[BUG] Not able to retrieve aks pod identity, identity not found #23290

Closed
ekersale opened this issue Aug 12, 2021 · 5 comments

Comments

ekersale commented Aug 12, 2021

Describe the bug
When the .NET Core app tries to get the token on an AKS pod, we get the following exception:

Headers:
Server: IMDS/150.870.65.512
Date: Wed, 11 Aug 2021 22:05:29 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 68

   at Azure.Identity.ImdsManagedIdentitySource.CreateRequest(String[] scopes)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

 ---> (Inner Exception #2) Azure.Identity.CredentialUnavailableException: Operating system Linux 5.4.0-1055-azure #57~18.04.1-Ubuntu SMP Fri Jul 16 19:40:19 UTC 2021 isn't supported.
   at Azure.Identity.VisualStudioCredential.GetTokenProviderPath()
   at Azure.Identity.VisualStudioCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.VisualStudioCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.VisualStudioCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

 ---> (Inner Exception #3) Azure.Identity.CredentialUnavailableException: Stored credentials not found. Need to authenticate user in VSCode Azure Account.
 ---> System.DllNotFoundException: Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: Error loading shared library liblibsecret-1.so.0: No such file or directory
   at Azure.Identity.LinuxNativeMethods.Imports.secret_schema_new(String name, Int32 flags, String attribute1, Int32 attribute1Type, String attribute2, Int32 attribute2Type, IntPtr end)
   at Azure.Identity.LinuxNativeMethods.secret_schema_new(String name, SecretSchemaFlags flags, String attribute1, SecretSchemaAttributeType attribute1Type, String attribute2, SecretSchemaAttributeType attribute2Type)
   at Azure.Identity.LinuxVisualStudioCodeAdapter.GetLibsecretSchema()
   at Azure.Identity.LinuxVisualStudioCodeAdapter.GetCredentials(String serviceName, String accountName)
   at Azure.Identity.VisualStudioCodeCredential.GetStoredCredentials(String environmentName)
   --- End of inner exception stack trace ---
   at Azure.Identity.VisualStudioCodeCredential.GetStoredCredentials(String environmentName)
   at Azure.Identity.VisualStudioCodeCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.VisualStudioCodeCredential.GetTokenImplAsync(TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.VisualStudioCodeCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

 ---> (Inner Exception #4) Azure.Identity.CredentialUnavailableException: Azure CLI not installed
   at Azure.Identity.AzureCliCredential.RequestCliAccessTokenAsync(Boolean async, String[] scopes, CancellationToken cancellationToken)
   at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.AzureCliCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

 ---> (Inner Exception #5) Azure.Identity.CredentialUnavailableException: PowerShell is not installed.
   at Azure.Identity.AzurePowerShellCredential.RequestAzurePowerShellAccessTokenAsync(Boolean async, String[] scopes, CancellationToken cancellationToken)
   at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.AzurePowerShellCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)<---

   --- End of inner exception stack trace ---
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at QuartzX.Services.Core.Services.CredentialService.GetTokenAsync(String[] scopes, String azureManagedIdentity, CancellationToken cancellationToken)
   at QuartzX.Services.Core.Sql.BaseDapperService`1.GetAccessTokenAsync()
   at QuartzX.Services.Core.Sql.BaseEntityDapperService`1.<>c__DisplayClass2_0`1.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Polly.AsyncPolicy.<>c__DisplayClass40_0.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Polly.Retry.AsyncRetryEngine.ImplementationAsync[TResult](Func`3 action, Context context, CancellationToken cancellationToken, ExceptionPredicates shouldRetryExceptionPredicates, ResultPredicates`1 shouldRetryResultPredicates, Func`5 onRetryAsync, Int32 permittedRetryCount, IEnumerable`1 sleepDurationsEnumerable, Func`4 sleepDurationProvider, Boolean continueOnCapturedContext)
   at Polly.AsyncPolicy.ExecuteAsync(Func`3 action, Context context, CancellationToken cancellationToken, Boolean continueOnCapturedContext)
   at QuartzX.Services.Core.Sql.BaseEntityDapperService`1.WithConnectionAsync[T](Func`2 callSql)
   at QuartzX.Lookup.Common.Service.LookupService.GetAllAsync() in F:\agent01\_work\2\s\QuartzX.Lookup.Common.Service\QuartzX.Sql.Core.Generators\QuartzX.Sql.Core.Generators.SqlClassGenerator\LookupService.g.procsql.cs:line 111
   at QuartzX.Lookups.ApiServer.Lookups.Controllers.LookupController.GetLookupsAsync() in F:\agent01\_work\2\s\QuartzX.Lookups.ApiServer\Controllers\Lookups\LookupController.cs:line 31
   at lambda_method88(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Logged|12_1(ControllerActionInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at QuartzX.WebApi.Common.Api.Helpers.Exceptions.ExceptionMiddleware.InvokeAsync(HttpContext httpContext)
[22:51:48 Microsoft.AspNetCore.Server.Kestrel [Error] Connection id ""0HMAT2F8D2DD2"", Request id ""0HMAT2F8D2DD2:00000003"": An unhandled exception was thrown by the application.
Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials.
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_request","error_description":"Identity not found"}

But on the same pod when we execute the following code:

```sh
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://database.windows.net/' -H Metadata:true
```

We get a correct answer with a valid token:

[image]

Also, on our aad-pod-identity NMI the previous call generates the following entry:

[image]

But when we use the .NET Core implementation, nothing reacts there.

Expected behavior
GetAccessToken() to be able to retrieve the token correctly.

To Reproduce
Use this implementation in an AKS pod with aad-pod-identity handling pod identities.

```csharp
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public class CredentialService
{
    private TokenCredential _tokenCredential;

    public static TokenCredential GetNewCredential(string azureManagedIdentity)
    {
        // A client id selects a specific user-assigned identity; otherwise the default chain is used as-is.
        if (!string.IsNullOrEmpty(azureManagedIdentity))
        {
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = azureManagedIdentity });
        }

        return new DefaultAzureCredential();
    }

    // Returns the bearer token string for the requested scopes (the method must be Task<string> to return it).
    public async Task<string> GetTokenAsync(string[] scopes, string azureManagedIdentity, CancellationToken cancellationToken)
    {
        if (_tokenCredential == null)
        {
            _tokenCredential = GetNewCredential(azureManagedIdentity);
        }

        var accessToken = await _tokenCredential.GetTokenAsync(
            new TokenRequestContext(scopes),
            cancellationToken);

        return accessToken.Token;
    }
}
```

Environment:

  • Name and version of the Library package used: Azure.Identity v1.4
  • Hosting platform or OS and .NET runtime version: AKS Pod running docker 5.0-alpine with .NET Core 5.0
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 12, 2021
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Aug 12, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Aug 12, 2021
@jsquire
Member

jsquire commented Aug 12, 2021

Thank you for your feedback. Tagging and routing to the team members best able to assist.

@christothes
Member

Hi @ekersale - does this work after the pod has been up for a minute or so? The IMDS endpoint is usually not available immediately, and can cause behavior like this.

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Aug 12, 2021
@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Aug 12, 2021
@ekersale
Author

Hi @christothes, thanks for the reply, but the code has been in our environment for a few days. So it can't come from that.

@ghost ghost added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Aug 13, 2021
@christothes
Member

There must be something in your environment configured for Managed Identity, or a process listening on the same endpoint: the ManagedIdentityCredential only attempts to connect to an endpoint if one of those environment variables is set, or the local-only IMDS endpoint IP address (169.254.169.254) has something listening on it.
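As an added diagnostic for the mismatch the report describes (the curl succeeds while the SDK gets "Identity not found") and for the endpoint/environment-variable check described in this comment: the script below is not from the issue or from Azure.Identity. It sends the request the SDK sends, first without and then with a client_id (what ManagedIdentityClientId adds), classifies each reply, and lists which managed-identity environment variables are set. The variable list, the AZURE_CLIENT_ID stand-in and the verdict labels are assumptions.

```sh
#!/bin/sh
# Added diagnostic, not code from the issue or from Azure.Identity: it sends the same
# IMDS request ManagedIdentityCredential sends (GET, Metadata header, api-version
# 2018-02-01), without and then with the client_id that ManagedIdentityClientId adds,
# and classifies each reply. The env-var list and verdict labels are assumptions.

IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION="2018-02-01"
# Query string as IMDS (or the aad-pod-identity NMI in front of it) receives it;
# client_id is appended only when given, mirroring the SDK option.
build_imds_url() {
    url="${IMDS_TOKEN_URL}?api-version=${API_VERSION}&resource=$1"
    [ -n "${2:-}" ] && url="${url}&client_id=$2"
    printf '%s' "$url"
}

# One-word verdict for a reply body. "Identity not found" is the body the SDK
# reports as "The requested identity has not been assigned to this resource."
classify_imds_response() {
    case "$1" in
        *'"access_token"'*)                           echo "token" ;;
        *'"error_description":"Identity not found"'*) echo "identity-not-assigned" ;;
        *'"error"'*)                                  echo "other-error" ;;
        *)                                            echo "unexpected" ;;
    esac
}

# Which managed-identity environment variables (assumed list) are set; "none" means
# only the link-local IMDS probe decides whether the credential is attempted.
identity_env_report() {
    found=""
    for name in MSI_ENDPOINT MSI_SECRET IDENTITY_ENDPOINT IDENTITY_HEADER AZURE_CLIENT_ID; do
        eval "value=\${$name:-}"
        [ -n "$value" ] && found="${found}${name} "
    done
    echo "${found:-none}"
}

# Send the request and classify it; --max-time bounds the wait if nothing listens.
probe_identity() {
    body="$(curl -s --max-time 5 -H 'Metadata: true' "$(build_imds_url "$1" "${2:-}")" || true)"
    classify_imds_response "$body"
}

main() {
    resource="https://database.windows.net/"
    echo "identity env vars set: $(identity_env_report)"
    echo "no client_id : $(probe_identity "$resource")"
    # AZURE_CLIENT_ID stands in for the value the app passes as azureManagedIdentity.
    [ -n "${AZURE_CLIENT_ID:-}" ] && echo "with client_id : $(probe_identity "$resource" "$AZURE_CLIENT_ID")"
}

# Probe only when run as "sh imds_probe.sh probe", so the functions can also be sourced.
if [ "${1:-}" = "probe" ]; then main; fi
```

Run it on the pod with and without AZURE_CLIENT_ID exported; if the bare request returns "token" but the client_id request returns "identity-not-assigned", the difference between the curl and the SDK call is the identity being requested, not the endpoint.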

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Aug 13, 2021
@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Aug 13, 2021
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Aug 20, 2021
@ghost

ghost commented Aug 20, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Sep 8, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023