DefaultAzureCredential fails to get a token when attempted from an Azure Function with a VNet integration

[aangelisc]

• Package Name: @azure/identity
• Package Version: 1.3.0
• Operating system: Linux
• nodejs
  • version: 14
• browser
  • name/version:
• typescript
  • version: 4.4.0
• Is the bug related to documentation in
  • README.md
  • source code documentation
  • SDK API docs on https://docs.microsoft.com

Describe the bug
A clear and concise description of what the bug is.

When attempting to use the @azure/identity package in an Azure Function (Linux) with a VNet integration the GET request to the /msi/token endpoint fails with a 500 status code and the following error message:

More details:
unknown_error(status code 500).
More details:
An unknown error occurred and no additional details are available.
    at ManagedIdentityCredential.<anonymous> (/home/site/wwwroot/node_modules/@azure/identity/dist/index.js:1301:23)
    at Generator.throw (<anonymous>)
    at rejected (/home/site/wwwroot/node_modules/@azure/identity/node_modules/tslib/tslib.js:115:69)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  statusCode: 500,
  errorResponse:
   { error: 'ManagedIdentityCredential authentication failed.',
     errorDescription:
      'unknown_error(status code 500).\nMore details:\nAn unknown error occurred and no additional details are available.',
     correlationId: undefined,
     errorCodes: undefined,
     timestamp: undefined,
     traceId: undefined },
  name: 'AuthenticationError' }

I can see that the request is made to the following endpoint: http://169.254.129.5:8081/msi/token?resource=https%3A%2F%2Fstorage.azure.com&api-version=2017-09-01

To Reproduce
Steps to reproduce the behavior:

1. Create a function app with a system-assigned managed identity
2. Integrate function app with VNet
3. Attempt to retrieve a token using the @azure/identity library (const defaultAzureCredential = new DefaultAzureCredential();)

Expected behavior
A clear and concise description of what you expected to happen.

The function app should successfully retrieve a token.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[aangelisc]

Any update on this?

[sadasant]

@aangelisc hello, Mr Christou. I’m Daniel. I’ll be doing my best to help you.

While I investigate this on my side, I would really appreciate if you could try the following:

const defaultAzureCredential = new DefaultAzureCredential();
defaultAzureCredential.getToken("https://graph.microsoft.com/.default")
  .then(result => console.log({ result }))
  .catch(error => console.error(error));

What result do you get when you run that? (please make sure to remove any token or sensitive information).

[sadasant]

@aangelisc I’ve tried to reproduce this issue today without success. Please let us know how it goes when you test with https://graph.microsoft.com/.default. This will help us identify if this is a permissions issue or an issue with the SDK.

[aangelisc]

Hi @sadasant,

I still receive the same error as before even with the getToken line added. What infrastructure were you using when you attempted to reproduce the issue?

[sadasant]

@aangelisc thank you for your response! Please give us some time to come up with a better answer.

[sadasant]

@aangelisc Hello, Mr. Christou.

I’m still trying to reproduce the issue. So far, I have been unable to. I’ll share the steps I’m following. Would you please let me know if you spot anything I should be doing differently? In the meantime, I’m trying to reach other people in my team to make sure they take a peek at the issue you’re reporting and the steps I’m following, in case they may know something I don’t.

Here are the steps I’m following:

• I’m creating a new Azure Function App.
  • Using the “Code” option for the Publish setting.
  • For the Runtime Stack: Node.js
  • Version: 14 LTS
  • Region: Central US
  • Operative System: Linux
  • Plan Type: Functions Premium (I picked this one since Consumption (Serverless) wouldn’t let me configure a VNet).
  • I am enabling Application Insights.
• I’m also creating a Virtual Network.
  • I’m using the same resource group as the resource group I used for my Azure Function App.
  • I’m using the same region I used for my Azure Function App, meaning: Central US.
  • I’m leaving all of the other settings as the default values that Azure provides.
• I’m enabling VNet Integration on my Azure Function App.
  • Going to my Azure Function App, then to the Networking (preview) page.
  • In the Networking (preview) page, I would click on the VNet Integration option. There, I would connect the Virtual Network I just created.
• I would connect my Azure Function App with a git repo of mine.
  • On my Azure Function App, I would go to the Deployment Center; there, I would connect my git repository.
  • More information on my git repository below.
  • Once my git repository is configured, I would click the Sync button.
• At this point, I would wait for the Azure Function to deploy from my repository.
  • In the meantime, I would read the logs until I detected my code was released.
  • I would confirm that my function was deployed correctly by going to the Functions tab on my Azure Function App on the portal.
• Once my function is deployed, I would run it.
  • I would go to my deployed function, click on the Get Function Url button, then go to that Url on a separate browser tab.
  • On a different browser tab, I would monitor the logs to confirm that the console.log entries in my function would log the results I am expecting.

