[BUG] Handling all errors instead of just 403 in ManagedIdentitySource causes unexpected regression error #46709

Closed
nikolaia opened this issue Oct 18, 2024 · 11 comments · Fixed by #46711

@nikolaia

Library name and version

Azure.Identity 1.13.0

Describe the bug

When updating from 1.12.1 to 1.13.0, I get a regression error with AzureDefaultCredential usage (in a .NET app) inside GitHub Actions using Federated Credentials for a UAI to migrate my database.

I'm relying on the AzureCliCredentials inside my action, but the following change seems to stop the credential chain because the GitHub action has an endpoint that responds with Bad Request: https://github.com/Azure/azure-sdk-for-net/pull/45236/files#diff-72571e3cca761ecd73c5855b39621f8883c8ee115319a0ecbb629deb5b8c0513L85

Expected behavior

DefaultAzureCredentials() is not able to get a managed identity and proceeds through the default chain to AzureCliCredential

With 1.12.1 I get:

Build started...
Build succeeded.
No migrations were applied. The database is already up to date.
Done.

Actual behavior

The IMDS endpoint responds with 400 Bad Request and stops the chain.

With 1.13.0 I get:

Build started...
Build succeeded.
Npgsql.NpgsqlException (0x80004005): An exception was thrown from the periodic password provider
 ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: a366dbbd-5d47-405d-b636-dc4d8bca40d5
Date: Fri, 18 Oct 2024 14:21:55 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.65.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: a366dbbd-5d47-405d-b636-dc4d8bca40d5
Date: Fri, 18 Oct 2024 14:21:55 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Infrastructure.DatabaseContext.<>c__DisplayClass6_0.<<OnConfiguring>b__1>d.MoveNext() in /home/runner/work/someproject/api/src/Infrastructure/DatabaseContext.cs:line 34
--- End of stack trace from previous location ---
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.<GetPassword>g__GetInitialPeriodicPassword|83_0(Boolean async)
   at Npgsql.NpgsqlConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlRelationalConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists(Boolean async, CancellationToken cancellationToken)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.GetAppliedMigrations()
   at Npgsql.EntityFrameworkCore.PostgreSQL.Migrations.Internal.NpgsqlMigrator.Migrate(String targetMigration)
   at Microsoft.EntityFrameworkCore.Design.Internal.MigrationsOperations.UpdateDatabase(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabaseImpl(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabase.<>c__DisplayClass0_0.<.ctor>b__0()
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.OperationBase.Execute(Action action)
An exception was thrown from the periodic password provider
Error: Process completed with exit code 1.

Reproduction Steps

This is the code I use with Npgsql inside my DbContext to get a token:

TokenCredential tokenCredential = string.IsNullOrEmpty(config.Value.UserAssignedManagedIdentityClientId)
    ? new DefaultAzureCredential()
    : new ManagedIdentityCredential(config.Value.UserAssignedManagedIdentityClientId);

var accessToken = await tokenCredential.GetTokenAsync(
    new TokenRequestContext(["https://ossrdbms-aad.database.windows.net/.default"]),
    cancellationToken
);

return accessToken.Token;

The config value is set in my Container App, but in the GitHub action it logs in with a separate UAI (with Federated Credentials set up) that can do migrations on the database:

  - name: Azure login
    uses: azure/login@v2
    with:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

Environment

This is inside a GitHub Action:

  deploy_api:
    name: deploy-api
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    needs: build_and_test
    env:
      DATABASE_SERVER: xxxxxxxx
      DATABASE_NAME: xxxxxxxx
      DATABASE_USER_ID: xxxxxxxxxxx
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET Core
        uses: actions/setup-dotnet@v3
        with:
          global-json-file: ./api/global.json

      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Install EF tools
        working-directory: api
        run: dotnet tool install --global dotnet-ef

      - name: Get access token and run database migrations
        working-directory: api
        env:
          InfrastructureConfig__ConnectionString: Host=${{env.DATABASE_SERVER}};Database=${{env.DATABASE_NAME}};Username=${{env.DATABASE_USER_ID}};Ssl Mode=Require
        run: |
          echo "connectionString=$InfrastructureConfig__ConnectionString"
          dotnet ef database update --project src/Infrastructure/ --startup-project src/Api
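
Added example, not part of the original post and not Azure.Identity source: a minimal offline program showing why the exception type chosen for the IMDS 400 "Identity not found" response decides whether a credential chain falls through to the next source or stops, which is the distinction the report describes for DefaultAzureCredential. `StubImdsCredential` and `StubCliCredential` are hypothetical stand-ins that make no network calls, and `ChainedTokenCredential` is used because it accepts custom sources and skips a source only when it throws `CredentialUnavailableException`.

```csharp
// Added illustration; requires the Azure.Identity NuGet package.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical stand-in for the managed identity probe. It only chooses which
// exception type represents the IMDS 400 response quoted in the issue.
sealed class StubImdsCredential : TokenCredential
{
    // Response body copied from the log output in the issue.
    private const string Body =
        "{\"error\":\"invalid_request\",\"error_description\":\"Identity not found\"}";

    private readonly bool _reportAsUnavailable;

    public StubImdsCredential(bool reportAsUnavailable) =>
        _reportAsUnavailable = reportAsUnavailable;

    public override AccessToken GetToken(
        TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        string message = "IMDS responded 400 BadRequest: " + Body;
        if (_reportAsUnavailable)
        {
            // "This source cannot be used here": the chain moves to the next credential.
            throw new CredentialUnavailableException(message);
        }
        // "This source was attempted and failed": the chain stops and surfaces the error.
        throw new AuthenticationFailedException(message);
    }

    public override ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
}

// Hypothetical stand-in for the next credential in the chain (AzureCliCredential
// in the issue). The token value is constructed for this example.
sealed class StubCliCredential : TokenCredential
{
    public override AccessToken GetToken(
        TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        new AccessToken("constructed-cli-token", DateTimeOffset.UtcNow.AddMinutes(5));

    public override ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        new ValueTask<AccessToken>(GetToken(requestContext, cancellationToken));
}

static class Program
{
    // Runs the two-source chain and reports which branch was taken.
    static async Task<string> ResolveAsync(bool reportAsUnavailable)
    {
        var chain = new ChainedTokenCredential(
            new StubImdsCredential(reportAsUnavailable),
            new StubCliCredential());

        // Scope taken from the reproduction code in the issue.
        var context = new TokenRequestContext(
            new[] { "https://ossrdbms-aad.database.windows.net/.default" });

        try
        {
            AccessToken token = await chain.GetTokenAsync(context, CancellationToken.None);
            return "fell through to next credential: " + token.Token;
        }
        catch (AuthenticationFailedException ex)
        {
            // The fallback credential was never consulted.
            return "chain stopped: " + ex.GetType().Name;
        }
    }

    static async Task Main()
    {
        // 400 classified as "unavailable": the fallback credential supplies the token.
        Console.WriteLine(await ResolveAsync(reportAsUnavailable: true));
        // 400 classified as "failed": the chain ends before the fallback is tried.
        Console.WriteLine(await ResolveAsync(reportAsUnavailable: false));
    }
}
```

The same test harness is useful as a regression check when upgrading identity libraries in a pipeline: it makes any change in fall-through behaviour visible without needing a runner that exposes IMDS.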
@github-actions bot added the Azure.Identity, Client, customer-reported, needs-team-attention and question labels Oct 18, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@neilduncan

I've hit the same issue. I updated my code to use Azure.Identity 1.13.0, and am seeing the same error message in my logs.

In my case, I'm running an AzurePowerShell@5 step as part of a non-yaml DevOps release pipeline.

2024-10-21T11:19:35.2383128Z ##[error]Unhandled exception. Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: d11f61d9-6399-4609-a78e-87b5bba441aa
Date: Mon, 21 Oct 2024 11:19:24 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.65.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: d11f61d9-6399-4609-a78e-87b5bba441aa
Date: Mon, 21 Oct 2024 11:19:24 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.DefaultAzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContext context, TaskCompletionSource`1 targetTcs, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Boolean async, Boolean checkForCompletion, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallenge(HttpMessage message)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.GetPage[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.Secrets.SecretClient.<>c__DisplayClass15_0.<GetPropertiesOfSecrets>b__0(String nextLink)
   at Azure.Core.PageResponseEnumerator.<>c__DisplayClass0_0`1.<CreateEnumerable>b__0(String continuationToken, Nullable`1 pageSizeHint)
   at Azure.Core.PageResponseEnumerator.FuncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+MoveNext()
   at Azure.Pageable`1.GetEnumerator()+MoveNext()
   at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Microsoft.Extensions.Hosting.HostBuilder.InitializeAppConfiguration()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at Program.<<Main>$>g__Run|0_4(Action`1 configureAppConfiguration, Func`2 getConnectionString) in D:\a\1\s\GC.Azure.Api.Visits.DbUp\Program.cs:line 29
   at Program.<<Main>$>g__RunWithKeyVault|0_6(KeyVaultOptions keyVaultOptions) in D:\a\1\s\GC.Azure.Api.Visits.DbUp\Program.cs:line 53
   at Program.<>c.<<<Main>$>b__0_2>d.MoveNext() in D:\a\1\s\GC.Azure.Api.Visits.DbUp\Program.cs:line 16
--- End of stack trace from previous location ---
   at Program.<Main>$(String[] args) in D:\a\1\s\GC.Azure.Api.Visits.DbUp\Program.cs:line 13
   at Program.<Main>(String[] args)

@christothes
Member

Hi @nikolaia - would you be willing to validate that this version dev build from our public dev NuGet feed of Azure.Identity resolves the {"error":"invalid_request","error_description":"Identity not found"} issue?

dev build package link

@nikolaia
Author

nikolaia commented Oct 23, 2024

@christothes: I've tested with 1.14.0-alpha.20241022.1 and seem to hit the same issue:

Run dotnet nuget add source --name azure-sdk-for-net "https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json"
Package source with Name: azure-sdk-for-net added successfully.
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>
    <ItemGroup>
        <PackageReference Include="Azure.Identity" Version="1.14.0-alpha.20241022.1" />
        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.10" />
        <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0"/>
        <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
        <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0"/>
        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.10" />
    </ItemGroup>
    <ItemGroup>
        <ProjectReference Include="..\Application\Application.csproj"/>
    </ItemGroup>
    <ItemGroup>
      <Folder Include="Migrations\" />
    </ItemGroup>
</Project>
Build started...
Build succeeded.
Npgsql.NpgsqlException (0x80004005): An exception was thrown from the periodic password provider
 ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: ea30c8a2-8827-43bc-8a17-ce15219e2862
Date: Wed, 23 Oct 2024 06:37:09 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.65.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: ea30c8a2-8827-43bc-8a17-ce15219e2862
Date: Wed, 23 Oct 2024 06:37:09 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Infrastructure.DependencyInjection.<>c__DisplayClass0_0.<<AddInfrastructure>b__2>d.MoveNext() in /home/runner/work/xxx/api/src/Infrastructure/DependencyInjection.cs:line 37
--- End of stack trace from previous location ---
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.<GetPassword>g__GetInitialPeriodicPassword|83_0(Boolean async)
   at Npgsql.NpgsqlConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlRelationalConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists(Boolean async, CancellationToken cancellationToken)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.GetAppliedMigrations()
   at Npgsql.EntityFrameworkCore.PostgreSQL.Migrations.Internal.NpgsqlMigrator.Migrate(String targetMigration)
   at Microsoft.EntityFrameworkCore.Design.Internal.MigrationsOperations.UpdateDatabase(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabaseImpl(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabase.<>c__DisplayClass0_0.<.ctor>b__0()
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.OperationBase.Execute(Action action)
An exception was thrown from the periodic password provider

Downgrading to 1.12.1 without any other change solves it:

Run dotnet nuget add source --name azure-sdk-for-net "https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json"
Package source with Name: azure-sdk-for-net added successfully.
<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>

    <ItemGroup>
        <PackageReference Include="Azure.Identity" Version="1.12.1" />
        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.10" />
        <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0"/>
        <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
        <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0"/>
        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.10" />
    </ItemGroup>

    <ItemGroup>
        <ProjectReference Include="..\Application\Application.csproj"/>
    </ItemGroup>

    <ItemGroup>
      <Folder Include="Migrations\" />
    </ItemGroup>

</Project>
Build started...
Build succeeded.
...
{"Timestamp":"2024-10-23T06:46:40.7289720+00:00","Level":"Information","Message":"No migrations were applied. The database is already up to date.","EventId":{"Id":20405,"Name":"Microsoft.EntityFrameworkCore.Migrations.MigrationsNotApplied"},"SourceContext":"Microsoft.EntityFrameworkCore.Migrations"}
Done.

@christothes
Member

Thanks @nikolaia - I'd like to confirm what the response looks like from the request to the IMDS endpoint, because the updated code should be handling responses like {"error":"invalid_request","error_description":"Identity not found"}.

Would you mind providing the logging output (with any secrets redacted) after reproducing this with logging enabled?

@christothes christothes reopened this Oct 23, 2024
@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Oct 23, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Oct 23, 2024

Hi @nikolaia. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@nikolaia
Author

@christothes

Run dotnet nuget add source --name azure-sdk-for-net "https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json"
  
Package source with Name: azure-sdk-for-net added successfully.
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>
    <ItemGroup>
        <PackageReference Include="Azure.Identity" Version="1.14.0-alpha.20241022.1" />
        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.10" />
        <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0"/>
        <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
        <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0"/>
        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.10" />
    </ItemGroup>
    <ItemGroup>
        <ProjectReference Include="..\Application\Application.csproj"/>
    </ItemGroup>
    <ItemGroup>
      <Folder Include="Migrations\" />
    </ItemGroup>
</Project>
Build started...
Build succeeded.
[Informational] Azure-Identity: DefaultAzureCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: EnvironmentCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: ManagedIdentitySource TokenExchangeManagedIdentitySource was attempted. IsSelected=False.
[Informational] Azure-Core: Request [73cb7a3b-9581-447d-882a-75c202664557] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
x-ms-client-request-id:73cb7a3b-9581-447d-882a-75c202664557
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.14.0-alpha.20241022.1 (.NET 8.0.10; Ubuntu 22.04.5 LTS)
client assembly: Azure.Identity
Warning:  Azure-Core: Error response [73cb7a3b-9581-447d-882a-75c202664557] 400 Bad Request (00.1s)
Server:IMDS/150.870.65.1475
x-ms-request-id:b4bfdb03-c975-4277-95ff-725726a322fd
Date:Wed, 23 Oct 2024 20:50:18 GMT
Content-Type:application/json; charset=utf-8
Content-Length:88
[Informational] Azure-Core: Error response [73cb7a3b-9581-447d-882a-75c202664557] content: {"error":"invalid_request","error_description":"Required metadata header not specified"}
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] MSAL MSAL.NetCore with assembly version '4.65.0.0'. CorrelationId(74a75c12-341d-4994-adaa-aef00a87bef7)
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] === AcquireTokenForManagedIdentityParameters ===
ForceRefresh: False
Resource: https://ossrdbms-aad.database.windows.net/
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] 
=== Request Data ===
Authority Provided? - True
Scopes - https://ossrdbms-aad.database.windows.net/
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenForSystemAssignedManagedIdentity
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 74a75c12-341d-4994-adaa-aef00a87bef7
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] === Token Acquisition (ManagedIdentityAuthRequest) started:
	 Scopes: https://ossrdbms-aad.database.windows.net/
	Authority Host: login.microsoftonline.com
[LogAlways] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Internal cache] Total number of cache partitions found while getting access tokens: 0
[LogAlways] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [ManagedIdentityRequest] No cached access token. Getting a token from the managed identity endpoint.
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [ManagedIdentityRequest] Checking for a cached access token.
[LogAlways] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Internal cache] Total number of cache partitions found while getting access tokens: 0
[LogAlways] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [ManagedIdentityRequest] Acquiring a token from the managed identity endpoint.
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Region discovery] Not using a regional authority. 
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Instance Discovery] Skipping Instance discovery because it is disabled. 
Warning:  Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Managed Identity] Azure Arc managed identity cannot be configured on a platform other than Windows and Linux.
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Managed Identity] Defaulting to IMDS endpoint for managed identity.
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] [Managed Identity] Sending request to managed identity endpoints.
[Informational] Azure-Core: Request [9a89089a-ee27-4c46-a59b-78f4cefd88cd] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
Metadata:REDACTED
x-ms-client-request-id:9a89089a-ee27-4c46-a59b-78f4cefd88cd
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.14.0-alpha.20241022.1 (.NET 8.0.10; Ubuntu 22.04.5 LTS)
client assembly: Azure.Identity
Warning:  Azure-Core: Error response [9a89089a-ee27-4c46-a59b-78f4cefd88cd] 400 Bad Request (00.0s)
Server:IMDS/150.870.65.1475
x-ms-request-id:c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date:Wed, 23 Oct 2024 20:50:18 GMT
Content-Type:application/json; charset=utf-8
Content-Length:68
[Informational] Azure-Core: Error response [9a89089a-ee27-4c46-a59b-78f4cefd88cd] content: {"error":"invalid_request","error_description":"Identity not found"}
[Informational] Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] Response status code does not indicate success: 400 (BadRequest). 
Warning:  Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] Request retry failed.
Error:  Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:18Z - 74a75c12-341d-4994-adaa-aef00a87bef7] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
Error:  Azure-Identity: False MSAL 4.65.0.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-23 20:50:19Z - 74a75c12-341d-4994-adaa-aef00a87bef7] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: managed_identity_request_failed
HTTP StatusCode 0
CorrelationId 74a75c12-341d-4994-adaa-aef00a87bef7
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
[Informational] Azure-Identity: DefaultAzureCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
Npgsql.NpgsqlException (0x80004005): An exception was thrown from the periodic password provider
 ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.65.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: c36319fd-6729-4d73-86b7-f3a63b38f2f8
Date: Wed, 23 Oct 2024 20:50:18 GMT
[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Infrastructure.DependencyInjection.<>c__DisplayClass0_0.<<AddInfrastructure>b__2>d.MoveNext() in /home/runner/work/xxx/api/src/Infrastructure/DependencyInjection.cs:line 47
--- End of stack trace from previous location ---
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.RefreshPassword()
   at Npgsql.NpgsqlDataSource.<GetPassword>g__GetInitialPeriodicPassword|83_0(Boolean async)
   at Npgsql.NpgsqlConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlRelationalConnection.CloneWith(String connectionString)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists(Boolean async, CancellationToken cancellationToken)
   at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlDatabaseCreator.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.Exists()
   at Microsoft.EntityFrameworkCore.Migrations.HistoryRepository.GetAppliedMigrations()
   at Npgsql.EntityFrameworkCore.PostgreSQL.Migrations.Internal.NpgsqlMigrator.Migrate(String targetMigration)
   at Microsoft.EntityFrameworkCore.Design.Internal.MigrationsOperations.UpdateDatabase(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabaseImpl(String targetMigration, String connectionString, String contextType)
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.UpdateDatabase.<>c__DisplayClass0_0.<.ctor>b__0()
   at Microsoft.EntityFrameworkCore.Design.OperationExecutor.OperationBase.Execute(Action action)
An exception was thrown from the periodic password provider
Error: Process completed with exit code 1.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Oct 23, 2024
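The log above can be triaged mechanically. The following is an added example, not part of the thread or of the Azure SDK: it reads Azure-Identity and Azure-Core event lines in the format shown here and reports which credential ended the `DefaultAzureCredential` chain, relying on the library's documented behaviour that only `CredentialUnavailableException` lets the chain move on. The function name `triage`, the report keys and the sample log (constructed, with shortened messages and placeholder request ids) are assumptions of the example.

```python
import json
import re

# Constructed sample modelled on the event lines in this thread; request ids
# are placeholders and the long exception messages are shortened.
SAMPLE_LOG = """\
[Informational] Azure-Identity: DefaultAzureCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:
[Informational] Azure-Identity: EnvironmentCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:
[Informational] Azure-Identity: EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable.
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable.
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:
[Informational] Azure-Core: Error response [00000000-0000-0000-0000-000000000001] content: {"error":"invalid_request","error_description":"Required metadata header not specified"}
[Informational] Azure-Core: Error response [00000000-0000-0000-0000-000000000002] content: {"error":"invalid_request","error_description":"Identity not found"}
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable.
[Informational] Azure-Identity: DefaultAzureCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable.
"""

# "<Credential>.GetToken invoked" / "... was unable to retrieve an access token"
GETTOKEN = re.compile(
    r"Azure-Identity: (?P<cred>\w+)\.GetToken "
    r"(?P<event>invoked|was unable to retrieve an access token)"
)
# Exception type reported on the same line as the failure event.
EXC_TYPE = re.compile(r"Exception: Azure\.Identity\.(?P<exc>\w+)")
# JSON body of an error response logged by Azure-Core (the IMDS replies here).
IMDS_BODY = re.compile(
    r"Azure-Core: Error response \[[^\]]+\] content: (?P<body>\{.*\})"
)

CHAIN = "DefaultAzureCredential"
UNAVAILABLE = "CredentialUnavailableException"


def triage(log_text):
    """Summarise one DefaultAzureCredential attempt from its event log."""
    outcomes = {}      # credential -> exception short name, in invocation order
    imds_errors = []   # error_description of each logged error body
    for line in log_text.splitlines():
        body = IMDS_BODY.search(line)
        if body:
            try:
                imds_errors.append(
                    json.loads(body.group("body")).get("error_description"))
            except json.JSONDecodeError:
                imds_errors.append(None)   # truncated or redacted body
            continue
        m = GETTOKEN.search(line)
        if not m or m.group("cred") == CHAIN:
            continue                       # the chain's own lines only repeat the cause
        cred = m.group("cred")
        outcomes.setdefault(cred, None)
        if m.group("event") != "invoked":
            exc = EXC_TYPE.search(line)
            outcomes[cred] = exc.group("exc") if exc else "unknown"

    # Any failure other than CredentialUnavailableException ends the chain,
    # so credentials listed after it are never tried.
    stopper = next(
        ((c, e) for c, e in outcomes.items() if e not in (None, UNAVAILABLE)),
        None,
    )
    return {
        "attempted": list(outcomes),
        "stopped_by": stopper[0] if stopper else None,
        "stop_exception": stopper[1] if stopper else None,
        "imds_errors": imds_errors,
        # Signature of this issue: IMDS reports no identity on the host, yet
        # the result is a hard failure instead of "credential unavailable".
        "no_identity_treated_as_failure": bool(
            stopper
            and stopper[0] == "ManagedIdentityCredential"
            and "Identity not found" in imds_errors
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
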
@christothes
Member

Thanks - I got a local repro and I believe this is now fixed with #46787

@christothes
Member

@nikolaia Would you mind verifying with your repro also using this latest build? 1.14.0-alpha.20241023.3

@nikolaia
Author

@christothes seems to work fine with the latest alpha.20241023.3-package 🙌 :

Run dotnet nuget add source --name azure-sdk-for-net "https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json"
Package source with Name: azure-sdk-for-net added successfully.
<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>

    <ItemGroup>
        <PackageReference Include="Azure.Identity" Version="1.14.0-alpha.20241023.3" />
        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.10" />
        <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0"/>
        <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
        <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0"/>
        <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.10" />
    </ItemGroup>

    <ItemGroup>
        <ProjectReference Include="..\Application\Application.csproj"/>
    </ItemGroup>

    <ItemGroup>
      <Folder Include="Migrations\" />
    </ItemGroup>

</Project>
Build started...
Build succeeded.
[Informational] Azure-Identity: DefaultAzureCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: EnvironmentCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: ManagedIdentitySource TokenExchangeManagedIdentitySource was attempted. IsSelected=False.
[Informational] Azure-Core: Request [2d5ed3c5-eb8f-497f-82ca-35085a9445e8] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
x-ms-client-request-id:2d5ed3c5-eb8f-497f-82ca-35085a9445e8
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.14.0-alpha.20241023.3 (.NET 8.0.10; Ubuntu 22.04.5 LTS)
client assembly: Azure.Identity
Warning:  Azure-Core: Error response [2d5ed3c5-eb8f-497f-82ca-35085a9445e8] 400 Bad Request (00.1s)
Server:IMDS/150.870.65.1475
x-ms-request-id:7bb89c5a-525b-4a82-b3d6-3d2a23fdc532
Date:Thu, 24 Oct 2024 09:06:13 GMT
Content-Type:application/json; charset=utf-8
Content-Length:88

[Informational] Azure-Core: Error response [2d5ed3c5-eb8f-497f-82ca-35085a9445e8] content: {"error":"invalid_request","error_description":"Required metadata header not specified"}
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] MSAL MSAL.NetCore with assembly version '4.66.1.0'. CorrelationId(2e8bf5f1-6008-4274-8d84-25c9cc666f77)
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] === AcquireTokenForManagedIdentityParameters ===
ForceRefresh: False
Resource: https://ossrdbms-aad.database.windows.net/
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] 
=== Request Data ===
Authority Provided? - True
Scopes - https://ossrdbms-aad.database.windows.net/
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenForSystemAssignedManagedIdentity
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 2e8bf5f1-6008-4274-8d84-25c9cc666f77
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] === Token Acquisition (ManagedIdentityAuthRequest) started:
	 Scopes: https://ossrdbms-aad.database.windows.net/
	Authority Host: login.microsoftonline.com
[LogAlways] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Internal cache] Total number of cache partitions found while getting access tokens: 0
[LogAlways] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [ManagedIdentityRequest] No cached access token. Getting a token from the managed identity endpoint.
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [ManagedIdentityRequest] Checking for a cached access token.
[LogAlways] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Internal cache] Total number of cache partitions found while getting access tokens: 0
[LogAlways] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [ManagedIdentityRequest] Acquiring a token from the managed identity endpoint.
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Region discovery] Not using a regional authority. 
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Instance Discovery] Skipping Instance discovery because it is disabled. 
Warning:  Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Managed Identity] Azure Arc managed identity cannot be configured on a platform other than Windows and Linux.
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Managed Identity] Defaulting to IMDS endpoint for managed identity.
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:13Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] [Managed Identity] Sending request to managed identity endpoints.
[Informational] Azure-Core: Request [38c74b1d-4f4d-424a-8904-e2f5eb236f35] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
Metadata:REDACTED
x-ms-client-request-id:38c74b1d-4f4d-424a-8904-e2f5eb236f35
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.14.0-alpha.20241023.3 (.NET 8.0.10; Ubuntu 22.04.5 LTS)
client assembly: Azure.Identity
Warning:  Azure-Core: Error response [38c74b1d-4f4d-424a-8904-e2f5eb236f35] 400 Bad Request (00.0s)
Server:IMDS/150.870.65.1475
x-ms-request-id:1353d12b-40de-481b-8cdf-503745523bd2
Date:Thu, 24 Oct 2024 09:06:13 GMT
Content-Type:application/json; charset=utf-8
Content-Length:68

[Informational] Azure-Core: Error response [38c74b1d-4f4d-424a-8904-e2f5eb236f35] content: {"error":"invalid_request","error_description":"Identity not found"}
[Informational] Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:14Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] Response status code does not indicate success: 400 (BadRequest). 
Warning:  Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:14Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] Request retry failed.
Error:  Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:14Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 1353d12b-40de-481b-8cdf-503745523bd2
Date: Thu, 24 Oct 2024 09:06:13 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
Error:  Azure-Identity: False MSAL 4.66.1.0 MSAL.NetCore .NET 8.0.10 Linux [2024-10-24 09:06:14Z - 2e8bf5f1-6008-4274-8d84-25c9cc666f77] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: managed_identity_request_failed
HTTP StatusCode 0
CorrelationId 2e8bf5f1-6008-4274-8d84-25c9cc666f77
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

[Informational] Azure-Identity: ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
 ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 1353d12b-40de-481b-8cdf-503745523bd2
Date: Thu, 24 Oct 2024 09:06:13 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
[Informational] Azure-Identity: VisualStudioCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: VisualStudioCredential.GetToken was unable to retrieve an access token. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): Visual Studio Token provider can't be accessed at /home/runner/.IdentityService/AzureServiceAuth/tokenprovider.json
 ---> System.IO.DirectoryNotFoundException (0x80070003): Could not find a part of the path '/home/runner/.IdentityService/AzureServiceAuth/tokenprovider.json'.
[Informational] Azure-Identity: AzureCliCredential.GetToken invoked. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId: 
[Informational] Azure-Identity: AzureCliCredential.GetToken succeeded. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  ExpiresOn: 2024-10-25T09:06:13.0000000+00:00
[Informational] Azure-Identity: DefaultAzureCredential credential selected: Azure.Identity.AzureCliCredential
[Informational] Azure-Identity: DefaultAzureCredential.GetToken succeeded. Scopes: [ https://ossrdbms-aad.database.windows.net/.default ] ParentRequestId:  ExpiresOn: 2024-10-25T09:06:13.0000000+00:00

@christothes
Member

This is now available on the public NuGet as 1.13.1.
