
Update ManagedAppServiceToken constructor to accept and correctly process resource Id #8983

Closed
eamonoreilly opened this issue Apr 10, 2019 · 20 comments

@eamonoreilly

Description

Managed identity within a function application is not getting a token automatically for vault.azure.net when using the *-AzKeyVaultSecret cmdlets. If you set / retrieve a secret from Key Vault, it will return an unauthorized message.

Steps to reproduce

Enable managed identity on a function application.
Grant access to a secret for this managed identity
Run the following from a PowerShell function

Get-AzKeyVaultSecret -VaultName <contosovault> -Name <mysecret>

It will return unauthorized.

If you perform the request manually outside of the cmdlets, it works correctly.

$Vault = "contosovault"
$Secret = "testsecret"

# Ask the App Service managed-identity endpoint for a token whose audience is Key Vault.
# MSI_ENDPOINT and MSI_SECRET are injected into the function app when managed identity is enabled.
$tokenAuthURI = $Env:MSI_ENDPOINT + "?resource=https://vault.azure.net&api-version=2017-09-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
$headers = @{ 'Authorization' = "Bearer $accessToken" }

# Call the Key Vault data plane directly with the bearer token.
$vaultSecret = "https://$Vault.vault.azure.net/secrets/" + $Secret + "?api-version=2016-10-01"

Invoke-RestMethod -Method GET -Uri $vaultSecret -Headers $headers

You can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-services-that-support-azure-ad-authentication for list of Resource Id that should work with managed identity in function app.
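The debug trace posted later in this thread shows the cmdlet reusing a cached token requested for https://management.azure.com/ while Key Vault's WWW-Authenticate header demands resource="https://vault.azure.net". The following is an added example, not code from the issue or from the Az module: it requests a managed-identity token for an explicit resource from the App Service MSI endpoint, decodes the JWT payload, and checks the `aud` claim before calling Key Vault, so a wrong-audience token is reported with its actual audience instead of a bare 401. It assumes the same MSI_ENDPOINT / MSI_SECRET environment as the workaround above; the function names and the vault/secret values are this example's own.

```powershell
# Added example (not from the issue or the Az module): acquire an MSI token for an
# explicit resource and verify its audience before using it against Key Vault.
# Assumes the App Service MSI environment (MSI_ENDPOINT / MSI_SECRET).

function Get-MsiToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Resource,
        [string] $ApiVersion = '2017-09-01'
    )
    if (-not $env:MSI_ENDPOINT -or -not $env:MSI_SECRET) {
        throw 'MSI_ENDPOINT / MSI_SECRET are not set; managed identity is not enabled on this app.'
    }
    # The resource is passed as a query-string parameter; this is exactly the value that
    # must reach the endpoint for the returned token to carry the right audience.
    $uri = '{0}?resource={1}&api-version={2}' -f $env:MSI_ENDPOINT, [uri]::EscapeDataString($Resource), $ApiVersion
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; restore standard base64 before decoding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload segment' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenAudience {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $ExpectedAudience
    )
    # Diagnostic only: this reads the claims without validating the signature.
    # Key Vault validates the token; we just want to know which audience it was minted for.
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $actual   = ([string]$claims.aud).TrimEnd('/')
    $expected = $ExpectedAudience.TrimEnd('/')
    if ($actual -ne $expected) {
        Write-Warning ("Token audience is '{0}' but this call needs '{1}'; Key Vault will answer 401 Unauthorized." -f $claims.aud, $ExpectedAudience)
        return $false
    }
    return $true
}

# Usage inside the PowerShell function: only read the secret once the token is known
# to be scoped to Key Vault.
$Vault  = 'contosovault'   # example value
$Secret = 'testsecret'     # example value
$token  = Get-MsiToken -Resource 'https://vault.azure.net'
if (Test-TokenAudience -Token $token -ExpectedAudience 'https://vault.azure.net') {
    $uri = 'https://{0}.vault.azure.net/secrets/{1}?api-version=7.0' -f $Vault, $Secret
    (Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value
}
```

The audience comparison trims a trailing slash because Azure AD issues `aud` values both with and without one for the same resource. Decoding the payload here is a troubleshooting aid; it does not verify the token and must not be used as an authorization decision on the receiving side.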

@TylerLeonhardt
Member

cc @joeyaiello @daxian-dbw for awareness

@markcowl
Member

@eamonoreilly @TylerLeonhardt Do you have a debug trace of a failed request? There are some KeyVault cmdlets that also require Graph access.

@eamonoreilly
Author

eamonoreilly commented Apr 15, 2019

Here is the debug information Mark.

2019-04-15T22:30:30.217 [Debug] DEBUG: 10:30:30 PM - GetAzureKeyVaultSecret begin processing with ParameterSet 'ByVaultName'.
2019-04-15T22:30:30.219 [Debug] DEBUG: 10:30:30 PM - using account id 'MSI@50342'...
2019-04-15T22:30:30.703 [Debug] DEBUG: [ADAL]: Information: 2019-04-15T22:30:30.6080621Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Serializing token cache with 0 items.
2019-04-15T22:30:30.705 [Debug] DEBUG: [ADAL]: Information: 2019-04-15T22:30:30.6090837Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Serializing token cache with 0 items.
2019-04-15T22:30:30.705 [Debug] DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '72f988bf-86f1-41af-91ab-2d7cd011db47', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://vault.azure.net', ValidateAuthority: 'True'
2019-04-15T22:30:30.706 [Debug] DEBUG: [HttpClientOperations]: Adding Header 'Metadata'
2019-04-15T22:30:30.712 [Debug] DEBUG: [HttpClientOperations]: Adding Header 'Secret'
2019-04-15T22:30:30.713 [Debug] DEBUG: [ADAL]: Information: 2019-04-15T22:30:30.6092254Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Serializing token cache with 0 items.
2019-04-15T22:30:30.713 [Debug] DEBUG: [ADAL]: Information: 2019-04-15T22:30:30.6092871Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Serializing token cache with 0 items.
2019-04-15T22:30:30.714 [Debug] DEBUG: Checking Cache request http://127.0.0.1:41257/MSI/token/?resource=https://management.azure.com/&api-version=2017-09-01
2019-04-15T22:30:30.714 [Debug] DEBUG: Cache Hit
2019-04-15T22:30:30.714 [Debug] DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://functionspowershell.vault.azure.net/secrets/testmsi/?api-version=7.0

Headers:
x-ms-client-request-id        : 87090c56-a8b0-4f0d-b73e-4713221f7e20
Accept-Language               : en-US

Body:
2019-04-15T22:30:30.715 [Debug] DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Microsoft-IIS/10.0
WWW-Authenticate              : Bearer authorization="https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47", resource="https://vault.azure.net"
x-ms-keyvault-region          : southcentralus
x-ms-request-id               : dc7d93eb-6e43-4941-bdff-966db4d65def
x-ms-keyvault-service-version : 1.1.0.864
x-ms-keyvault-network-info    : addr=23.96.112.60;act_addr_fam=InterNetwork;
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET
Strict-Transport-Security     : max-age=31536000;includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Mon, 15 Apr 2019 22:30:30 GMT

Body:
2019-04-15T22:30:31.272 [Error] ERROR: Operation returned an invalid status code 'Unauthorized'
Microsoft.Azure.WebJobs.Script.Rpc.RpcException : Result: ERROR: Operation returned an invalid status code 'Unauthorized'
Exception: Operation returned an invalid status code 'Unauthorized'
Stack:    at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretWithHttpMessagesAsync(String vaultBaseUrl, String secretName, String secretVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretAsync(IKeyVaultClient operations, String secretIdentifier, CancellationToken cancellationToken)
   at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.GetSecret(String vaultName, String secretName, String secretVersion)
   at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
2019-04-15T22:30:31.303 [Debug] DEBUG: AzureQoSEvent: CommandName - Get-AzKeyVaultSecret; IsSuccess - False; Duration - 00:00:00.9875746; Exception - Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'
   at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretWithHttpMessagesAsync(String vaultBaseUrl, String secretName, String secretVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretAsync(IKeyVaultClient operations, String secretIdentifier, CancellationToken cancellationToken)
   at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.GetSecret(String vaultName, String secretName, String secretVersion)
   at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
2019-04-15T22:30:31.676 [Debug] DEBUG: Finish sending metric.
2019-04-15T22:30:31.677 [Debug] DEBUG: 10:30:31 PM - GetAzureKeyVaultSecret end processing.
2019-04-15T22:30:31.683 [Debug] DEBUG: 10:30:31 PM - GetAzureKeyVaultSecret end processing.

@eamonoreilly
Author

@markcowl I added a debug trace. Hopefully this is enough information to isolate what might be happening.
Thanks,
Eamon

@daxian-dbw

@eamonoreilly Why is this issue closed?

@eamonoreilly eamonoreilly reopened this Apr 16, 2019
@eamonoreilly
Author

@daxian-dbw Closed by mistake! Thanks for the ping; I'm reopening.

@markcowl
Member

markcowl commented Apr 16, 2019

@eamonoreilly Thanks, that pinpoints exactly what the error is and where it occurs in the code. We will take a look.

@markcowl markcowl changed the title Managed identity within function application is not getting token automatically for vault.azure.net when using *-AzKeyVaultSecret cmdlets Update ManagedAppServiceToken constructor to accept and correctly process resource Id Apr 16, 2019
@markcowl
Member

markcowl commented Apr 16, 2019

Description

ManagedAppServiceToken does not accept resource (token audience) and so cannot be used to authenticate data plane calls.

  • Update ManagedAppServiceToken to accept resource (as the generic ManagedServiceToken does)
  • Ensure that references to https://management.core.windows.net continue to be transformed into the resource manager audience (https://manage.windowsazure.net)
  • Add tests to verify that different token audiences are passed through in the query string to Managed Service appropriately

Cost: 4

@bingbing8

When will the issue be fixed? I hit it when developing my Azure function.

@bingbing8

bingbing8 commented May 7, 2019

@markcowl, @cormacpayne I got the same error when invoking Get-AzKeyVaultCertificate. Can I assume it is caused by the same issue? Until the issue gets fixed, could you provide a workaround to get the certificate outside the cmdlet?

@Agazoth
Contributor

Agazoth commented May 19, 2019

Still an issue. We do need this fixed.

@Agazoth
Contributor

Agazoth commented May 19, 2019

The same issue exists in Set-AzKeyVaultSecret

@markcowl markcowl modified the milestones: 2019-05-21, 2019-06-04 May 23, 2019
@jvermast

jvermast commented Jun 3, 2019

Can confirm this is still an issue.

@crutchcodes

Do you have an ETA on when this change will ship?

@cormacpayne
Member

The fix has been merged and will be available in the new version of Az released on 2019-06-18.

@markcowl
Member

Closing as fixed.

@johnburns320

Verified fix in Azure Automation runbooks. Thank you!

@bingbing8

bingbing8 commented Jun 19, 2019

Is this fix available in the PS function app yet? I still get an Unauthorized error on a PS Azure function when running Get-AzKeyVaultSecret from a PS function.
I checked the access policy of the Key Vault; the MSI of my function app has access to it.

@eamonoreilly
Author

Make sure you have the latest modules in your requirements.psd1.

If you go to Platform Features -> App service editor, you may need to update the Az modules to 2.* as they might be at 1.* still. I confirmed it worked with the latest 2.* module (https://www.powershellgallery.com/packages/Az/2.3.2)

@{
Az = '2.*'
}
Thanks,
Eamon

@bingbing8

Thanks @eamonoreilly, after updating the requirement it works for me now.
