Reputation: 864
Azure Managed Identity Token couldn't produce from local
This is a continuation of the ticket Restrict Access with Azure Managed Identity in .NET Core Web API where I configured a .NET Core Web API to secured with user-assigned Azurre Managed Identity. This Web API has been deployed as https://epd-api.azurewebsites.net.
Now I have a locally running/debugging .NET Core WebApp trying to access the managed identity token for above azue deployed Web API as below.
string userAssignedClientId = "<<managed-identity clientid>>";
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId=userAssignedClientId });
var accessToken = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://epd-api.azurewebsites.net/.default" }));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken.Token);
It's breaking at line 'credential.GetTokenAsync()' with below exceptionn message.
AuthenticationFailedException: Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot ERROR: The command failed with an unexpected error. Here is the traceback: ERROR: Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://epd-api.azurewebsites.net was not found in the tenant named DXC Production. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b537e8c2-c1a8-44ff-a363-d162cd15e101\r\nCorrelation ID: 507df083-138c-4848-b446-40631732a181\r\nTimestamp: 2022-09-13 06:52:22Z","error_codes":[500011],"timestamp":"2022-09-13 06:52:22Z","trace_id":"b537e8c2-c1a8-44ff-a363-d162cd15e101","correlation_id":"507df083-138c-4848-b446-40631732a181","error_uri":"https://login.microsoftonline.com/error?code=500011"} Traceback (most recent call last):
Once I deployed my Web APP in Azure, the error message is different as below.
Connection ID "15636497907840976997", Request ID "80000866-0000-d900-b63f-84710c7967bb": An unhandled exception was thrown by the application.
Exception: Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error)
Content:
Headers: Date: Tue, 13 Sep 2022 07:39:11 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 500 (Internal Server Error)
Content:
Headers: Date: Tue, 13 Sep 2022 07:39:11 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8
at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage) at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at ManagedIdentityWeb.Pages.IndexModel.OnGetAsync() in C:\Users\jmathews4\Source\Repos\ManagedIdentityAPI\ManagedIdentityWeb\Pages\Index.cshtml.cs:line 36 at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.NonGenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync() at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope) at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT`1.ProcessRequestAsync()
Any clue here for troubleshoot?
Upvotes: 1
Views: 1423
Answers (1)
Reputation: 58733
It's trying to use the AZ CLI there and its refresh token has expired. Run az login again in the command line and try again.
Upvotes: 1
Related Questions
- How to debug Bearer error="invalid_token"
- Managed service identity must be configured to use authentication-token policy
- ASP.Net WebApi Key Vault configBuilders fail to process
- Azure managed identity error - Could not find identity for access token
- azure .net core app with IS4: web api call fails with "Bearer error=invalid_token The issuer is invalid"
- Error when trying to get token using Managed Service Identity in a multi-container azure web app service
- Invalid Signature when generate bearer token
- .NetCore API fails to get token from Azure CLI using MSI
- Bearer error="invalid_token", error_description="The signature is invalid"
- IdentityServer4 invalid_token "The issuer is invalid" on Azure, working on localhost