[BUG] Occasional ManagedIdentity failures #45305

Closed
garrettlondon1 opened this issue Aug 1, 2024 · 10 comments

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments


garrettlondon1 commented Aug 1, 2024

Library name and version

Azure.Storage.Blobs, Version 12.20.0

Describe the bug

When using Managed Identity credential and RBAC, the app running on Azure App Service has the correct credentials and network connections.

The application will succeed and get all data from blob storage, but somewhere in the middle when the application is running, Managed Identity fails and gets a bad token.

This happens intermittently, but the problem is not resolved until app is restarted

services.AddAzureClients(x =>
{
    if (EnvironmentEx.IsOffline)
    {
        x.AddBlobServiceClient("UseDevelopmentStorage=true");
    }
    else
    {
        x.AddBlobServiceClient(new Uri(config["ApplicationConfiguration:BlobUrl"] ?? throw new Exception("BlobUrl is missing")));
        x.UseCredential(EnvironmentEx.IsDevelopment ? new AzureCliCredential() : new ManagedIdentityCredential());
    }
});

ManagedIdentityCredential.GetToken invoked. Scopes: [ https://storage.azure.com//.default ] ParentRequestId: 7cb8a1ff-5041-46aa-a693-dcb04a13f0e1
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] MSAL MSAL.NetCore with assembly version '4.61.3.0'. CorrelationId(d196e687-f152-46b0-bee9-d4bbcd4454ae)
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] === AcquireTokenForClientParameters === SendX5C: False ForceRefresh: False
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] === Request Data === Authority Provided? - True Scopes - https://storage.azure.com//.default Extra Query Params Keys (space separated) - ApiId - AcquireTokenForClient IsConfidentialClient - True SendX5C - False LoginHint ? False IsBrokerConfigured - False HomeAccountId - False CorrelationId - d196e687-f152-46b0-bee9-d4bbcd4454ae UserAssertion set: False LongRunningOboCacheKey set: False Region configured:
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] === Token Acquisition (ClientCredentialRequest) started: Scopes: https://storage.azure.com//.default Authority Host: login.microsoftonline.com
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] [Region discovery] Not using a regional authority.
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] Skipping Instance discovery for Aad authority because it is not enabled.
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:08:02Z - d196e687-f152-46b0-bee9-d4bbcd4454ae] Fetched access token from host login.microsoftonline.com.
ManagedIdentityCredential.GetToken invoked. Scopes: [ https://storage.azure.com//.default ] ParentRequestId: 8755a181-7153-469f-82a8-3e8d354f56f9
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] MSAL MSAL.NetCore with assembly version '4.61.3.0'. CorrelationId(66d07183-a899-497d-8435-ea84f6ce7862)
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] === AcquireTokenForClientParameters === SendX5C: False ForceRefresh: False
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] === Request Data === Authority Provided? - True Scopes - https://storage.azure.com//.default Extra Query Params Keys (space separated) - ApiId - AcquireTokenForClient IsConfidentialClient - True SendX5C - False LoginHint ? False IsBrokerConfigured - False HomeAccountId - False CorrelationId - 66d07183-a899-497d-8435-ea84f6ce7862 UserAssertion set: False LongRunningOboCacheKey set: False Region configured:
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] === Token Acquisition (ClientCredentialRequest) started: Scopes: https://storage.azure.com//.default Authority Host: login.microsoftonline.com
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] [Region discovery] Not using a regional authority.
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] [Instance Discovery] Skipping Instance discovery because it is disabled.
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] [ClientCredentialRequest] Acquiring a token from the token provider.
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] Checking client info returned from the server..
False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.6 Microsoft Windows 10.0.20348 [2024-08-01 13:14:32Z - 66d07183-a899-497d-8435-ea84f6ce7862] Saving token response to cache..

Expected behavior

Managed Identity credential consistently works on App Service

Actual behavior

Managed Identity disconnects and fails to make calls to blob gateway

Reproduction Steps

services.AddAzureClients(x =>
{
    if (EnvironmentEx.IsOffline)
    {
        x.AddBlobServiceClient("UseDevelopmentStorage=true");
    }
    else
    {
        x.AddBlobServiceClient(new Uri(config["ApplicationConfiguration:BlobUrl"] ?? throw new Exception("BlobUrl is missing")));
        x.UseCredential(EnvironmentEx.IsDevelopment ? new AzureCliCredential() : new ManagedIdentityCredential());
    }
});

Environment

No response
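The registration in the report wires up ManagedIdentityCredential but records nothing about what each GetToken call returns, which is why the thread has no evidence of the "bad token" beyond a hung app. The following is an added example, not code from the issue or from the Azure SDK: a hypothetical LoggingTokenCredential decorator that logs scopes, acquisition time and ExpiresOn (never the token value) for every call, a console listener for the Azure SDK's own EventSource traces, and a per-attempt network timeout so a wedged request fails loudly instead of hanging. The class and method names, the 5-minute remaining-lifetime threshold and the 30-second timeout are assumptions for illustration; the Azure.Core, Azure.Identity and Microsoft.Extensions.Azure APIs it calls are real.

```csharp
using System;
using System.Diagnostics;
using System.Diagnostics.Tracing;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Microsoft.Extensions.Azure;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical decorator (not part of Azure.Identity): wraps any TokenCredential
// and records what each GetToken call returns or throws, so a "bad token" is an
// observable log event rather than something inferred from a hung request.
public sealed class LoggingTokenCredential : TokenCredential
{
    private readonly TokenCredential _inner;
    private readonly ILogger _log;
    // Assumed threshold: tokens the SDK hands out normally have hours of lifetime
    // left; anything under this suggests the cached refresh path is not working.
    private static readonly TimeSpan MinimumRemainingLifetime = TimeSpan.FromMinutes(5);

    public LoggingTokenCredential(TokenCredential inner, ILogger log)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _log = log ?? throw new ArgumentNullException(nameof(log));
    }

    public override AccessToken GetToken(TokenRequestContext context, CancellationToken cancellationToken)
    {
        var sw = Stopwatch.StartNew();
        try
        {
            var token = _inner.GetToken(context, cancellationToken);
            Record(context, token, sw.Elapsed);
            return token;
        }
        catch (Exception ex)
        {
            _log.LogError(ex, "GetToken failed for {Scopes} after {Elapsed}", string.Join(" ", context.Scopes), sw.Elapsed);
            throw;
        }
    }

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext context, CancellationToken cancellationToken)
    {
        var sw = Stopwatch.StartNew();
        try
        {
            var token = await _inner.GetTokenAsync(context, cancellationToken).ConfigureAwait(false);
            Record(context, token, sw.Elapsed);
            return token;
        }
        catch (Exception ex)
        {
            _log.LogError(ex, "GetTokenAsync failed for {Scopes} after {Elapsed}", string.Join(" ", context.Scopes), sw.Elapsed);
            throw;
        }
    }

    private void Record(TokenRequestContext context, AccessToken token, TimeSpan elapsed)
    {
        var scopes = string.Join(" ", context.Scopes);
        var remaining = token.ExpiresOn - DateTimeOffset.UtcNow;
        // Never log the token value itself; ExpiresOn and timing are enough to diagnose.
        if (remaining < MinimumRemainingLifetime)
            _log.LogWarning("Token for {Scopes} has only {Remaining} left (acquired in {Elapsed}); refresh may be stuck", scopes, remaining, elapsed);
        else
            _log.LogInformation("Token for {Scopes} acquired in {Elapsed}, expires {ExpiresOn:o}", scopes, elapsed, token.ExpiresOn);
    }
}

public static class BlobClientRegistration
{
    // Keep the listener referenced for the process lifetime; disposing it stops the log flow.
    private static AzureEventSourceListener? _sdkLogListener;

    public static void Register(IServiceCollection services, Uri blobUrl, bool isDevelopment)
    {
        // Forward Azure SDK EventSource traces (Azure.Identity and Azure.Core) to the console so
        // the ManagedIdentityCredential/MSAL lines quoted in the report are captured without a restart.
        _sdkLogListener ??= AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);

        services.AddAzureClients(x =>
        {
            x.AddBlobServiceClient(blobUrl)
             // Assumed timeout: bound every HTTP attempt so a wedged token refresh or connection
             // surfaces as an exception instead of hanging the Blazor Server circuit indefinitely.
             .ConfigureOptions(o => o.Retry.NetworkTimeout = TimeSpan.FromSeconds(30));

            x.UseCredential(sp => new LoggingTokenCredential(
                isDevelopment ? new AzureCliCredential() : new ManagedIdentityCredential(),
                sp.GetRequiredService<ILoggerFactory>().CreateLogger<LoggingTokenCredential>()));
        });
    }
}
```

With this in place the next occurrence answers the maintainer's question directly: either the log shows GetToken throwing (credential or IMDS endpoint problem), a token with an implausibly short remaining lifetime (cache/refresh problem), or a healthy token followed by a storage request that times out (network or service problem). The timeout is a containment measure for the hang, not a fix for its cause.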

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 1, 2024

github-actions bot commented Aug 1, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

christothes (Member) commented

Hi @garrettlondon1

> but somewhere in the middle when the application is running, Managed Identity fails and gets a bad token.

What error or logging are you seeing that indicates that the managed identity is failing and that a bad token is received?

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Aug 16, 2024
github-actions bot commented Aug 16, 2024

Hi @garrettlondon1. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Aug 16, 2024
garrettlondon1 (Author) commented

Hey @christothes, I apologize, I do not have any errors or logs indicating specifically that managed identity is failing and a bad token is received.

All resources from blob storage cannot be loaded, and when the App Service is restarted, everything works again instantly. I've reproduced it probably 5+ times.

I know for certain that the App service has access to the storage account because the same storage account hosts the zip file which powers the app service deployment via private endpoint

This is on an "always on" app service, blazor server monolith, using the absolute default managed identity setup

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Aug 17, 2024
christothes (Member) commented

Does your service hang or does it continue to be responsive after the problem? Is the request to storage still occurring after the problem? If so, what is the response from the service?

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Aug 20, 2024
github-actions bot commented Aug 20, 2024

Hi @garrettlondon1. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Aug 20, 2024
garrettlondon1 (Author) commented

The service completely hangs, although I will say that on version 12.21.1 I have not encountered it in 6+ days.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Aug 20, 2024
christothes (Member) commented

That makes sense - I think the issue won't reproduce on 12.21.1 or later. This is due to a fix in one of its dependencies in Azure.Core that was shipped in version 1.41.0. The fix is here
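Because the fix lives in a transitive dependency (Azure.Core) rather than in the package the report names (Azure.Storage.Blobs), it is worth confirming that the process actually loaded a fixed Azure.Core, not just that the csproj was bumped. The following is an added example, not code from the issue or the Azure SDK: a hypothetical startup guard that reads the version of the Azure.Core assembly loaded into the current process and refuses to start if it is older than 1.41.0, the version the maintainer names above. The class and method names are assumptions; it relies on `Azure.Core.TokenCredential` being defined in Azure.Core and on the assembly's informational version carrying the NuGet package version, which is how the Azure SDK for .NET packages are built.

```csharp
using System;
using System.Reflection;
using Azure.Core;

// Hypothetical startup guard (not part of the Azure SDK): confirm that the Azure.Core
// assembly resolved at runtime is at least the version carrying the fix, regardless of
// what the project file appears to reference through its transitive dependencies.
public static class AzureCoreVersionGuard
{
    // Version named by the maintainer as containing the fix.
    public static readonly Version MinimumFixedVersion = new(1, 41, 0);

    public static Version LoadedAzureCoreVersion()
    {
        // TokenCredential is defined in Azure.Core, so its assembly is the one we care about.
        var asm = typeof(TokenCredential).Assembly;

        // The informational version carries the NuGet package version (e.g. "1.41.0+<commit>");
        // strip any build metadata or prerelease suffix before parsing.
        var info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
        if (info is not null)
        {
            var core = info.Split('+', '-')[0];
            if (Version.TryParse(core, out var parsed))
                return parsed;
        }

        // Fall back to the assembly version if the attribute is missing.
        return asm.GetName().Version ?? new Version(0, 0, 0);
    }

    public static bool IsFixed() => LoadedAzureCoreVersion() >= MinimumFixedVersion;

    // Call once at startup (for example before services.AddAzureClients) so a stale
    // transitive Azure.Core fails fast at deploy time instead of hanging days later.
    public static void EnsureFixed()
    {
        var loaded = LoadedAzureCoreVersion();
        if (loaded < MinimumFixedVersion)
            throw new InvalidOperationException(
                $"Azure.Core {loaded} is loaded; version {MinimumFixedVersion} or later is required.");
    }
}
```

If the guard fires even after upgrading Azure.Storage.Blobs, add an explicit PackageReference for Azure.Core at 1.41.0 or later so NuGet lifts the transitive dependency, then check the loaded version again.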

@christothes christothes added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label Aug 20, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Aug 20, 2024
github-actions bot commented Aug 20, 2024

Hi @garrettlondon1. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

github-actions bot commented

Hi @garrettlondon1, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.

@github-actions github-actions bot locked and limited conversation to collaborators Nov 25, 2024