouds (reproduced in both UsGov and ChinaCloud) in which we are initializing a ManagedIdentityCredential and using the resulting credential to initialize a secret client, which we then use to obtain a secret from KeyVault. Unfortunately, our call to GetSecret results in this error:

ManagedIdentityCredential authentication failed:

The application is configured for cloud login.microsoftonline.com and the request for a different cloud - login.microsoftonline.us. This is not supported - the app and the request must target the same cloud.

See https://aka.ms/msal-net-authority-override for details
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

The application is configured for cloud login.microsoftonline.com and the request for a different cloud - login.microsoftonline.us. This is not supported - the app and the request must target the same cloud.

See https://aka.ms/msal-net-authority-override for details

We have the AuthorityHost set correctly and the managed identity is created in the correct cloud.

Through some manual testing I've found that if we initialize a DefaultAzureCredential and pass in a managed identity client id, the secrets library is able to successfully call GetToken on the DefaultAzureCredential, which in turn successfully calls ManagedIdentityCredential's GetToken method! Here is some telemetry of one of our successful calls vs. a failing call; notice that they are both, in the end, simply calling ManagedIdentityCredential's GetToken method.

09fc7a70-8c76-464f-ac36-54eb3bb2f1bf
e493137a-8a8d-4197-bdf3-d0022e4ced58

Thanks for taking a look, really appreciate any insight on this.

Expected behavior

In public cloud we are simply able to call GetSecret and the key vault returns our secret.

Actual behavior

As mentioned above, in non-public clouds we are unable to access Key Vault.

Reproduction Steps

I've managed to reproduce it with just this:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Failing case: a ManagedIdentityCredential pointed at the Azure Government authority host.
ManagedIdentityCredential credential = new ManagedIdentityCredential("<client-id>", new TokenCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzureGovernment
});
var client = new SecretClient(new Uri("<vault-uri>"), credential);
var secret = await client.GetSecretAsync("<secret-name>"); // throws AuthenticationFailedException as shown above

And here is the code that runs successfully after using a DefaultAzureCredential:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Working case: DefaultAzureCredential with the same managed identity client id and authority host.
DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = "<client-id>",
    AuthorityHost = AzureAuthorityHosts.AzureGovernment,
});
var client = new SecretClient(new Uri("<vault-uri>"), credential);
var secret = await client.GetSecretAsync("<secret-name>");

Environment

Seen on both Azure App Service and Azure Service Fabric, both running Windows Server.
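The following is an added example, not code from the reporter or from the Azure SDK. It wraps the workaround described above (DefaultAzureCredential with ManagedIdentityClientId and the cloud's AuthorityHost) in a helper that first checks that the vault URI actually belongs to the cloud the AuthorityHost selects, so a cloud mismatch surfaces as a configuration error before any token request is made. The authority-host-to-vault-suffix table is an assumption of this example and covers only the public, US Government and China clouds; the helper names (SovereignCloudSecrets, VaultMatchesAuthority, CreateCredential, GetSecretValueAsync) are hypothetical.

```csharp
// Added example (not from the issue or the Azure SDK): build a sovereign-cloud
// credential and fail fast when the vault URI and the AuthorityHost disagree.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class SovereignCloudSecrets
{
    // Assumed mapping of authority host -> Key Vault DNS suffix for that cloud.
    private static readonly Dictionary<Uri, string> VaultSuffixByAuthority = new()
    {
        [AzureAuthorityHosts.AzurePublicCloud] = ".vault.azure.net",
        [AzureAuthorityHosts.AzureGovernment]  = ".vault.usgovcloudapi.net",
        [AzureAuthorityHosts.AzureChina]       = ".vault.azure.cn",
    };

    // True when the vault's DNS suffix belongs to the cloud identified by authorityHost.
    // An unknown authority host is treated as a configuration error rather than a match.
    public static bool VaultMatchesAuthority(Uri vaultUri, Uri authorityHost)
    {
        if (!VaultSuffixByAuthority.TryGetValue(authorityHost, out var suffix))
            throw new ArgumentException($"Unknown authority host: {authorityHost}", nameof(authorityHost));
        return vaultUri.Host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase);
    }

    // The workaround from the issue: DefaultAzureCredential carrying both the
    // managed identity client id and the cloud's AuthorityHost.
    public static TokenCredential CreateCredential(string managedIdentityClientId, Uri authorityHost)
    {
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = managedIdentityClientId,
            AuthorityHost = authorityHost,
        });
    }

    // Reads one secret, refusing to proceed if the vault and authority host target different clouds.
    public static async Task<string> GetSecretValueAsync(
        Uri vaultUri, string secretName, string managedIdentityClientId, Uri authorityHost)
    {
        if (!VaultMatchesAuthority(vaultUri, authorityHost))
            throw new InvalidOperationException(
                $"Vault {vaultUri.Host} is not served by authority {authorityHost.Host}; " +
                "the app and the request must target the same cloud.");

        var client = new SecretClient(vaultUri, CreateCredential(managedIdentityClientId, authorityHost));
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // Surface which cloud pairing failed; the SDK message already links the troubleshooting guide.
            throw new InvalidOperationException(
                $"Token acquisition failed for vault {vaultUri.Host} via {authorityHost.Host}.", ex);
        }
    }
}
```

Usage is a single call such as `await SovereignCloudSecrets.GetSecretValueAsync(new Uri("<vault-uri>"), "<secret-name>", "<client-id>", AzureAuthorityHosts.AzureGovernment)`. The suffix check is a sanity check on deployment configuration only; it does not change how the credential itself resolves its authority, so the underlying ManagedIdentityCredential issue still needs the library fix referenced in this thread.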

@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 10, 2023
@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Azure.Identity and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Feb 10, 2023
@jsquire (Member) commented Feb 10, 2023

//cc: @schaabs

@jsquire (Member) commented Feb 10, 2023

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@christothes christothes removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Feb 15, 2023
@github-actions github-actions bot locked and limited conversation to collaborators May 16, 2023