Reputation: 675
Based on the documentation given here. When using DefaultAzureCredential() it will check for environment variables, then ManagedIdentity, and so on. In my test, I have deployed an AKS cluster with a system Managed Service Identity. I have deployed a C# application that tries to connect to Key Vault from the application using the code below:
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
var keyClient = new KeyClient(vaultUri: new Uri(keyVaultUrl),
    credential: new DefaultAzureCredential(includeInteractiveCredentials: true));
Response<KeyVaultKey> response = keyClient.GetKey("somekey"); // throws if no credential in the chain yields a token
On deploying my application to the AKS cluster, it fails with the error below:
Unhandled exception. Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
Content:
{"error":"invalid_request","error_description":"Identity not found"}
Based on the documentation, my application should have picked up the managed identity from the AKS cluster and been able to connect to Key Vault to fetch the values. But for some reason it's throwing this error. Could someone please guide me if I'm missing something?
Upvotes: 2
Views: 4210
Reputation: 3569
The managed identity used to create the AKS cluster is for the control plane and not your worker nodes or applications. The control plane uses that managed identity to create requested cloud resources like load balancers, scale sets, routes, and others. If you want your applications to use a managed identity, the recommended approach is to deploy aad-pod-identities, which gives you an app-level authorization scheme. Alternatively, you can also enable managed identity for the VMSS-based node pools. In the latter case, Azure will create a new system managed identity for the node pool with the same name, and you can use that to establish authorization between Key Vault or other services.
Upvotes: 5
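As an added example (not the asker's code and not from the answer above), this is how the application side can be pointed at the identity that is actually attached to the node pool or bound to the pod, and how the two distinct failure modes (no identity at all vs. an identity without Key Vault rights) can be told apart. The vault URL, the AZURE_CLIENT_ID variable and the key name are placeholders/assumptions.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

// Added example; not code from the question or the answer. Assumes a managed
// identity is attached to the node pool (or bound to the pod via aad-pod-identity)
// and has been granted the "get" key permission on the vault. Placeholders below.
const string keyVaultUrl = "https://<your-vault-name>.vault.azure.net/";

// Client id of the identity the pod should use. With a single system-assigned
// identity on the node pool this can stay null (IMDS returns that identity);
// a user-assigned identity must be named, here or via AZURE_CLIENT_ID.
string? managedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

var options = new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = managedIdentityClientId,
    // Inside a cluster there is no browser, IDE or az login to fall back on, so
    // limit the chain to the credentials that can actually succeed there.
    ExcludeInteractiveBrowserCredential = true,
    ExcludeVisualStudioCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeAzureCliCredential = true,
    ExcludeSharedTokenCacheCredential = true,
};

var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential(options));

try
{
    Response<KeyVaultKey> response = keyClient.GetKey("somekey");
    Console.WriteLine($"Fetched key {response.Value.Name}, version {response.Value.Properties.Version}");
}
catch (AuthenticationFailedException ex)
{
    // "Identity not found" from IMDS means no managed identity is attached to the
    // node the pod landed on: fix the node pool / pod identity, not the app code.
    Console.Error.WriteLine($"Token acquisition failed: {ex.Message}");
}
catch (RequestFailedException ex) when (ex.Status == 403)
{
    // A token was issued, but the identity has no access policy / RBAC role on the vault.
    Console.Error.WriteLine($"Identity authenticated but not authorized: {ex.ErrorCode}");
}
```

The first catch corresponds to the 400 "Identity not found" in the question; once an identity is attached, a 403 here points at the vault's access policy rather than at AKS.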