  1. Created a User Assigned Managed Identity Azure Resource

  2. I deployed the Container Group with User Managed Identity as shown below: image

  3. Provided access to User Identity for a given Keyvault

  4. Now when I am trying to access the keyvault using the following C# code, it's throwing an exception:

image

Exception Error loading KV settings:: One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. )



Here is recent error in container logs:

Startup Exception occurred: ManagedIdentityCredential authentication failed: 'R' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.

Dadwals
  • Try to modify the first line of your code to `var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={ClientId of user-assigned identity}");`. – Joy Wang Sep 23 '20 at 06:48
  • @JoyWang: Now getting a different error: One or more errors occurred. (Parameters: Connection String: RunAs=App;AppId=XXXXXX, Resource: https://vault.azure.net, Authority: https://login.windows.net/XXXXXX. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.) – Dadwals Sep 23 '20 at 19:20
  • Just to add more context, I am creating the ACI Container Group on the fly (i.e. the User Assigned MI is also attached at the time of creation) and the container code runs immediately after that. Do you think I need to put some delay in calling the keyvault here (because maybe the resources are just warming up or something)? – Dadwals Sep 23 '20 at 19:28

1 Answer


Putting a delay of 10 seconds before accessing keyvault solved the problem, but it is still randomly failing with the following error:

"ManagedIdentityCredential authentication failed: 'R' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0."
Dadwals
  • 2022-02-13, this is still a problem. My container would fail to acquire credentials about 50% of the time. After a `sleep 10`, I haven't seen it fail yet after 50 runs or so. – askldjd Feb 13 '22 at 18:54
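
The fixed `sleep 10` from the answer and the comment above can be replaced by a bounded readiness check in the container entrypoint, which also treats a non-JSON response (what the `'R' is an invalid start of a value` parse error points to) as "not ready". This is an added example, not code from the thread: it assumes the image has `curl`, uses the instance metadata identity endpoint that Azure documents for managed identities, and `wait_for_identity`, `imds_probe` and the `IDENTITY_CLIENT_ID` variable are names made up here.

```shell
#!/bin/sh
# Added example: wait for the managed identity endpoint instead of a fixed sleep.
# Names and the IDENTITY_CLIENT_ID variable are assumptions, not from the thread.

# wait_for_identity PROBE [MAX_ATTEMPTS] [INITIAL_DELAY_SECONDS]
# Runs PROBE until its output looks like a JSON token response.
# Returns 0 when ready, 1 when every attempt failed.
wait_for_identity() {
  wfi_probe=$1
  wfi_max=${2:-6}
  wfi_delay=${3:-1}
  wfi_try=1
  while [ "$wfi_try" -le "$wfi_max" ]; do
    # Keep the body in a variable and never echo it: on success it holds a
    # bearer token, which must not end up in container logs.
    if wfi_body=$("$wfi_probe" 2>/dev/null); then
      case $wfi_body in
        \{*'"access_token"'*) return 0 ;;  # JSON object with a token: ready
      esac
    fi
    # Non-JSON body or connection error: the endpoint is not ready yet.
    if [ "$wfi_try" -lt "$wfi_max" ]; then
      sleep "$wfi_delay"
      wfi_delay=$((wfi_delay * 2))   # exponential backoff: 1, 2, 4, ...
    fi
    wfi_try=$((wfi_try + 1))
  done
  return 1
}

# Probe for the Key Vault resource via the instance metadata identity endpoint.
imds_probe() {
  curl -sS --max-time 5 -H 'Metadata: true' \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net&client_id=${IDENTITY_CLIENT_ID}"
}

# Entrypoint usage (the application command is a placeholder):
#   wait_for_identity imds_probe 6 1 || { echo "managed identity not ready" >&2; exit 1; }
#   exec dotnet App.dll
```

A successful probe does not replace retrying token acquisition inside the application, since the thread reports intermittent failures even after a delay.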