
I have long-running jobs that use Azure MSI tokens to access ADLS Gen 2 storage. I am running into an Azure server-side token caching issue. This is my setup:

  1. I request an access token for a user-assigned managed identity from Azure; the default TTL is 8 hours.
  2. That token is then given to a long-running job; say the job runs for 5 hours and finishes successfully.
  3. Then my code requests a new token from the Azure IMDS endpoint. Azure returns me the same access token (now with an effective TTL of 3 hours).
  4. This token is given to a new long-running job, which fails after 3 hours.

I could not find any documentation on how to force a token refresh, so that when I request the second token its expiry time is 8 hours after the second request. In fact, I found a blog that says that a forced refresh is not possible.

This does not look right; there should be a way to force a token refresh (get a new token with a new expiry). Has anybody come across this issue, and how did you solve it?

NOTE: The processes the job runs on do not have the ability to request tokens from the Azure endpoint.

Sandeep More

2 Answers


Based on the docs, it does not seem there is a parameter for that.

In the token caching section they also mention:

On-the-wire calls to Azure AD result only when:

  • a cache miss occurs due to no token in the managed identities for Azure resources subsystem cache
  • the cached token is expired

juunas
  • That is my understanding so far. Is there a workaround for this? I.e., can you force-clear the cache for a managed identity? – Sandeep More Nov 23 '19 at 13:12
  • Bumping up against this in production as well. Not able to force an MSI token refresh and am down in prod until it expires... Is there any way to flush the MSI token for a given resource? – cobolstinks Sep 03 '21 at 15:19

I got in touch with the Azure MSI team and I was told that this is a platform limitation and nothing can be done. The token can be refreshed 5 minutes before expiry (7 hours 55 minutes after creation time). I am told that in a few months we should be able to force-renew tokens after 2 to 3 hours.

Sandeep More
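Added example, not code from the question or either answer: since the thread concludes that IMDS will keep returning the cached token until shortly before it expires, the practical check is to read the token's remaining lifetime before handing it to a job and refuse to launch (or wait for the refresh window) when the job would outlive it. The helper below builds the documented IMDS request for a user-assigned identity, parses the `expires_on` field of the IMDS response, cross-checks it against the JWT `exp` claim, and applies that decision. The IMDS response body is constructed inline so it runs offline; the 5-minute refresh window is taken from the second answer's report, and the 10-minute safety margin is an assumption of this example.

```python
import base64
import json
from dataclasses import dataclass

# Documented IMDS token endpoint and request shape for managed identities.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
ADLS_RESOURCE = "https://storage.azure.com/"

# Assumption taken from the thread: IMDS hands out a fresh token only within
# the last 5 minutes of the cached token's life. IMDS does not report this itself.
REFRESH_WINDOW_SECONDS = 5 * 60


@dataclass
class TokenInfo:
    access_token: str
    expires_on: int  # epoch seconds, from the IMDS "expires_on" field


def build_imds_request(client_id: str, resource: str = ADLS_RESOURCE) -> tuple:
    """Return (url, query params, headers) for a user-assigned identity token request."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource, "client_id": client_id}
    headers = {"Metadata": "true"}  # IMDS rejects requests without this header
    return IMDS_TOKEN_URL, params, headers


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> int:
    """Read the exp claim from the JWT payload without verifying the signature.
    That is acceptable here only because the token came straight from IMDS and
    is inspected for its lifetime, not trusted for an authorization decision."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def parse_imds_response(body: str) -> TokenInfo:
    """Parse the IMDS JSON body and make sure expires_on agrees with the token."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    if jwt_exp(data["access_token"]) != expires_on:
        raise ValueError("IMDS expires_on disagrees with the JWT exp claim")
    return TokenInfo(access_token=data["access_token"], expires_on=expires_on)


def remaining_lifetime(info: TokenInfo, now: int) -> int:
    return info.expires_on - now


def plan_job(info: TokenInfo, job_seconds: int, now: int, margin_seconds: int = 10 * 60) -> tuple:
    """Decide whether this token may be handed to a job of the given expected duration.
    Returns ("run", 0) when the token outlives the job plus the safety margin,
    otherwise ("wait", seconds): how long until the refresh window opens and a
    new IMDS request can be expected to return a fresh token."""
    remaining = remaining_lifetime(info, now)
    if remaining >= job_seconds + margin_seconds:
        return ("run", 0)
    return ("wait", max(0, remaining - REFRESH_WINDOW_SECONDS))


def make_constructed_token(exp: int) -> str:
    """Constructed, unsigned JWT for the offline demo; not a real Azure token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'exp': exp, 'aud': ADLS_RESOURCE})}."


def constructed_imds_body(issued_at: int, ttl_seconds: int = 8 * 3600) -> str:
    """Constructed IMDS response with the fields the real endpoint returns."""
    exp = issued_at + ttl_seconds
    return json.dumps({
        "access_token": make_constructed_token(exp),
        "expires_on": str(exp),
        "expires_in": str(ttl_seconds),
        "resource": ADLS_RESOURCE,
        "token_type": "Bearer",
    })


if __name__ == "__main__":
    # Replays the question's timeline: 8h token, 5h job, then the cached token again.
    t0 = 1_700_000_000
    info = parse_imds_response(constructed_imds_body(t0))
    print("first job:", plan_job(info, 5 * 3600, t0))            # ('run', 0)
    print("second job:", plan_job(info, 5 * 3600, t0 + 5 * 3600))  # ('wait', 10500)
```

In the second call the cached token has 3 hours left, which is less than the 5-hour job plus margin, so the caller should hold the job for 10500 seconds (until 5 minutes before expiry) and re-request from IMDS rather than launching with a token that will die mid-run. The request built by `build_imds_request` is what a real caller would send with an HTTP client; the job processes themselves, which the question notes cannot reach IMDS, only ever receive the already-vetted token.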