I am trying to follow the Upload to Blob tutorial from here https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal and want to use Managed Identity instead of the access key, as that gets rotated, and I have added the Role Assignment from my App Service.
Locally, I test spinning up a BlobContainerClient with the client ID as follows:
string userAssignedClientId = ""; //Use Object/Principal ID from App Service - Webapps here
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
When I try to use the client:
await containerClient.CreateIfNotExistsAsync();
I get the error:
ManagedIdentityCredential authentication failed: Managed Identity response was not in the expected format. Input does not contain any JSON tokens
I have checked the role and it seems to have Storage Blob Contributor. Am I missing something here, or, given that this is a Microsoft tutorial and there is not much research on it, is this a new feature that is still buggy?
I have also tried:
services.Configure<AzureStorageConfig>(Configuration.GetSection("AzureStorageConfig"));
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
where my AppConfig has the details, but I am confused about the Azure directory details. I thought you were only able to use your ObjectID/Principal ID in your identity-enabled web app per the instructions, so I only entered the ClientID. Is that correct, or will I actually need all the details, including the secret?
"AzureAd": {
"Instance": "",
"Domain": "",
"TenantId": "",
"ClientId": "Principal/Object Web App ID",
"ClientSecret": "",
"ClientCertificates": [
],
// the following is required to handle Continuous Access Evaluation challenges
"ClientCapabilities": [ "cp1" ],
"CallbackPath": "/signin-oidc"
},
"AzureStorageConfig": {
"AccountName": "<storage-account-name>",
"ContainerName": "<blob-container-name>"
},
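For comparison, here is an added example (not the asker's code, and not the tutorial's) of how a BlobContainerClient is normally wired up with a managed identity using Azure.Identity and Azure.Storage.Blobs; it assumes the account and container names come from the AzureStorageConfig section above, and the configuration key ManagedIdentity:ClientId for a user-assigned identity's client ID is an assumed placeholder.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.Extensions.Configuration;

public static class BlobAccess
{
    // Builds a container client that authenticates with Entra ID tokens instead of an account key.
    // The identity must hold the "Storage Blob Data Contributor" role on the account or container;
    // the control-plane Contributor/Owner roles alone do not grant data-plane (blob) access.
    public static BlobContainerClient CreateContainerClient(IConfiguration configuration)
    {
        var storage = configuration.GetSection("AzureStorageConfig");
        string accountName = storage["AccountName"]
            ?? throw new InvalidOperationException("AzureStorageConfig:AccountName is missing");
        string containerName = storage["ContainerName"]
            ?? throw new InvalidOperationException("AzureStorageConfig:ContainerName is missing");

        // Only set for a USER-assigned identity: this is the identity's client (application) ID,
        // not the object/principal ID shown on the App Service Identity blade.
        // For a SYSTEM-assigned identity leave it null; the token endpoint then has one identity to use.
        // "ManagedIdentity:ClientId" is an assumed configuration key, not part of the tutorial.
        string? userAssignedClientId = configuration["ManagedIdentity:ClientId"];

        var options = new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = string.IsNullOrEmpty(userAssignedClientId) ? null : userAssignedClientId,
            // Outside Azure there is no managed identity endpoint; skipping that probe avoids
            // confusing failures and lets DefaultAzureCredential fall through to developer
            // credentials (Azure CLI, Visual Studio, ...). WEBSITE_SITE_NAME is set by App Service
            // and is used here as a simple "running in Azure" check.
            ExcludeManagedIdentityCredential = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME") is null,
        };
        TokenCredential credential = new DefaultAzureCredential(options);

        var containerUri = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}");
        return new BlobContainerClient(containerUri, credential);
    }

    // Creates the container if needed and uploads one text blob, overwriting any previous version.
    public static async Task UploadTextAsync(BlobContainerClient container, string blobName, string text)
    {
        await container.CreateIfNotExistsAsync();
        BlobClient blob = container.GetBlobClient(blobName);
        await blob.UploadAsync(BinaryData.FromString(text), overwrite: true);
    }
}
```

The AzureAd section and AddMicrosoftIdentityWebApp configure user sign-in for the web app and are not consulted by DefaultAzureCredential, which needs only the role assignment (plus the client ID when the identity is user-assigned).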