question

0 Votes
Lior-0342 asked ArpitJain-5860 commented

ManagedIdentityCredential authentication unavailable, no managed identity endpoint found

I'm trying to allow an app service (Python web app) to get secrets from Azure Key Vault without the usage of hardcoded client id/secrets, therefore I'm trying to use ManagedIdentity.

I have enabled system & user assigned functions in my service app
I have created a policy in vault where the service app is granted access to the secrets

code:

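 from azure.identity import ManagedIdentityCredential
 from azure.keyvault.secrets import SecretClient
 # VAULT_URL is defined elsewhere in the app
 credentials_object = ManagedIdentityCredential()
 client = SecretClient(vault_url=VAULT_URL, credential=credentials_object)
 value = client.get_secret('MYKEY').value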


error (when app is deployed and when running locally):
azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.

What am I missing? Thank you!


azure-managed-identity
· 1

Hi,
I am also facing a similar error and have not found any solution.
Source: Batch pool.
I am trying to connect to Azure Key Vault using a batch pool.
It was successful using a service principal, but when using managed identity it's failing.
Error:

====
ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/azure/identity/_credentials/imds.py", line 97, in _request_token
    token = self._client.request_token(*scopes, headers={"Metadata": "true"})
  File "/usr/local/lib/python3.6/site-packages/azure/identity/_internal/managed_identity_client.py", line 126, in request_token
    token = self._process_response(response, request_time)
  File "/usr/local/lib/python3.6/site-packages/azure/identity/_internal/managed_identity_client.py", line 68, in _process_response
    message='Unexpected response "{}"'.format(content), response=response.http_response
azure.core.exceptions.ClientAuthenticationError: Unexpected response "{'error': 'invalid_request', 'error_description': 'Identity not found'}"
Content: {"error":"invalid_request","error_description":"Identity not found"}
===========



0 Votes 0 ·
2 Votes
SaurabhSharma-msft answered SaurabhSharma-msft edited

Hi @lior-0342,

Thanks for using Microsoft Q&A !!
If you are running from your local development environment, then the code tries to access Azure Key Vault using the developer context and not the managed identity (which is available in Azure), and thus you are getting this error, as you need to grant yourself (or the user you are using to access the key vault) permissions to access the key vault to test in your local environment.
Please try running the same after deploying it to Azure App Service. You can also refer to this Python sample to get the steps to test your code in your local environment without using managed identity. This code uses the function get_key_vault_credentials to use the environment variables if MSI authentication is unsuccessful.

Please let me know if you have any other questions.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Thanks
Saurabh

· 5

Hey, thank you for answering!

Indeed I tried deploying and running it, it did not work, and I got this error.

I'm trying to understand if ManagedIdentityCredential() is all I need, or if the usage of another package is required?

Moreover, I did not test it locally with env variables, but with hard coded variables (client Id, secret, tenant) and it worked.
Of course, in prod I don't want to use these variables, hard coded or as env variables :) therefore I'm trying to use ManagedIdentity.

Thanks for your help,
Lior

0 Votes 0 ·

@lior-0342 yeah makes sense. I am checking on the same if any other package is required.

0 Votes 0 ·

I am facing the same issue after deploying to Azure @SaurabhSharma-msft. Please advise.

0 Votes 0 ·

Hi, Saurabh.

I'm having a similar issue that may be related to this one.

My App Service uses a custom Docker container. If I specify a single container from the App Service | Deployment Center, the IDENTITY_ENDPOINT, IDENTITY_HEADER, MSI_ENDPOINT and MSI_SECRET are all properly inserted into my app's environmental variables.

However, if I specify Docker-Compose (Preview) from the App Service | Deployment Center, with the same Docker image specified in the compose file, then the managed identity environmental variables are not inserted into my app's environmental variables.

In both cases, Kudu Environment shows the following:

IDENTITY_ENDPOINT = [Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_HEADER = [same as above]
MSI_ENDPOINT = [same as above]
MSI_SECRET = [same as above]

But using Docker-Compose is somehow preventing them from actually being set within the container.

Jerome

0 Votes 0 ·

Hi, any advice?
I have the same issue when making a Docker Compose multicontainer app with .NET Core 3.1


0 Votes 0 ·
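The check described in the Docker-Compose comment above, as an added example that is not part of the original thread: it reports which of the four managed identity variables named there are visible to the running process, without printing their values, and refuses to call Key Vault when none are. The function names, the `source` labels and the rule that a usable endpoint means a complete IDENTITY_* or MSI_* pair are assumptions of this example, not the azure-identity library's own logic; hosts that get tokens from IMDS, like the Batch pool in the first comment, are outside its scope.

```python
import os

# Variable names quoted in the thread (App Service / Kudu environment page).
IDENTITY_PAIR = ("IDENTITY_ENDPOINT", "IDENTITY_HEADER")
MSI_PAIR = ("MSI_ENDPOINT", "MSI_SECRET")


def diagnose_managed_identity(env=None):
    """Report which endpoint variables this process sees (presence only, never values)."""
    env = os.environ if env is None else env
    present = {name: bool(env.get(name)) for name in IDENTITY_PAIR + MSI_PAIR}
    if all(present[n] for n in IDENTITY_PAIR):
        source = "identity-pair"
    elif all(present[n] for n in MSI_PAIR):
        source = "msi-pair"
    elif any(present.values()):
        source = "partial"      # one half of a pair is set, the other is not
    else:
        source = "none"         # e.g. a laptop, or a container not given the variables
    missing = sorted(n for n, ok in present.items() if not ok)
    return {"source": source, "missing": missing}


def get_secret(vault_url, name, env=None):
    """App Service only: read a secret via managed identity, failing early with a reason."""
    report = diagnose_managed_identity(env)
    if report["source"] in ("none", "partial"):
        raise RuntimeError("managed identity endpoint not visible; missing: "
                           + ", ".join(report["missing"]))
    # Imported here so the diagnostic above runs without the Azure SDK installed.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())
    return client.get_secret(name).value


if __name__ == "__main__":
    # Constructed sample environments; the values are placeholders, not real endpoints.
    samples = {
        "local machine": {},
        "single container": {"IDENTITY_ENDPOINT": "http://placeholder", "IDENTITY_HEADER": "x"},
        "half configured": {"MSI_ENDPOINT": "http://placeholder"},
    }
    for label, sample in samples.items():
        print(label, diagnose_managed_identity(sample))
    print("this process", diagnose_managed_identity())
```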
1 Vote
Lior-0342 answered

I'm still trying to figure it out. It looks like everything is set up correctly and still I get "ManagedIdentityCredential authentication unavailable, no managed identity endpoint found"

@SaurabhSharma-msft and @VigneshRajaram-0068 - please let me know if you figure this out

Thanks!


0 Votes
SachinYaduwanshi-9560 answered SaurabhSharma-msft commented

I am trying to access a storage blob from an Azure function using a user-managed identity. I have followed the exact same steps mentioned in "https://www.youtube.com/watch?v=vYUKC0mZFqI".

When I try to debug locally I get the error below. I have signed in to Visual Studio and I have admin access to the resources.

DefaultAzureCredential failed to retrieve a token from the included credentials.
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
- ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
- Process "C:\Program Files\Microsoft Visual Studio\2022\Preview\Common7\IDE\Extensions\3fhsnrhg.f0v\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, Could not load file or assembly 'Microsoft.VisualStudio.Validation, Version=16.8.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040).
- Stored credentials not found. Need to authenticate user in VSCode Azure Account.
- Azure CLI not installed
- PowerShell is not installed.

· 1

@SachinYaduwanshi-9560 Please check your developer environment. You need to make sure you are logged in to Visual Studio with an account that has the proper rights within Azure, as the local environment will not have your user managed identity.

Thanks
Saurabh

0 Votes 0 ·