Reputation: 61
We have C# code which is used to retrieve a blob from a storage account. The authentication is done using a user-assigned service principal. This worked until December, but now we are getting a weird error as follows.
ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
Content:
{"error":"invalid_request","error_description":"Identity not found"}
The managed identity has storage data blob contributor access in the storage account.
Attaching the code for reference:
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

public static async Task<string> GetBlobAsync()
{
    string storageName = "storage account name";
    Uri blobUri = new Uri("blob uri");
    // User-assigned managed identity, selected by its client ID
    TokenCredential cred = new ManagedIdentityCredential("client id");
    var blobClient = new BlobClient(blobUri, cred, null);
    try
    {
        var downloadInfo = await blobClient.DownloadAsync();
        using (TextReader reader = new StreamReader(downloadInfo.Value.Content))
        {
            string metadataBlob = await reader.ReadToEndAsync();
            return metadataBlob;
        }
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
        Console.WriteLine("");
        return null;
    }
}
P.S.: the three environment variables (app ID, app secret and tenant ID) are correct.
I have been stuck here for almost a month. Nothing works.
Upvotes: 0
Views: 2122
Reputation: 151
Try this
Uri blobUri = new Uri("blob uri");
var cred = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions {
        ManagedIdentityClientId = "your client id" });
var blobClient = new BlobClient(blobUri, cred, null);
ref: https://learn.microsoft.com/pt-br/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
Assign the RBAC role "Storage Blob Data Contributor" on your storage resource.
Add the key AZURE_CLIENT_ID (client ID of the identity that was created) to the App Service environment.
Code to access the blob (you don't need to specify the client ID in the code because it will use the AZURE_CLIENT_ID configured in the App Service):
app.MapGet("/read", async () =>
{
    Uri blobUri = new Uri("https://xxxx.blob.core.windows.net/texts/text.txt");
    // No client ID passed here: DefaultAzureCredential reads AZURE_CLIENT_ID from the environment
    var cred = new DefaultAzureCredential();
    var blobClient = new BlobClient(blobUri, cred, null);
    var downloadInfo = await blobClient.DownloadAsync();
    using (TextReader reader = new StreamReader(downloadInfo.Value.Content))
    {
        string metadataBlob = await reader.ReadToEndAsync();
        return metadataBlob;
    }
});
Upvotes: 0
Reputation: 44
This document demonstrates how to use managed identity to access App Configuration from App Service, but you can replace the App Service with any other Azure services that support managed identity. https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity
Here are a few things I'd like to call out:
Make sure the managed identity is enabled in the Azure service where your application runs. When you are using a system-assigned managed identity, you don't need to provide the client ID. You only need to provide the client ID when you use a user-assigned managed identity.
Make sure the managed identity is granted either the App Configuration Data Reader or the App Configuration Data Owner role in the access control of your App Configuration instance. Wait for at least 15 minutes after the role assignment for the permission to propagate.
Managed identity can ONLY work when your code is running in the Azure service. It will NOT work when running locally.
Upvotes: 0
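The two answers point at different failure modes: the "Identity not found" error in the question means the token request itself fails (the identity is not enabled on, or not assigned to, the compute resource running the code), while a missing or not-yet-propagated role assignment shows up later as a 403 from Storage. The following is an added example, not code from the question or either answer, that keeps those two cases apart: it asks the credential for a Storage token first, and only then touches the blob. It assumes the Azure.Identity and Azure.Storage.Blobs NuGet packages, reads the user-assigned identity's client ID from the AZURE_CLIENT_ID variable as the first answer suggests, and uses a placeholder blob URL; the class and method names (BlobReader, BuildCredential, CheckIdentityAsync, ReadBlobAsync) are mine. Because DefaultAzureCredential is a chain, the same code also runs on a developer machine by falling back to an Azure CLI login, whereas ManagedIdentityCredential alone does not, as the second answer notes.

```csharp
// Added example (not from the question or answers). Assumes Azure.Identity and
// Azure.Storage.Blobs packages and a user-assigned identity exposed via AZURE_CLIENT_ID.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

public static class BlobReader
{
    // Scope used for every Azure Storage data-plane token request.
    private const string StorageScope = "https://storage.azure.com/.default";

    // Builds the credential chain. AZURE_CLIENT_ID is the same variable
    // DefaultAzureCredential honours on its own; reading it explicitly keeps the
    // choice visible. An empty value means "use the system-assigned identity".
    public static TokenCredential BuildCredential()
    {
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = string.IsNullOrEmpty(clientId) ? null : clientId,
            // Server code should never wait on a browser prompt (this is the default).
            ExcludeInteractiveBrowserCredential = true,
        });
    }

    // Pre-flight check: request a token before touching any blob. A failure here is
    // an identity problem (not enabled, not assigned to this resource, wrong client ID)
    // and is unrelated to any RBAC role on the storage account.
    public static async Task<string> CheckIdentityAsync(TokenCredential cred, CancellationToken ct = default)
    {
        try
        {
            AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new[] { StorageScope }), ct);
            return $"token acquired, expires {token.ExpiresOn:u}";
        }
        catch (CredentialUnavailableException ex)
        {
            // "ManagedIdentityCredential authentication unavailable" / "Identity not found"
            // arrive here: no identity is attached to the resource running this code.
            return "identity unavailable: " + ex.Message;
        }
        catch (AuthenticationFailedException ex)
        {
            // The identity exists but the token issuer rejected the request.
            return "authentication failed: " + ex.Message;
        }
    }

    // Reads the blob. A 403 with a valid token means the data-plane role
    // (Storage Blob Data Reader/Contributor) is missing or has not propagated yet.
    public static async Task<string> ReadBlobAsync(Uri blobUri, TokenCredential cred, CancellationToken ct = default)
    {
        var blobClient = new BlobClient(blobUri, cred);
        try
        {
            Response<BlobDownloadResult> result = await blobClient.DownloadContentAsync(ct);
            return result.Value.Content.ToString();
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            throw new InvalidOperationException(
                "Token was issued but Storage refused it: grant a Storage Blob Data role " +
                "to this identity on the storage account and allow time for propagation.", ex);
        }
    }

    public static async Task<int> Main()
    {
        // Placeholder URL; replace with the real blob address.
        var blobUri = new Uri("https://placeholderaccount.blob.core.windows.net/container/blob.txt");
        TokenCredential cred = BuildCredential();
        Console.WriteLine(await CheckIdentityAsync(cred));
        Console.WriteLine(await ReadBlobAsync(blobUri, cred));
        return 0;
    }
}
```

Running CheckIdentityAsync on the App Service before the blob call turns the month-long guessing game in the question into a two-step check: if the pre-flight line reports "identity unavailable", look at the resource's identity blade (and the client ID in AZURE_CLIENT_ID); if the token is acquired but ReadBlobAsync throws the 403 wrapper, look at the role assignment on the storage account and give it the propagation time the second answer mentions.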