While implementing the Azure Key Vault VM Extension for Linux to manage certificates, I encountered the following error during the token acquisition process via the Azure Instance Metadata Service (IMDS):
Error:
[MSIHttpClient] MSI URL: http://169.254.169.254/metadata/identity/oauth2/token/?api-version=2018-02-01&authority=https://login.microsoftonline.com/{TENANTID}&resource=https://vault.azure.net&client_id={Managed ID Client ID}
[MSIAuthClient] failed to retrieve MSI token from response: {"error":"invalid_request","error_description":"Identity not found"}
Service: KV extension for Linux with Managed Identities
Version: 3.3.2652.112
Status message: Failed to download one or more certificates, retrying...
Steps to Reproduce:
Configured a managed identity for an Azure Virtual Machine (VM).
Installed and configured the Azure Key Vault VM Extension for Linux to retrieve certificates.
During the extension's operation, the above error was logged, indicating a failure to acquire the necessary token.
Expected Outcome:
The extension should successfully retrieve an access token for the managed identity to authenticate against Azure Key Vault and manage certificates as configured.
Actual Outcome:
The token acquisition process failed with the "Identity not found" error, preventing the extension from functioning as intended. Somehow I can see the cert in the folder (maybe as part of the "requireInitialSync").
CLI commands:
MY_CERT_ID=$(az keyvault certificate show --vault-name "$MY_KEY_VAULT" --name "$MY_CERT_NAME" --query sid -o tsv)
MY_VM_CLIENTID=$(az identity show --resource-group "$MY_RESOURCE_GROUP_NAME" --name "$MY_VM_ID_NAME" --query clientId -o tsv)
MY_AKV_EXT_SETTINGS="{\"secretsManagementSettings\":{\"pollingIntervalInS\":\"3600\",\"requireInitialSync\":true,\"certificateStoreLocation\":\"{*the path to my cert*}/\",\"observedCertificates\":[\"$MY_CERT_ID\"]},\"authenticationSettings\":{\"msiEndpoint\":\"http://169.254.169.254/metadata/identity/oauth2/token\",\"msiClientId\":\"${MY_VM_CLIENTID}\"}}"
az vm extension set \
  --resource-group "$MY_RESOURCE_GROUP_NAME" \
  --vm-name "$MY_VM_NAME" \
  -n "KeyVaultForLinux" \
  --publisher Microsoft.Azure.KeyVault \
  --version 2.0 \
  --enable-auto-upgrade true \
  --settings "$MY_AKV_EXT_SETTINGS" -o JSON
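One way to replay the extension's token request from the VM and compare the configured client ID against the VM's identities, added here as an example; it is not from the issue or from the extension's code. The function names, the `--live` flag and the `check.sh` file name are made up for illustration, and the `az vm identity show` step assumes the identity is user-assigned.

```sh
#!/bin/sh
# Added diagnostic example; not code from the issue or the extension.
# Endpoint, api-version and resource are the ones in the logged MSI URL.
IMDS="http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION="2018-02-01"
RESOURCE="https%3A%2F%2Fvault.azure.net"   # URL-encoded https://vault.azure.net

# msiClientId must be a GUID. An empty or placeholder value means the
# `az identity show` lookup that filled the settings returned nothing usable.
is_guid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Token URL for a given client ID (hypothetical helper name).
imds_token_url() {
  printf '%s?api-version=%s&resource=%s&client_id=%s' \
    "$IMDS" "$API_VERSION" "$RESOURCE" "$1"
}

# Classify an IMDS response body as: token | identity_not_found | other_error
classify_imds_response() {
  case "$1" in
    *'"access_token"'*) echo token ;;
    *'"error_description":"Identity not found"'*) echo identity_not_found ;;
    *) echo other_error ;;
  esac
}

# True when client ID $1 is in the tab- or newline-separated list $2.
client_id_assigned() {
  [ -n "$1" ] && printf '%s\n' "$2" | tr '\t' '\n' | grep -qixF -- "$1"
}

# Live run on the VM: sh check.sh --live <client-id> <resource-group> <vm-name>
if [ "${1:-}" = "--live" ]; then
  is_guid "$2" || { echo "msiClientId is not a GUID: '$2'"; exit 2; }
  body=$(curl -s -H 'Metadata: true' "$(imds_token_url "$2")")
  # Print only the classification so a valid token never reaches the terminal.
  echo "IMDS result: $(classify_imds_response "$body")"
  assigned=$(az vm identity show -g "$3" -n "$4" \
    --query 'userAssignedIdentities.*.clientId' -o tsv)
  if client_id_assigned "$2" "$assigned"; then
    echo "client ID is among the VM's user-assigned identities"
  else
    echo "client ID is NOT among the VM's user-assigned identities"
  fi
fi
```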