Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available. #40090
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Changed the code like this - Still getting error like this - Can you pls confirm if this is a bug in the SDK that needs to be fixed. Is there an alternate way to fetch AAD Token for workload identity?
At the moment, this is blocking me to implement workload identity.
Hello! Can you help me understand the scenario? Generally these credentials are used in the context of one of our service clients (such as
Hi,
I need to use the workload identity flow with Azure database for MySQL single server. I don't need to use the vault as it is not a requirement for us.
I have followed the steps as listed in this Microsoft documentation: https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster.
Following is the code I am using to fetch AAD token -
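import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import java.util.Map;

Map<String, String> env = System.getenv();
// tenantId and tokenFile are read here but not passed to the credential below.
String tenantId = env.get("AZURE_TENANT_ID");
String clientId = env.get("AZURE_CLIENT_ID");
String tokenFile = env.get("AZURE_FEDERATED_TOKEN_FILE");
TokenCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
    .clientId(clientId)
    .build();
// Blocks until the token request completes or fails.
String accessToken = managedIdentityCredential
    .getToken(new TokenRequestContext()
        .addScopes("https://ssp-demo-db8.mysql.database.azure.com/.default"))
    .block()
    .getToken();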
But when I am running this code as K8S pod, I am getting this error -
2024-05-10 07:44:08.990 [main] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-10 07:44:09.131 [main] [DEBUG] com.azure.core.implementation.util.Providers - Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider.
2024-05-10 07:44:10.636 [ForkJoinPool.commonPool-worker-1] [ERROR] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes [https://ssp-demo-db8.mysql.database.azure.com/.default]: Managed Identity authentication is not available.
CredentialUnavailableException: Managed Identity authentication is not available.},
[com.azure.identity.implementation.IdentityClient.lambda$authenticateWithManagedIdentityConfidentialClient$25(IdentityClient.java:563),
reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783),
reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94),
reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:241),
reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:315),
reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:119),
reactor.core.publisher.MonoCompletionStage$MonoCompletionStageSubscription.apply(MonoCompletionStage.java:71),
java.base/java.util.concurrent.CompletableFuture.uniHandle(CompletableFuture.java:934),
java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(CompletableFuture.java:911),
java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510),
java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1773),
java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1760),
java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373),
java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182),
java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655),
java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622),
java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)]
Can you please help to correct or fix this issue as I have been blocked for the last 2 weeks?
I have already opened an official case (Case 2405100030001925) with Microsoft for this issue and there has been no progress till now.
Regards,
Yashpal
…On Fri, May 24, 2024 at 4:17 AM Bill Wert ***@***.***> wrote:
Hello! Can you help me understand the scenario? Generally these
credentials are used in the context of one of our service clients (such as
KeyVaultClient.) Is that also failing, and you are simplifying the repro
here? Can you try a scope like https://vault.azure.net or
https://management.azure.com?
I am using the azure-identity library with version 1.12.0.
I have followed all the steps to enable workload-identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster.
Following is the snippet of code I am using -
DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6").build();
Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is the clientId corresponding to the managed identity.
managedIdentityCredentialUserAssigned.getToken() is throwing the following error -
2024-05-09 06:07:41.760 [main] [DEBUG] com.azure.core.implementation.ReflectionUtils - Attempting to use java.lang.invoke package to handle reflection.
2024-05-09 06:07:41.763 [main] [DEBUG] com.azure.core.implementation.ReflectionUtils - Successfully used java.lang.invoke package to handle reflection.
2024-05-09 06:07:41.771 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-09 06:07:41.772 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => ERROR in EnvironmentCredential: Failed to create a ClientSecretCredential or ClientCertificateCredential. Missing required environment variable either AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH
2024-05-09 06:07:41.773 [main] [DEBUG] com.azure.identity.EnvironmentCredential - Azure Identity => ERROR in EnvironmentCredential: Failed to determine an authentication scheme based on the available environment variables. Please specify AZURE_TENANT_ID and AZURE_CLIENT_SECRET to authenticate through a ClientSecretCredential; AZURE_TENANT_ID and AZURE_CLIENT_CERTIFICATE_PATH to authenticate through a ClientCertificateCredential; or AZURE_USERNAME and AZURE_PASSWORD to authenticate through a UserPasswordCredential.
2024-05-09 06:07:41.909 [main] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
2024-05-09 06:07:41.910 [main] [DEBUG] com.azure.identity.SharedTokenCacheCredential - Azure Identity => Found the following environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID
[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.
2024-05-09 06:07:42.012 [main] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential EnvironmentCredential is unavailable.
2024-05-09 06:07:42.038 [main] [DEBUG] com.azure.core.implementation.util.Providers - Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider.
2024-05-09 06:07:42.117 [main] [WARN] com.azure.core.http.netty.implementation.Utility - The following Netty dependencies have versions that do not match the versions specified in the azure-core-http-netty pom.xml file. This may result in unexpected behavior. If your application runs without issue this message can be ignored, otherwise please update the Netty dependencies to match the versions specified in the pom.xml file. Versions found in runtime: 'io.netty:netty-codec' version: 4.1.100.Final (expected: 4.1.101.Final)
2024-05-09 06:07:43.361 [ForkJoinPool.commonPool-worker-1] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential WorkloadIdentityCredential is unavailable.
2024-05-09 06:07:43.370 [ForkJoinPool.commonPool-worker-1] [DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.
2024-05-09 06:07:43.370 [ForkJoinPool.commonPool-worker-1] [INFO] com.azure.identity.ChainedTokenCredential - Azure Identity => Attempted credential ManagedIdentityCredential is unavailable.
2024-05-09 06:07:43.375 [ForkJoinPool.commonPool-worker-2] [DEBUG] com.azure.identity.implementation.IdentityClient - SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
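Added example, not part of the original issue and not Azure SDK code: the log above reports WorkloadIdentityCredential as unavailable, and the snippets in this thread build ManagedIdentityCredential rather than the federated-token credential. This Java program checks that the pod has the inputs the workload identity flow needs and then requests a token with WorkloadIdentityCredentialBuilder directly. The class name and the `preflight` helper are hypothetical, and the default scope is the management.azure.com resource suggested in the thread, written in `/.default` form.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.WorkloadIdentityCredentialBuilder;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class WorkloadIdentityTokenCheck { // hypothetical class name
    // Variables the workload identity webhook is expected to inject into the pod.
    static final String[] REQUIRED = {"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"};

    // Returns the problems found; an empty list means the federated flow has its inputs.
    static List<String> preflight(Map<String, String> env) {
        List<String> problems = new ArrayList<>();
        for (String name : REQUIRED) {
            String value = env.get(name);
            if (value == null || value.isBlank()) {
                problems.add(name + " is not set");
            }
        }
        String tokenFile = env.get("AZURE_FEDERATED_TOKEN_FILE");
        if (tokenFile != null && !tokenFile.isBlank() && !Files.isReadable(Path.of(tokenFile))) {
            problems.add("token file is not readable: " + tokenFile);
        }
        return problems;
    }

    public static void main(String[] args) {
        Map<String, String> env = System.getenv();
        List<String> problems = preflight(env);
        if (!problems.isEmpty()) {
            problems.forEach(p -> System.err.println("workload identity preflight: " + p));
            System.exit(1);
        }
        // Assumption: scope defaults to the management.azure.com resource suggested in the thread.
        String scope = args.length > 0 ? args[0] : "https://management.azure.com/.default";
        TokenCredential credential = new WorkloadIdentityCredentialBuilder()
            .tenantId(env.get("AZURE_TENANT_ID"))
            .clientId(env.get("AZURE_CLIENT_ID"))
            .tokenFilePath(env.get("AZURE_FEDERATED_TOKEN_FILE"))
            .build();
        AccessToken token = credential.getToken(new TokenRequestContext().addScopes(scope)).block();
        // Print only the expiry; the token value is a bearer secret and must stay out of logs.
        System.out.println("token acquired, expires at " + token.getExpiresAt());
    }
}
```

A non-empty preflight result points at the pod configuration (service account, webhook injection, projected token volume) rather than at the SDK call.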