question

0 Votes
EspenJohannessen-7963 asked SteveDown-4800 commented

Using DefaultAzureCredentials on console app in development environment

We are having issues when developing code that uses the DefaultAzureCredential class to connect to storage account blobs, among other Azure services, from our local machines.

It works fine when deployed to Azure, but on our local machines in our development environment a call like this...

 BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageAccountUrl), new DefaultAzureCredential());

...just hangs and eventually times out with an exception saying

{"ManagedIdentityCredential authentication failed."} with a 504 error

I know this credential uses a prioritized "pecking order" to try different credentials (https://docs.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme), so we tried disabling the first two in the chain. This made things work and we were able to log in:

 var credentialOptions = new DefaultAzureCredentialOptions();
 // string.Equals tolerates a missing app setting (null) instead of throwing a NullReferenceException
 if (string.Equals(ConfigurationManager.AppSettings["IsDevelopmentEnvironment"], "true", StringComparison.OrdinalIgnoreCase))
 {
     // Skip the first two credentials in the chain so the local run never probes IMDS
     credentialOptions.ExcludeEnvironmentCredential = true;
     credentialOptions.ExcludeManagedIdentityCredential = true;
 }

 BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageAccountUrl), new DefaultAzureCredential(credentialOptions));


But we should not need to have code like this, and this will prevent the app from working in Azure. This contradicts the whole point of this class.

Does anyone have insight into how we can make this work more seamlessly in our development environment?

azure-ad-libraries
· 2
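The concern in the question is that a development-only flag which excludes credentials will also exclude them when the same code ships to Azure. One way around that, shown here as an added example rather than code from the thread, is to decide the chain from the hosting environment itself and to use the ChainedTokenCredential class mentioned later in the thread. It assumes that App Service and WebJobs publish the managed identity endpoint in the IDENTITY_ENDPOINT (current hosts) or MSI_ENDPOINT (older hosts) environment variable, that Azure.Identity's VisualStudioCredential and AzureCliCredential are available in the package version in use, and the placeholder account name and MANAGED_IDENTITY_CLIENT_ID variable are mine, not the asker's.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

// Added example (not the asker's code): pick the credential chain from where the
// process is actually running, so no development-only flag can reach production.
static class CredentialFactory
{
    // Assumption: App Service / WebJobs expose the managed identity endpoint through
    // IDENTITY_ENDPOINT (newer hosts) or MSI_ENDPOINT (older hosts). Neither exists on a
    // developer machine, so the IMDS probe to 169.254.169.254 is never attempted there.
    static bool HostHasManagedIdentity() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")) ||
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("MSI_ENDPOINT"));

    public static TokenCredential Create(string userAssignedClientId = null)
    {
        if (HostHasManagedIdentity())
        {
            // In Azure only the managed identity is tried: a missing role assignment
            // surfaces as a clear failure instead of a silent fall-through to another credential.
            return userAssignedClientId == null
                ? new ManagedIdentityCredential()
                : new ManagedIdentityCredential(userAssignedClientId);
        }

        // Locally, use the developer's own sign-in; the list order is the fallback order.
        return new ChainedTokenCredential(
            new VisualStudioCredential(),
            new AzureCliCredential());
    }
}

static class Program
{
    static void Main()
    {
        // Placeholder values (assumed): replace with your own storage account URL, and set
        // MANAGED_IDENTITY_CLIENT_ID in App Service when a user-assigned identity is used.
        string storageAccountUrl = "https://STORAGE-ACCOUNT-NAME.blob.core.windows.net";
        string userAssignedClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");

        var client = new BlobServiceClient(new Uri(storageAccountUrl),
                                           CredentialFactory.Create(userAssignedClientId));

        // Listing containers is enough to prove the token was obtained and authorized.
        foreach (var container in client.GetBlobContainers())
            Console.WriteLine(container.Name);
    }
}
```

The local branch deliberately omits EnvironmentCredential and ManagedIdentityCredential, which are the two the question found it necessary to exclude, while the Azure branch never consults a developer credential, so neither environment depends on an app setting being correct.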

Hello @espenjohannessen-7963, please collect a Fiddler trace to see what endpoint is timing out and share it here.

1 Vote 1 ·

Are there any updates to this question? I'm encountering it now, some 8 months later.

0 Votes 0 ·

1 Answer

0 Votes
EspenJohannessen-7963 answered alfredorevilla-msft commented

anonymous user-msft I see in Fiddler that there are four requests like the one below going out before the code gives up and throws an exception:

 GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fxxx-xxxx-xxxxx.azconfig.io HTTP/1.1
 Metadata: true
 x-ms-client-request-id: 6700f178-af2e-4792-9a2f-5f43c382c216
 x-ms-return-client-request-id: true
 User-Agent: azsdk-net-Identity/1.1.1 (.NET Framework 4.8.4250.0; Microsoft Windows 10.0.19041 )
 Request-Id: |ce277704-41db6514f91cf479.
 Host: 169.254.169.254
 Connection: Keep-Alive

The response is:

 <html><head><title>504 Gateway Timeout</title></head>
 <body><h1>Gateway Timeout</h1>
 <p>Server error - server 169.254.169.254 is unreachable at this moment.<br><br>Please retry the request or contact your administrator.<br></p>
 <!--Zscaler/6.0--></body></html>

When running the code with the workaround explained above I only see calls to login.microsoft.com.

· 5
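The trace above is the key evidence: the request to 169.254.169.254 is not failing fast, it is being answered by a Zscaler proxy with a 504 page after a delay, which is what turns Azure.Identity's quick IMDS availability check into a long hang. The probe below is an added diagnostic, not code from the thread; it sends the same request once through the system proxy and once bypassing it, with a short timeout, so a developer can confirm locally whether a proxy is intercepting the link-local address. The resource value is an example, and the "Gateway Timeout" text match is an assumption based on the response quoted in this answer.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Added diagnostic (not code from the thread): call the IMDS token endpoint directly,
// once via the system proxy and once without it. Off Azure, a direct request should fail
// fast (169.254.169.254 is unreachable); a slow 504 page means a proxy is swallowing it.
static class ImdsProbe
{
    // Same endpoint as the Fiddler trace; the resource here is an example value.
    const string ImdsUrl =
        "http://169.254.169.254/metadata/identity/oauth2/token" +
        "?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F";

    static string Label(bool useProxy) => useProxy ? "via proxy " : "direct    ";
    static string Elapsed(DateTime started) => $"{(DateTime.UtcNow - started).TotalSeconds:F1}s";

    public static async Task<string> ProbeAsync(bool useProxy)
    {
        var handler = new HttpClientHandler { UseProxy = useProxy };
        using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(3) })
        using (var request = new HttpRequestMessage(HttpMethod.Get, ImdsUrl))
        {
            request.Headers.Add("Metadata", "true");   // IMDS rejects requests without it
            var started = DateTime.UtcNow;
            try
            {
                using (var response = await client.SendAsync(request))
                {
                    string body = await response.Content.ReadAsStringAsync();
                    // Assumption: the proxy error page carries the same title as the one
                    // quoted in this answer; a real IMDS answer is JSON, never this HTML.
                    bool proxyPage = body.IndexOf("Gateway Timeout", StringComparison.OrdinalIgnoreCase) >= 0;
                    string verdict = proxyPage
                        ? "proxy error page (IMDS request is being intercepted)"
                        : $"HTTP {(int)response.StatusCode} from the endpoint";
                    return $"{Label(useProxy)}: {verdict} after {Elapsed(started)}";
                }
            }
            catch (TaskCanceledException)
            {
                // HttpClient reports its own timeout as a cancellation.
                return $"{Label(useProxy)}: timed out after {Elapsed(started)}";
            }
            catch (HttpRequestException ex)
            {
                // Expected on a developer machine: the link-local address has no route.
                return $"{Label(useProxy)}: unreachable after {Elapsed(started)} ({ex.Message})";
            }
        }
    }

    static async Task Main()
    {
        Console.WriteLine(await ProbeAsync(useProxy: true));
        Console.WriteLine(await ProbeAsync(useProxy: false));
    }
}
```

If the proxied call returns the error page (or times out) while the direct call fails immediately, the fix belongs in the proxy configuration rather than in the application: excluding 169.254.169.254 from the proxy on developer machines lets the credential chain discover within a second that no managed identity is present and move on to the next credential.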

@espenjohannessen-7963 what resource is your code running on? Has managed identity been enabled?

0 Votes 0 ·

My code is running on a .NET 4.8 console app as a webjob.

If I use:

 new ManagedIdentityCredential("xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxx")

...when creating the blob client, everything works fine in Azure (but of course not in dev locally). The call above then contains the client id of the managed identity that the app service is configured with under Identity -> User Assigned. This identity of course has access to blob storage and the other resources it accesses.

I see there is an option to define a ChainedTokenCredential. I can try whether this works better.

0 Votes 0 ·

Have you tried with the parameterless constructor? new ManagedIdentityCredential(). This should not have anything to do with the 504 but just in case. In the meantime I will reach the product team and ask them about what may be causing this.

1 Vote 1 ·