
I'm running two containers with docker-compose in App Service.

The containers are granted get/list permissions for secrets & certificates for my KeyVault, but I'm not able to access them (or any other Azure Resource in my Subscription) with the SDK.

I'm using the Node SDK, which looks like that (nothing special here):

    import { SecretClient } from '@azure/keyvault-secrets';
    import { DefaultAzureCredential } from '@azure/identity';
    // ...
    // DefaultAzureCredential tries each credential in its chain in turn
    const keyVaultClient = new SecretClient(
      `https://<key-vault-name>.vault.azure.net`,
      new DefaultAzureCredential()
    );
    await keyVaultClient.getSecret('<some-secret>');

First, I've got "Azure CLI could not be found".

So I installed the Azure CLI in my container, which led me to "Please run 'az login' from a command prompt to authenticate before using this credential."

The documentation says that DefaultAzureCredential should work out for most services, as it tries out all available credentials one after the other.

What am I missing?


Edit 1: one step further, after using AZURE_LOG_LEVEL=verbose

    2021-12-07T08:13:31.661891058Z azure:identity:info ManagedIdentityCredential - Fabric MSI => ManagedIdentityCredential - Fabric MSI: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT
    2021-12-07T08:13:31.670324114Z azure:identity:info ManagedIdentityCredential - AppServiceMSI 2017 => ManagedIdentityCredential - AppServiceMSI 2017: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.
    2021-12-07T08:13:31.670736112Z azure:identity:info ManagedIdentityCredential - CloudShellMSI => ManagedIdentityCredential - CloudShellMSI: Unavailable. The environment variable MSI_ENDPOINT is needed.
    2021-12-07T08:13:31.671181710Z azure:identity:info ManagedIdentityCredential - Azure Arc MSI => ManagedIdentityCredential - Azure Arc MSI: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT
    2021-12-07T08:13:31.671509608Z azure:identity:info ManagedIdentityCredential - Token Exchange => ManagedIdentityCredential - Token Exchange: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE

Edit 2: passed down MSI_ENDPOINT & MSI_SECRET via docker-compose, but they're empty in my container then.

If I look at Kudu, it shows me that they are populated though.

    MSI_ENDPOINT = [Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
    MSI_SECRET = [Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]

Edit 3: related question: Azure Managed Service Identity endpoint missing in App Service for Containers

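The verbose log above shows exactly what ManagedIdentityCredential does before giving up: it looks for a handful of environment variables and, if a matching set is present, calls the token endpoint they name. The following diagnostic is an added example, not code from the question or from the Azure SDK. It reproduces that probe against any environment object, distinguishes a variable that is missing from one that was forwarded with an empty value (the symptom in Edit 2), and builds, without sending, the App Service token request those variables describe. The endpoint query parameters and header names (`api-version=2019-08-01` with `X-IDENTITY-HEADER`, `api-version=2017-09-01` with `secret`) are taken from the App Service managed identity documentation; the `AppServiceMSI 2019` flavor is not in the log above and is included from that documentation. The sample environments at the bottom are constructed placeholders, not real values.

```javascript
// Added diagnostic (not from the question or the Azure SDK): reports which of the
// managed-identity environment variables that ManagedIdentityCredential probes are
// actually set inside the container, and builds (does not send) the App Service
// token request they describe. Secret values are never printed, only their presence.

// Each entry mirrors one "ManagedIdentityCredential - <flavor>" line of the verbose log;
// "AppServiceMSI 2019" is added from the App Service managed identity docs (assumption).
const MI_FLAVORS = [
  { name: 'AppServiceMSI 2019', vars: ['IDENTITY_ENDPOINT', 'IDENTITY_HEADER'] },
  { name: 'AppServiceMSI 2017', vars: ['MSI_ENDPOINT', 'MSI_SECRET'] },
  { name: 'Fabric MSI', vars: ['IDENTITY_ENDPOINT', 'IDENTITY_HEADER', 'IDENTITY_SERVER_THUMBPRINT'] },
  { name: 'CloudShellMSI', vars: ['MSI_ENDPOINT'] },
  { name: 'Azure Arc MSI', vars: ['IMDS_ENDPOINT', 'IDENTITY_ENDPOINT'] },
  { name: 'Token Exchange', vars: ['AZURE_CLIENT_ID', 'AZURE_TENANT_ID', 'AZURE_FEDERATED_TOKEN_FILE'] },
];

// Classify every variable as "set", "empty" (present but "") or "missing".
// "empty" is the Edit 2 situation: docker-compose forwarded the name but no value reached the container.
function probeManagedIdentityEnv(env) {
  return MI_FLAVORS.map(({ name, vars }) => {
    const status = {};
    for (const v of vars) {
      if (!(v in env)) status[v] = 'missing';
      else if (env[v] === '') status[v] = 'empty';
      else status[v] = 'set';
    }
    const available = vars.every((v) => status[v] === 'set');
    return { name, available, status };
  });
}

// Build the App Service token request for the given resource without calling it.
// Returns null when neither App Service flavor is usable, which is where
// DefaultAzureCredential falls through to the next credential in its chain.
function buildAppServiceTokenRequest(env, resource = 'https://vault.azure.net') {
  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    const url = new URL(env.IDENTITY_ENDPOINT);
    url.searchParams.set('resource', resource);
    url.searchParams.set('api-version', '2019-08-01');
    return { flavor: 'AppServiceMSI 2019', url: url.toString(), headers: { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER } };
  }
  if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    const url = new URL(env.MSI_ENDPOINT);
    url.searchParams.set('resource', resource);
    url.searchParams.set('api-version', '2017-09-01');
    return { flavor: 'AppServiceMSI 2017', url: url.toString(), headers: { secret: env.MSI_SECRET } };
  }
  return null;
}

// One line per flavor, e.g. "FAIL AppServiceMSI 2017: MSI_ENDPOINT=empty, MSI_SECRET=empty".
function formatReport(env) {
  return probeManagedIdentityEnv(env)
    .map(({ name, available, status }) => {
      const detail = Object.entries(status).map(([k, s]) => `${k}=${s}`).join(', ');
      return `${available ? 'OK  ' : 'FAIL'} ${name}: ${detail}`;
    })
    .join('\n');
}

// Constructed sample environments (placeholders, not real App Service values).
const SAMPLE_ENV_FORWARDED_EMPTY = { MSI_ENDPOINT: '', MSI_SECRET: '' }; // Edit 2 symptom
const SAMPLE_ENV_INJECTED = {
  IDENTITY_ENDPOINT: 'http://127.0.0.1:41234/msi/token', // placeholder endpoint, shape only
  IDENTITY_HEADER: 'placeholder-header-value',
};

// Run inside the container (node mi-probe.js) to see what the SDK sees.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatReport(process.env));
  const req = buildAppServiceTokenRequest(process.env);
  console.log(req ? `would GET ${req.url} (${req.flavor})` : 'no App Service MSI endpoint in this environment');
}
```

Running it inside the container answers the question the verbose log raises: a `missing` entry means App Service never injected the variable into that container, while an `empty` entry means the compose file forwarded the name without a value, so ManagedIdentityCredential reports the flavor as unavailable either way and the chain ends at the Azure CLI credential.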
  • 1
    When you say "The containers are granted get/list permissions for secrets & certificates for my KeyVault" do you mean the Managed Identity of the App Service has the get/list permission or something else? What might also give you some more insight is by viewing the log stream/container logs for your App Service. Commented Dec 7, 2021 at 8:13
  • Yes, exactly Matt. The container logs currently just error out with the 'Please run az login' message, which tells me that all the other credentials are not working. I've just found out about AZURE_LOG_LEVEL=verbose and hope that this will give me some insights. Commented Dec 7, 2021 at 8:16
  • 1
    Interesting, one thing you could try in order to isolate the problem further would be to configure some application settings against your Web App that use Key Vault references. If that works (you get a green tick), then your permissions setup between your App Service and Key Vault is fine and the issue resides inside your containers; if it doesn't, then it's a permissions issue. Commented Dec 7, 2021 at 8:22
  • 1
    Regarding DefaultAzureCredentials, it is worthwhile reviewing how it functions under the hood if you have not already. Are you able to successfully run your container locally and access the secrets? If so, what is the difference in permissions between the identity you use locally (assuming it's your own account) and the Managed Identity? Commented Dec 7, 2021 at 8:24
  • 1
    No problem, I'm glad I could be your rubber duck! Good luck. :-) Commented Dec 7, 2021 at 8:30

1 Answer

0

Seems like Managed Identities are not supported by Multi Container Apps in App Service.
