Azure App Service with User-Assigned Managed Identity crashes application

I have both a VMSS and multiple AppServices that I would like to use with the same User-Assigned Managed Service Identity. For the VMSS, I am able to assign the identity and use it to retrieve secrets from Azure Key Vault with the following code:

using Azure.Identity;                      // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets;     // SecretClient

// KeyVault holds the vault URI, e.g. "https://{my vault name}.vault.azure.net/"
var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential());
var secret = client.GetSecret("secret-name");

The AppServices use ASP.NET Core 3.1, and so the recommended way to access Key Vault secrets is:

using Microsoft.Azure.KeyVault;                          // KeyVaultClient
using Microsoft.Azure.Services.AppAuthentication;        // AzureServiceTokenProvider
using Microsoft.Extensions.Configuration.AzureKeyVault;  // AddAzureKeyVault, DefaultKeyVaultSecretManager

// Runs inside Host.CreateDefaultBuilder(args).ConfigureAppConfiguration((context, config) => { ... })
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={client id for the user-assigned managed identity elided}");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
config.AddAzureKeyVault("https://{my vault name}.vault.azure.net/", keyVaultClient, new DefaultKeyVaultSecretManager());

Note the connection string is derived from the ‘User-assigned identity for Azure resources’ scenario in this documentation.

The above code snippet throws the following exception:

2020-08-27T02:06:18.409648197Z Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id ellided} is not valid. Must contain ‘TenantId’ attribute and it must not be empty.
2020-08-27T02:06:18.409681697Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary`2 connectionSettings, String attribute, String connectionString)
2020-08-27T02:06:18.409688597Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.Create(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409693297Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider..ctor(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409697797Z at API.Program.<>c.b__1_0(HostBuilderContext context, IConfigurationBuilder config) in /tmp/8d84a2d16145d21/API/Program.cs:line 25
2020-08-27T02:06:18.409703497Z at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
2020-08-27T02:06:18.409707797Z at Microsoft.Extensions.Hosting.HostBuilder.Build()

When I add the ‘TenantId’ as requested, the message changes to:

Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id elided};TenantId={tenant id elided} is not valid. Must contain at least one of CertificateStoreLocation or AppKey attributes.

The managed identity does not have a certificate, and I am trying to use MSI to avoid adding secrets to code or appsettings.

I have tried removing the ‘AppId’ and ‘TenantId’ part of the connection string as per the ‘Managed identities for Azure resources’ scenario which results in the following exception:

Unhandled exception. Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App, Resource: https://vault.azure.net, Authority: https://login.windows.net/b905ac32-5779-4bab-ac34-a8445e89f9e4. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. MSI ResponseCode: BadRequest, Response: {"statusCode":400,"message":"Unable to load requested managed identity.","correlationId":"c8409322-357a-49d0-9686-453fb37cc4b4"}

I assume it’s trying to load the non-existent system-assigned identity. I have confirmed that Managed Identity is configured for the (Linux) WebApp instance through the Kudu console:

  Kudu Remote Execution Console Type 'exit' to reset this console.
  /home>env
  MSI_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
  IDENTITY_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
  IDENTITY_HEADER=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
  MSI_SECRET=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]

Is there an issue with MSI+AppService+Linux, or the documentation, or both, or the code samples, or the configuration, or my code?

Answers:


Method 1

Note: Microsoft.Azure.Services.AppAuthentication is no longer recommended for use with the new Key Vault SDK. It is replaced by the new Azure Identity library (DefaultAzureCredential), available for .NET, Java, TypeScript and Python, and should be used for all new development. More information can be found here: Authentication and the Azure SDK.

The VMSS code you posted is using the new KeyVault SDK which is fine.

But for App Service, since you are still on the legacy SDK (assuming by looking at your code), please check that you have the latest stable NuGet package of Microsoft.Azure.Services.AppAuthentication explicitly added to your project (assuming you are continuing with the legacy SDK for now).

Also, I hope you have already added User Assigned Identity in the App service blade.
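The answer above recommends moving to the Azure.Identity library. The following Program.cs is an added example, not code from the question, the answer or Microsoft, showing how an ASP.NET Core 3.1 app on App Service would load Key Vault secrets with DefaultAzureCredential while selecting a user-assigned identity. It assumes the NuGet packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets, an existing Startup class, and two appsettings keys (KeyVault:Name and KeyVault:ManagedIdentityClientId) whose names are my own choice.

```csharp
// Added example: ASP.NET Core 3.1 host that reads Key Vault secrets into IConfiguration
// using a USER-ASSIGNED managed identity via Azure.Identity (no secret stored in code or
// appsettings). Package and setting names below are assumptions, not from the original post.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

namespace API
{
    public class Program
    {
        public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // Configuration built so far (appsettings.json, environment, etc.).
                    var built = config.Build();

                    // Client id of the user-assigned identity (assumed setting name). It is not
                    // a secret: it only tells the App Service token endpoint WHICH identity to
                    // issue a token for. The app never holds a key or certificate.
                    var clientId = built["KeyVault:ManagedIdentityClientId"];
                    var vaultName = built["KeyVault:Name"];

                    // Without ManagedIdentityClientId, DefaultAzureCredential requests the
                    // SYSTEM-assigned identity. If only a user-assigned identity is attached,
                    // token acquisition fails, which is the situation behind the question's
                    // third attempt. Setting the AZURE_CLIENT_ID app setting is an equivalent
                    // way to select the user-assigned identity.
                    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
                    {
                        ManagedIdentityClientId = clientId
                    });

                    // Secrets become configuration keys (e.g. "Db--Password" -> "Db:Password").
                    config.AddAzureKeyVault(
                        new Uri($"https://{vaultName}.vault.azure.net/"),
                        credential);
                })
                .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
```

Two checks remain outside the code: the user-assigned identity must be attached to the App Service (the "Identity" blade the answer refers to), and it must be granted read access on the vault, either through an access policy limited to Get/List on secrets or the Key Vault Secrets User RBAC role. Granting only those permissions keeps the app's identity at least privilege; it has no reason to hold key or certificate permissions.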



All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
