Question

Asked by RickyBansal-3687, answered by JamesTran-MSFT

Key Vault extension for Windows failure: multiple managed identities exist

Key Vault extension for Windows fails with a timeout and the error:

MSI URL: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&authority=https://login.windows.net/cdc5aeea-15c5-4db6-b079-fcadd2505dc2&resource=https://vault.azure.net
2021-09-02 11:11:55: <error> [MSIAuthClient] failed to retrieve MSI token from response: {"error":"invalid_request","error_description":"Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request"}

I have already specified the parameter msiClientId in the authenticationSettings field but it still fails with the same error.

Tags: azure-key-vault, azure-managed-identity, azure-service-fabric, azure-virtual-machines-extension

1 Answer

JamesTran-MSFT answered

@RickyBansal-3687
Thank you for your post!

When it comes to your error message, have you tried specifying the MSI using either msiClientId or msiObjectId for the extension:

         "settings": {
             "secretsManagementSettings": {
                 "pollingIntervalInS": "14400",
                 "certificateStoreName": "MY",
                 "linkOnRenewal": true,
                 "certificateStoreLocation": "LocalMachine",
                 "requireInitialSync": true,
                 "observedCertificates": [
                     "<certificate url 1>",
                     "<certificate url 2>"
                 ]
             },
             "authenticationSettings": {
                 "msiEndpoint": "http://169.254.169.254/metadata/identity",
                 "msiClientId": "<msi ClientId, e.g. c7373ae5-91c2-4165-8ab6-7381d6e75619>"
             }
         }

For more info: KV extension for windows doesn't work well if multiple MSI assigned


Additional Links:
Key Vault virtual machine extension for Windows
How to use managed identities for Azure resources on an Azure VM to acquire an access token
Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request
Multiple assigned identities issue



If you have any other questions or are still running into this issue, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
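The check and the deployment the answer describes, as an added PowerShell example that is not part of the original post or of the extension's own code. The log in the question shows the extension's token request to IMDS without any client_id query parameter, which is exactly what the "Multiple user assigned identities exist" response complains about. Test-ImdsIdentityToken runs inside the VM and repeats that request with and without client_id, so you can see which identity IMDS will actually issue a Key Vault token for; Set-KeyVaultExtensionForIdentity runs from a workstation with the Az modules, verifies the identity is attached to the VM, and writes the identity's client ID into authenticationSettings.msiClientId. One caveat worth checking when the setting "is already specified" and still fails: msiClientId takes the client (application) ID of the user-assigned identity, not its principal/object ID and not its ARM resource ID. The function names, resource group, VM name, identity name and certificate URLs are placeholders.

```powershell
# Added example, not from the original post or the Key Vault extension's own code.
#   Test-ImdsIdentityToken           - run INSIDE the Windows VM (no Az modules needed)
#   Set-KeyVaultExtensionForIdentity - run from a workstation after Connect-AzAccount
#                                      (needs Az.Accounts, Az.Compute, Az.ManagedServiceIdentity)
# Function names and all resource names below are hypothetical placeholders.

function Test-ImdsIdentityToken {
    # Repeats the extension's IMDS token request. Without -ClientId on a VM that has
    # several user-assigned identities, IMDS answers 400 with the same error the
    # extension logged; with -ClientId it returns a token and echoes the client_id used.
    param(
        [string]$ClientId,                          # client (application) ID of the UAI
        [string]$Resource = 'https://vault.azure.net'
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           '&resource=' + [uri]::EscapeDataString($Resource)
    if ($ClientId) { $uri += "&client_id=$ClientId" }   # object_id=<principalId> is the alternative selector
    try {
        # IMDS must be reached directly; a system proxy in the way yields a timeout, not this error
        $token = Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method Get
        [pscustomobject]@{ Ok = $true; ClientId = $token.client_id; ExpiresOn = $token.expires_on }
    } catch {
        # 4xx from IMDS: the JSON error body is in ErrorDetails.Message
        [pscustomobject]@{ Ok = $false; Error = $_.ErrorDetails.Message }
    }
}

function Set-KeyVaultExtensionForIdentity {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$VMName,
        [Parameter(Mandatory)] [string]$IdentityName,       # user-assigned identity the extension must use
        [Parameter(Mandatory)] [string[]]$CertificateUrls,  # https://<vault>.vault.azure.net/secrets/<cert>
        # Pick the version listed by:
        #   Get-AzVMExtensionImage -Location <loc> -PublisherName Microsoft.Azure.KeyVault -Type KeyVaultForWindows
        [string]$TypeHandlerVersion = '1.0'
    )
    $identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName
    $vm       = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Check 1: the identity has to be assigned to the VM, otherwise IMDS cannot mint a token for it
    $attached = @($vm.Identity.UserAssignedIdentities.Keys) -contains $identity.Id
    if (-not $attached) {
        throw "Identity $($identity.Id) is not assigned to VM $VMName; add it with Update-AzVM first"
    }

    # Check 2: msiClientId is the client ID ($identity.ClientId), not PrincipalId and not Id (resource ID)
    $settings = @{
        secretsManagementSettings = @{
            pollingIntervalInS       = '14400'
            certificateStoreName     = 'MY'
            linkOnRenewal            = $true
            certificateStoreLocation = 'LocalMachine'
            requireInitialSync       = $true
            observedCertificates     = $CertificateUrls
        }
        authenticationSettings = @{
            msiEndpoint = 'http://169.254.169.254/metadata/identity'
            msiClientId = $identity.ClientId
        }
    }

    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Location $vm.Location `
        -Publisher 'Microsoft.Azure.KeyVault' -ExtensionType 'KeyVaultForWindows' -Name 'KeyVaultForWindows' `
        -TypeHandlerVersion $TypeHandlerVersion -SettingString ($settings | ConvertTo-Json -Depth 5)
}

# Usage (placeholders):
#   On the VM:      Test-ImdsIdentityToken
#                   Test-ImdsIdentityToken -ClientId 'c7373ae5-91c2-4165-8ab6-7381d6e75619'
#   From a workstation:
#                   Set-KeyVaultExtensionForIdentity -ResourceGroupName 'rg-sf' -VMName 'sfnode0' `
#                       -IdentityName 'kv-reader' -CertificateUrls 'https://<vault>.vault.azure.net/secrets/<cert>'
```

Run the first function on the VM before redeploying the extension: if it only succeeds with -ClientId and the echoed client_id matches what you put in msiClientId, the identity side is correct and the remaining suspects are the extension version and whether the new settings were actually applied; if it fails even with -ClientId, the identity is not attached to the VM or the GUID is the principal ID rather than the client ID.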