
I've deployed a Docker container in Azure App Services. I have a public API that I can call, which returns "Hello world".

I would like to use Azure Managed Identity in my app, so I enabled it in Azure portal. I enabled the "System assigned" one, following this documentation: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet

After enabling the Managed Identity, my web app stops working. Restarting it doesn't help. Disabling the Managed identity fixes it.

If I try to call my API I get an error: ":( Application Error If you are the application administrator, you can access the diagnostic resources."

It's not just my API, it's the whole application that stops working. If I try to navigate to https://[myApp].azurewebsites.net I get the same error. Without Managed Identity, I get "404 page not found" when navigating to this address.

Has anyone encountered this? How do I fix it?

Update: I could not reproduce it with the sample "Static site" container, so it has to be somehow related to the container that we deploy. But I don't understand what could cause it - does enabling the Managed Identity somehow change (reduce) things that the app can do?

Update 2: The container contains a Go application that uses Azure SDK to authenticate with AAD. It seems to us that this authentication attempt makes the whole app crash during startup, if Managed Identity is enabled. Our intention is to get a secret from Azure Key Vault, using Managed Identity. Then use this secret to authenticate with AAD. Right now our app doesn't even attempt to talk with the Managed Identity service.

Nikolaos
  • _Right now our app doesn't even attempt to talk with the Managed Identity service._ - what does that mean exactly? There are container logs (stdout/stderr and docker host) you can look at, that should give you a starting point debugging this, https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#access-log-files. By the way, Application Settings are encrypted in App Service at rest, just in case that's the attack vector you're addressing with Key Vault. – evilSnobu Dec 11 '19 at 15:05
  • What I mean is that we simply enabled Managed Identity for this web app in Azure Portal. But our app doesn't yet have any logic to use it. Simply activating it seems to change something. We checked the logs and our app crashes upon startup when trying to authenticate with AAD, using Azure SDK for Go. We are now trying to bypass the Azure SDK for Go and see if it helps, or at least provides more meaningful failure mode. Yes, the purpose of using Managed Identity & Key Vault is to avoid storing a secret in environment variables. – Nikolaos Dec 11 '19 at 17:09
  • Interesting, could be something specific to the Azure SDK for Go. Haven't seen this before. If you can source more failure detail I'd open an issue in [their repo](https://github.com/Azure/azure-sdk-for-go). – evilSnobu Dec 11 '19 at 19:43
  • This is what we found out: The moment we define MSI_SECRET as blank (existing, but blank; nonexistent is fine), the SDK crashes. It seems that we are now able to get past this issue. – Nikolaos Dec 12 '19 at 09:42
  • @Nikolaos can you further elaborate on your solution? Did you define MSI_SECRET on your own? Where did you define it? – Robar Dec 21 '20 at 08:32

1 Answer


Summarizing the comment into an answer so that others can find the solution more easily.

The moment we define MSI_SECRET as blank (existing, but blank; nonexistent is fine), the SDK crashes.

So define the MSI_SECRET value as it is shown in the Kudu environment.

Joey Cai
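The failure described in this thread is the difference between a variable that is absent and one that is present but empty, which `os.Getenv` alone cannot tell apart. The following is an added example (not code from the question, the answer, or the Azure SDK for Go) of a startup pre-check that classifies the managed-identity environment before any SDK call is made; it assumes `MSI_ENDPOINT` as the companion variable App Service sets alongside `MSI_SECRET`, and `classifyMSI`/`mapLookup` are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// MSIState classifies the App Service managed-identity environment at startup.
type MSIState int

const (
	MSIUnset         MSIState = iota // neither variable present: run without managed identity
	MSIConfigured                    // both present and non-empty: safe to attempt MSI auth
	MSIMisconfigured                 // present but blank, or only one of the pair set
)

// classifyMSI inspects MSI_ENDPOINT and MSI_SECRET through the supplied lookup
// (os.LookupEnv in production, a map-backed lookup in tests). LookupEnv returns
// a presence flag, so "set but empty" is distinguishable from "not set".
func classifyMSI(lookup func(string) (string, bool)) (MSIState, error) {
	endpoint, endpointSet := lookup("MSI_ENDPOINT")
	secret, secretSet := lookup("MSI_SECRET")

	if !endpointSet && !secretSet {
		return MSIUnset, nil
	}
	if (endpointSet && endpoint == "") || (secretSet && secret == "") {
		// The exists-but-blank case from the thread: fail fast with a clear message.
		return MSIMisconfigured, errors.New("MSI_ENDPOINT/MSI_SECRET is present but empty; set it as shown in the Kudu environment or remove it")
	}
	if !endpointSet || !secretSet {
		return MSIMisconfigured, errors.New("only one of MSI_ENDPOINT/MSI_SECRET is set")
	}
	return MSIConfigured, nil
}

// mapLookup adapts a constructed map to the os.LookupEnv signature for tests.
func mapLookup(env map[string]string) func(string) (string, bool) {
	return func(key string) (string, bool) {
		v, ok := env[key]
		return v, ok
	}
}

func main() {
	state, err := classifyMSI(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "managed identity pre-check failed:", err)
		os.Exit(1)
	}
	fmt.Println("managed identity state:", state)
}
```

Run the check before constructing any Azure credential so a blank variable produces a readable startup error instead of a crash inside the SDK.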