Following those steps, I am able to see the authentication happening.

Let me provide you the code from my repository:

The folder structure:

repository-folder/
  package.json
  package-lock.json
  host.json
  MyFunction/
    function.json
    index.js

The package.json file:

{
  "name": "my-azure-function",
  "version": "1.0.0",
  "description": "",
  "scripts": {
    "start": "func start",
  },
  "dependencies": {
    "@azure/identity": "^1.3.0",
  }
}

The package-lock.json would be the one generated by NPM when running npm install locally.

The host.json file would contain:

{
  "version": "2.0",
  "logging": {
    "applicationInsights": {
      "samplingSettings": {
        "isEnabled": true,
        "excludedTypes": "Request"
      }
    }
  },
  "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[1.*, 2.0.0)"
  }
}

The function.json file in the MyFunction folder would contain:

{
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "type": "http",
      "direction": "out",
      "name": "res"
    }
  ]
}

The index.js file in the MyFunction folder would contain:

const identity = require("@azure/identity");

module.exports = async function (context, req) {
  context.log("JavaScript HTTP trigger function processed a request.");

  process.env.AZURE_LOG_LEVEL = "verbose";
  let totalTokensFound = 0;

  console.log(`Trying the DefaultAzureCredential without parameters`);
  try {
    const credential = new identity.DefaultAzureCredential();
    const result = await credential.getToken("https://graph.microsoft.com/.default"));
    if (result && result.token) {
      totalTokensFound++;
    }
  } catch (e) {
    console.log(`DefaultAzureCredential without parameters error`, e);
  }

  console.log(`Total tokens found: ${totalTokensFound}`);

  console.log(`Trying the ManagedIdentityCredential without parameters`);
  try {
    const credential = new identity.ManagedIdentityCredential();
    const result = credential.getToken("https://graph.microsoft.com/.default"));
    if (result && result.token) {
      totalTokensFound++;
    }
  } catch (e) {
    console.log(`ManagedIdentityCredential without parameters error`, e);
  }
  console.log(`Total tokens found: ${totalTokensFound}`);

  context.res = {
    // status: 200, /* Defaults to 200 */
    body: "This HTTP triggered function executed successfully.",
  };
};

Following those steps, I’m able to see logs that confirm to me that the tokens have been retrieved. I can also see those tokens if I change the logs to print the getToken results in full.

Is there anything in my approach that is fundamentally different from your approach?

Thank you for your time,

[sadasant]

@aangelisc Just an update: I’ve reached out to my team and they report the same results as I do.

[aangelisc]

Hi @sadasant,

Thanks for the above. To clarify - were you also routing all traffic via the VNet? We are using the WEBSITE_VNET_ROUTE_ALL flag and also the WEBSITE_DNS_SERVER (set to 168.63.129.16). I expect this may be different from your setup which could be what is causing us an issue?

[sadasant]

@aangelisc thank you Andreas! I will follow up on your feedback this week. Thank you so much for your response. Please give me a bit of time to catch up.

[sadasant]

@aangelisc I have configured both settings (WEBSITE_VNET_ROUTE_ALL to 1 and WEBSITE_DNS_SERVER to 168.63.129.16) and I still get a token. I will try several times more between today and tomorrow, and I’ll ask someone else to help me understand what’s going on. Thank you for your patience.

[sadasant]

@aangelisc if you can help us debug this, do you mind setting this environment variable AZURE_LOG_LEVEL to verbose? to see if you can spot some more information

[sadasant]

@aangelisc if possible, try the steps I shared above, on #16175 (comment), plus also setting WEBSITE_VNET_ROUTE_ALL to 1 and WEBSITE_DNS_SERVER to 168.63.129.16. Please let me know if you can spot something I’m doing differently.

[aangelisc]

Hi @sadasant, thank you for the quick response - I'll give this a go as soon as I get the chance!

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!