1

I'm trying to run an Azure Function on my local dev machine. The function is configured to use User Assigned Managed Identity to access a Service Bus resource.

When I publish this function to Azure it works perfectly fine, however when I try to run it locally I get the following exception.

Azure.Identity: ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint. Azure.Core: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry. (A socket operation was attempted to an unreachable network. (169.254.169.254:80))

I am using ServiceBusTrigger bindings like so.

Function1.cs

[FunctionName("Function1")]
public void Run([ServiceBusTrigger("myqueue", Connection = "ServiceBusConnection")] string myQueueItem, ILogger log)
{
    log.LogInformation($"C# ServiceBus queue trigger function processed message: {myQueueItem}");
}

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "ServiceBusConnection__clientId": "<my_uami_client_id>",
    "ServiceBusConnection__credential": "managedIdentity",
    "ServiceBusConnection__fullyQualifiedNamespace": "my-service-bus.servicebus.windows.net"
  }
}

csproj package references

  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.8.0" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.ServiceBus" Version="5.9.0" />
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.1.3" />
  </ItemGroup>

My Visual Studio IDE is configured to use my user account for Azure Service Authentication. From what I understand, VS should try to authenticate with DefaultAzureCredential and iterate through the following credential types: EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, InteractiveBrowserCredential.

I was expecting VS to successfully authenticate with my selected user account, but the exception message would suggest that it is failing at the ManagedIdentityCredential option.

Does anyone know what I might be missing here? Thanks in advance.

Krispy

3 Answers

2

Managed Identities do not work locally. Under the hood, it uses a certificate, which is installed in the Azure resource, which, obviously, your local machine does not have.

Donny Kwitty
  • Is that still true today? When I read the Microsoft documentation it states: _Local machines don't support managed identities for Azure resources. As a result, the Azure.Identity library uses your developer credentials to run in your local development environment. For local development, AzureServiceTokenProvider fetches tokens using Visual Studio, Azure command-line interface (CLI), or Azure AD Integrated Authentication. Each option is tried sequentially and the library uses the first option that succeeds_ – Krispy Apr 06 '23 at 09:30
  • Authenticate via Visual Studio _Developers using Visual Studio 2017 or later can authenticate an Azure AD account through the IDE. Applications using the DefaultAzureCredential or the VisualStudioCredential can then use this account to authenticate calls in their application when running locally._ – Krispy Apr 06 '23 at 09:32
0

You do not have a Managed Service Identity on your local machine.

But you do! Visual Studio uses the credentials of the logged-in user of Visual Studio. So if you make use of the MSI while debugging locally, make sure the user that is logged in to Visual Studio has the proper rights within Azure.
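
An added diagnostic example, not written by any poster in this thread: a small console program that asks each credential type individually for a Service Bus token, so you can see which ones are usable on a development machine and which fail against the managed identity endpoint. It assumes the Azure.Identity package referenced in the question; the class name `CredentialProbe` and passing the client ID as the first argument are illustrative choices.

```csharp
// Added example: probe each credential type separately for a Service Bus token.
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class CredentialProbe
{
    // Token scope for Service Bus data-plane access.
    private const string ServiceBusScope = "https://servicebus.azure.net/.default";

    public static async Task Main(string[] args)
    {
        // Assumption: the user-assigned identity's client ID is the first argument.
        string uamiClientId = args.Length > 0 ? args[0] : null;

        var candidates = new List<(string Name, TokenCredential Credential)>
        {
            ("ManagedIdentityCredential", new ManagedIdentityCredential(uamiClientId)),
            ("VisualStudioCredential", new VisualStudioCredential()),
            ("AzureCliCredential", new AzureCliCredential()),
        };

        var request = new TokenRequestContext(new[] { ServiceBusScope });

        foreach (var (name, credential) in candidates)
        {
            // Bound each attempt so managed identity endpoint retries do not stall the probe.
            using var timeout = new CancellationTokenSource(TimeSpan.FromSeconds(15));
            try
            {
                AccessToken token = await credential.GetTokenAsync(request, timeout.Token);
                // Report only the expiry; never log the token itself.
                Console.WriteLine($"{name}: OK, token expires {token.ExpiresOn:u}");
            }
            catch (AuthenticationFailedException ex) // also covers CredentialUnavailableException
            {
                Console.WriteLine($"{name}: FAILED ({ex.GetType().Name}) {ex.Message}");
            }
            catch (OperationCanceledException)
            {
                Console.WriteLine($"{name}: TIMED OUT");
            }
        }
    }
}
```

A successful token only proves that the credential can authenticate; the signed-in account still needs a Service Bus data role (for example Azure Service Bus Data Receiver) on the namespace before the trigger can read from the queue.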

-2

I managed to get access to another Azure subscription and I was able to successfully run my Azure Function locally - as described above.

Subsequently, I think the issue is somehow linked to the first subscription I was using. Anyway, I'm unblocked and the issue seemed to be at my end, so I'm closing this question now.

Krispy