Carpentweet

Reputation: 349

Managed service identity must be configured to use authentication-token policy

I'm trying to get my backend API to authenticate that requests are from Azure APIM using managed identities; previously this was done with certificate authentication, but for various reasons I'm looking to change that.

When I make requests to the APIM, I get the following error in application insights.

Managed service identity must be configured to use authentication-token policy.

In the backend I'm using Owin's Windows Azure Active Directory Bearer Authentication.

// Owin JWT bearer middleware for Azure AD; the tenant and expected audience are
// the values from the question.
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = "https://tennant.co.uk/AzureADDAuth",
        TokenValidationParameters = new TokenValidationParameters
        {
            // The "aud" claim of the incoming token must match this value.
            ValidAudience = "11111111-1111-1111-1111-111111111111"
        },
    });

In the APIM the inbound policy is as follows

<authentication-managed-identity resource="https://tennant.co.uk/AzureAADAuth" client-id="11111111-1111-1111-1111-111111111111" output-token-variable-name="msi-access-token" ignore-error="false" />
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
</set-header>

I find the error message quite vague, though, and I've not found any help online, so I'm not sure what I need to do to set up this configuration. I've looked through several docs and blog posts on this topic and can't find anything about what to change in the Azure Active Directory. If you could point me in the right direction I'd appreciate it.

Upvotes: 2

Views: 3031

Answers (2)

sukhi

Reputation: 11

What you did is just a workaround. You changed from a user-assigned managed identity to a system-assigned managed identity. If you would rather make it work with a user-assigned managed identity, you would need to:

  1. Go to api management service on azure portal.
  2. Click on "Managed identities" tab under security settings on left pane.
  3. It will show you system assigned and user assigned managed identity you have currently configured for this api management service.
  4. Go to the user assigned tab and add the identity which is giving you the error (the one corresponding to client-id="11111111-1111-1111-1111-111111111111" from your example code).

Upvotes: 1

Carpentweet

Reputation: 349

I fixed this by removing the client id from the APIM inbound policy.

Upvotes: 2
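As an added example (not code from the question or either answer), here is a backend configuration that goes one step beyond the audience check in the question: once APIM is sending a managed-identity token, the API can also verify that the token was issued to that specific identity, since otherwise any principal in the tenant that can obtain a token for the same resource would be accepted. It assumes Microsoft.Owin.Security.ActiveDirectory 4.x (Microsoft.IdentityModel.Tokens), a placeholder tenant ID, and the APIM identity's client ID from the question.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;             // TokenValidationParameters (Owin 4.x)
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Assumed values: placeholder tenant ID, and the client ID of the APIM managed
    // identity (the user-assigned one from the question, or the client ID of the
    // system-assigned identity after the fix above).
    private const string TenantId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private const string ApimIdentityClientId = "11111111-1111-1111-1111-111111111111";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = TenantId,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept either the App ID URI requested in the APIM policy or the
                    // app ID itself, depending on how the "aud" claim is issued.
                    ValidAudiences = new[] { "https://tennant.co.uk/AzureAADAuth", ApimIdentityClientId },
                    ValidateIssuer = true,
                    ValidIssuer = $"https://sts.windows.net/{TenantId}/", // v1 token issuer format
                },
                Provider = new OAuthBearerAuthenticationProvider
                {
                    OnValidateIdentity = ValidateCallerIsApim
                }
            });
    }

    // Reject any token that is not issued to the APIM managed identity, even when the
    // audience and issuer are valid. v1 tokens carry the caller's app ID in "appid",
    // v2 tokens in "azp"; both are checked.
    private static Task ValidateCallerIsApim(OAuthValidateIdentityContext ctx)
    {
        var identity = ctx.Ticket?.Identity;
        var callerAppId = identity?.FindFirst("appid")?.Value
                          ?? identity?.FindFirst("azp")?.Value;
        if (!string.Equals(callerAppId, ApimIdentityClientId, StringComparison.OrdinalIgnoreCase))
        {
            ctx.Rejected(); // token came from some other principal in the tenant
        }
        return Task.FromResult(0);
    }
}
```

A rejected token results in a 401 from the middleware, which is the signal to look for in Application Insights when checking which identity APIM is actually presenting.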
