hutchonoid

Reputation: 33306

Error when trying to get token using Managed Service Identity in a multi-container Azure web app service

We have the following scenario:

Current working setup

  1. Web API project using a single DockerFile
  2. A release pipeline with an 'Azure App Service deploy' task.

Proposed new setup

  1. Web API project using multi container Docker Compose file
  2. A release pipeline with an 'Azure Web App for Containers' task.

Upon deploying the new setup we receive the below error message:

ERROR - multi-container unit was not started successfully

Unhandled exception. System.AggregateException: One or more errors occurred. 
(Parameters: Connection String: XXX, Resource: https://vault.azure.net, Authority: 
https://login.windows.net/xxxxx. Exception Message: 
Tried to get token using Managed Service Identity. 
Access token could not be acquired. Connection refused)

The exception thrown is because it can't connect to Azure MSI (Managed Service Identity). It does this to obtain a token before connecting to key vault.

I have tried the following based upon some research and solutions others have found:

  1. Connecting with "RunAs=App" (this seems to be the default parameter-less constructor anyway)
  2. Building up the connection string myself manually by pulling the "MSI_SECRET" environment variable from the machine. This is always blank.
  3. Restarting MSI.
  4. Upgrading and downgrading AppAuthentication package

MSI appears to be configured correctly as it works perfectly with our current working setup so we can rule that out. It's worth noting that this is System assigned identity not a user assigned one.

The documentation that states which services support managed identities only mentions 'Azure Container Instances', not 'Azure Managed Container Instances', and that is for Linux/Preview too, so it may not be supported.

Services that support managed identities for Azure resources

We've spent a considerable amount of time getting to this point with the configuration and deployment and it would be great if we could resolve this last issue.

Any help appreciated.

Upvotes: 0

Views: 1024

Answers (1)

nonik

Reputation: 96

Unfortunately, there currently is no multi-container support for managed identities. The multi-container feature is in preview and so does not have all its functionality working yet.

However, the documentation you linked to is also not as clear about the supported scenarios, so I am working on getting this documentation updated to better clarify this. I can update this answer once that's done.

Upvotes: 2
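
An added example, not part of the question or the answer: a preflight check a container entrypoint could run to report whether the App Service managed identity variables reached the container, rather than failing later with a token error. The question mentions only `MSI_SECRET`; `MSI_ENDPOINT`, `IDENTITY_ENDPOINT`, `IDENTITY_HEADER` and the two API versions come from App Service's managed identity REST protocol, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which App Service managed identity variables the
# container received. Function names are hypothetical. Values are never printed.

# Prints one of: identity-endpoint, msi-endpoint, partial, missing.
msi_preflight() {
    if [ -n "${IDENTITY_ENDPOINT:-}" ] && [ -n "${IDENTITY_HEADER:-}" ]; then
        echo "identity-endpoint"; return 0
    fi
    if [ -n "${MSI_ENDPOINT:-}" ] && [ -n "${MSI_SECRET:-}" ]; then
        echo "msi-endpoint"; return 0
    fi
    # One half of a pair present (e.g. endpoint set, secret blank).
    if [ -n "${MSI_ENDPOINT:-}${MSI_SECRET:-}${IDENTITY_ENDPOINT:-}${IDENTITY_HEADER:-}" ]; then
        echo "partial"; return 2
    fi
    echo "missing"; return 1
}

# Prints the token request URL for a resource such as https://vault.azure.net.
msi_token_url() {
    state=$(msi_preflight) || true
    case "$state" in
        identity-endpoint) echo "${IDENTITY_ENDPOINT}?resource=$1&api-version=2019-08-01" ;;
        msi-endpoint)      echo "${MSI_ENDPOINT}?resource=$1&api-version=2017-09-01" ;;
        *) return 1 ;;
    esac
}

# Prints the HTTP status of a token request; curl exits non-zero on
# "connection refused". The header is fed on stdin so the secret stays out of argv.
msi_probe() {
    url=$(msi_token_url "$1") || { echo "no identity endpoint in environment" >&2; return 1; }
    case "$url" in
        *2019-08-01) header="X-IDENTITY-HEADER: ${IDENTITY_HEADER}" ;;
        *)           header="secret: ${MSI_SECRET}" ;;
    esac
    printf '%s\n' "$header" | curl -sS -o /dev/null -w '%{http_code}\n' -H @- "$url"
}

# Entrypoint usage (commented out so sourcing this file has no side effects):
# msi_preflight >&2 || echo "managed identity not available in this container" >&2
```

A result of `missing` or `partial` inside the container matches the blank `MSI_SECRET` described in the question and points at the platform rather than at the application's token code.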
