Description
Describe the bug
Although it is recommended to use a System Assigned Managed Service Identity, I have some recommendations for the docs for people who do choose to use the user-assigned identity. I found the docs to be slightly misleading and it resulted in me spending a few hours trying to debug.
Errors I received:
- `ForbiddenByRBAC` - why: because the system identity was being used by the host (not the user-assigned one), which had no RBAC on the Key Vault I was trying to reach.
- `No user assigned identity or delegated managed identity found or specified.` - why: because I had removed the system-assigned identity & did not provide a client_id, so the host was trying to request a token w/o an identity.
My suggestions for improving the docs that would have helped me reach these conclusions sooner:
- On the docs for linking a user-assigned MSI in the portal, please explicitly call out the environment variables that need to be added to app configuration for the user-assigned MSI to be used when requesting a token. From my understanding, a client ID must be in the env. variables and explicitly added when creating the DefaultAzureCredential or making an HTTP request for the token.
- In the troubleshooting guide, there is a recommendation to check the token endpoint.
  a. I'm not sure the URL of the token endpoint listed in the curl command is accurate - I believe a localhost IP is used. I'd recommend updating this to suggest using the URL from the env variable.
  b. Suggest easy ways for people to access the environment variables (a nice resource is provided by the MS community).
  c. Provide recommendations for what to try if the endpoint doesn't work / doesn't exist. For example, try with a system-assigned identity, make sure you have the client ID defined where you are requesting the token, etc.
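The two points above (passing the user-assigned identity's client ID to `DefaultAzureCredential`, and checking the token endpoint through the host's own environment variables rather than a fixed IP) as an added example; this is not code from the issue, the Azure SDK docs or the Azure.Identity project. It assumes the App Service managed identity conventions (`IDENTITY_ENDPOINT`, `IDENTITY_HEADER`, the `X-IDENTITY-HEADER` request header and `api-version=2019-08-01`) and that the user-assigned identity's client ID has been placed in `AZURE_CLIENT_ID` in app settings; the class and method names (`UserAssignedIdentityCheck`, `GetKeyVaultTokenAsync`, `ProbeIdentityEndpointAsync`) are my own.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example: pin a user-assigned managed identity when acquiring a Key Vault token,
// and probe the host's token endpoint the way the troubleshooting guide suggests.
public static class UserAssignedIdentityCheck
{
    // Azure.Identity takes ".default" scopes; the raw endpoint below takes the bare resource.
    private const string KeyVaultScope = "https://vault.azure.net/.default";
    private const string KeyVaultResource = "https://vault.azure.net";

    // 1. Token via Azure.Identity with the user-assigned identity selected explicitly.
    public static async Task<AccessToken> GetKeyVaultTokenAsync(string clientId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Without this (or AZURE_CLIENT_ID in the environment) the host uses the
            // system-assigned identity, or fails with
            // "No user assigned identity or delegated managed identity found or specified".
            ManagedIdentityClientId = clientId,
        };
        var credential = new DefaultAzureCredential(options);
        return await credential.GetTokenAsync(new TokenRequestContext(new[] { KeyVaultScope }));
    }

    // 2. Raw probe of the App Service token endpoint, built from IDENTITY_ENDPOINT /
    //    IDENTITY_HEADER instead of a hard-coded localhost address (assumption: App Service).
    public static async Task<string> ProbeIdentityEndpointAsync(HttpClient http, string clientId)
    {
        string endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")
            ?? throw new InvalidOperationException(
                "IDENTITY_ENDPOINT is not set: no managed identity appears to be linked to this host.");
        string header = Environment.GetEnvironmentVariable("IDENTITY_HEADER")
            ?? throw new InvalidOperationException("IDENTITY_HEADER is not set.");

        // client_id is what selects the user-assigned identity; omit it and the host
        // falls back to the system-assigned identity (or errors if there is none).
        string url = $"{endpoint}?resource={Uri.EscapeDataString(KeyVaultResource)}" +
                     $"&api-version=2019-08-01&client_id={Uri.EscapeDataString(clientId)}";

        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Add("X-IDENTITY-HEADER", header);
        using var response = await http.SendAsync(request);
        string body = await response.Content.ReadAsStringAsync();

        // On a non-2xx status the body carries the host's error text, which is the
        // fastest way to see which identity the host actually tried to use.
        return $"{(int)response.StatusCode} {body}";
    }

    public static async Task Main()
    {
        // Assumption: the user-assigned identity's client ID is stored in AZURE_CLIENT_ID.
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")
            ?? throw new InvalidOperationException(
                "Set AZURE_CLIENT_ID to the client ID of the user-assigned identity.");

        using var http = new HttpClient();
        Console.WriteLine(await ProbeIdentityEndpointAsync(http, clientId));

        AccessToken token = await GetKeyVaultTokenAsync(clientId);
        Console.WriteLine($"Token acquired via Azure.Identity, expires {token.ExpiresOn:u}");
    }
}
```

Running the probe first separates the two failure modes in the issue: a missing `IDENTITY_ENDPOINT` means no identity is linked to the host at all, while a 4xx body from the endpoint tells you which identity the host resolved for the request.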
To Reproduce
- make an app service
- link a user-assigned MSI
- try to get a token for Key Vault using the .NET Azure.Identity.DefaultAzureCredential w/o a client ID specified.
Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.
- [x] Bug Description Added
- [x] Repro Steps Added
- [x] Setup information Added