[AppConfig]: Error while reading Settings from Azure App Configuration

[ThorstenHans]

Bug Report

Environment

go 1.17

require (
	github.com/Azure/azure-sdk-for-go/sdk/appconfig/azappconfig v0.1.0
	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0
	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.3.0
)

What happened?

Reading settings from Azure App Configuration (AppConfig) does not work. When using a connection string for authentication, requests fail with an HTTP 401 and HMAC-SHA256 error="invalid_token", error_description="Invalid Credential" provided as in the response header.

When authenticating with azidentity same underlying request fail with an HTTP 403. I had azidentity configured to re-use existing authentication token from Azure CLI (az).

Reading the same setting works perfectly fine via az appconfig kv show

What did you expect or want to happen?

I expect to retrieve the setting from AppConfig 😄

How can we reproduce it?

Here the fragment of the code used for authenticating with a connection string

func test(ctx context.Context, key string, label string, connectionString string) {
	client, err := azappconfig.NewClientFromConnectionString(connectionString, nil)
	// removed err handling because it does not matter for this conversation
	res, err := client.GetSetting(ctx, azappconfig.Setting{
		Key:   to.StringPtr(key),
		Label: to.StringPtr(label),
	}, nil)
	if err != nil {
		fmt.Printf("Error while reading setting: %s", err)
	}
}

Anything we should know about your environment.

local: I tested it on latest macOS (Intel)
cloud: see the following az script to spin up the required services:

appCfgName=foobar
rgName=rg-appcfg-sample
location=germanywestcentral

az group create -n $rgName -l $location
az appconfig create -n $appCfgName -g $rgName -l $location --sku Standard

[antkmsft]

Hi @ThorstenHans, can you check if you are using valid connection string?
I just checked locally, and I can run client_test.go against my App Configuration resource.
I also can run it with read-only connection string (commenting out the parts that modify setings).

A connection string should look this: "Endpoint=https://....azconfig.io;Id=...;Secret=..."

You can get it from here:

If you have a TokenCredential, you can use azappconfig.NewClient("url", tokenCredential, null) instead of NewClientFromConnectionString().

[ThorstenHans]

Hey @antkmsft

I double-checked the connection string. It was correct. I've also

• tried the read-only connection string
• re-generated all keys and tried both (read-write and read-only) again
• verified that public network access is enabled

It's keeps on throwing:

[Apr  7 07:38:46.787256] Retry: 
=====> Try=1 GET [https://fooooooooo.azconfig.io/kv/sname?api-version=1.0&label=dev]()
[Apr  7 07:38:46.787479] Request: ==> OUTGOING REQUEST (Try=1)
   GET [https://fooooooooo.azconfig.io/kv/sname?api-version=1.0&label=REDACTED]()
   Accept: application[/vnd.microsoft.appconfig.kv]()+json, application[/json](), application[/problem]()+json
   Authorization: REDACTED
   Sync-Token: REDACTED
   User-Agent: azsdk-go-azappconfiguration[/v0.1.0]() azsdk-go-azcore[/v0.22.0]() (go1.18; darwin)
   X-Ms-Content-Sha256: REDACTED
   X-Ms-Date: REDACTED

[Apr  7 07:38:46.866000] Response: ==> REQUEST[/RESPONSE]() (Try=1[/78.417155ms](), OpTime=78.452782ms) -- RESPONSE RECEIVED
   GET [https://fooooooooo.azconfig.io/kv/sname?api-version=1.0&label=REDACTED]()
   Accept: application[/vnd.microsoft.appconfig.kv]()+json, application[/json](), application[/problem]()+json
   Authorization: REDACTED
   Sync-Token: REDACTED
   User-Agent: azsdk-go-azappconfiguration[/v0.1.0]() azsdk-go-azcore[/v0.22.0]() (go1.18; darwin)
   X-Ms-Content-Sha256: REDACTED
   X-Ms-Date: REDACTED
   --------------------------------------------------------------------------------
   RESPONSE Status: 401 Unauthorized
   Access-Control-Allow-Credentials: REDACTED
   Access-Control-Allow-Origin: REDACTED
   Access-Control-Expose-Headers: REDACTED
   Content-Length: 0
   Date: Thu, 07 Apr 2022 05:38:46 GMT
   Server: openresty[/1.17.8.2]()
   Strict-Transport-Security: REDACTED
   Www-Authenticate: HMAC-SHA256 error="invalid_token", error_description="Invalid Credential"
   X-Ms-Correlation-Request-Id: REDACTED
   X-Ms-Request-Id: 87a8b387-d8c1-4190-8ccf-8f4272bd6638

[Apr  7 07:38:46.866032] Retry: response 401

[ThorstenHans]

since filing the issue, I've updated the version of go to 1.18

[antkmsft]

Thank you Thorsten, I was able to reproduce it - it has something to do with the region. It did not repro in West US, but does reproduce when using AppConfiguration deployed to Germany West Central.
The problem is still on the SDK size and not the Azure, because I wrote the identical code for .NET SDK, and it can work with the same connection string, when Go SDK fails. Connection string looks normal to me, BTW.
I'll keep investigating to find what is it that we do differently.

[antkmsft]

Thank you for finding this, @ThorstenHans! I have a fix (linked above), and there are reasons to think that Java, JS, and Python SDK may be also affected by this. .NET SDK is the only one that's ok. I will work with the other SDK teams, as well as the docs.microsoft.com team to correct code samples in this article: https://docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac. It is also possible that it is actually the service that's being deployed to the German cloud is not up to the spec, and then the fix may go the other way, instead of fixing the SDK code, but I personally think it is less likely.

If you have a chance to apply the fix, please give it a try!

[ThorstenHans]

cool, thanks @antkmsft 🎉