Unable to use autounsealing with Azure, ManagedIdentityCredential authentication failed

[needsupport911]

Describe the bug
After updating from version 2.0.1 to 2.2.1(and 2.2.2), Openbao cannot log in to Azure anymore with Managed Identity.

To Reproduce
Azure steps:

Provision Azure Key Vault
Configure Federated Identity Credential
Assign Key Vault permissions to identity

Kubernetes steps:

Install Openbao on Azure Kubernetes Services
Add pod label azure.workload.identity/use: "true"
Add service account annotation: azure.workload.identity/client-id: "managed-identity-client-id"
Configure raft with seal seal "azurekeyvault" {} https://openbao.org/docs/configuration/seal/azurekeyvault/
Restart Openbao server

Error message

Error parsing Seal configuration: error fetching Azure Key Vault wrapper key information: ManagedIdentityCredential authentication failed. ManagedIdentityCredential authentication failed. the requested identity isn't assigned to this resource
GET http://169.254.169.254/metadata/identity/oauth2/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_request",
  "error_description": "Identity not found"
}
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#managed-id

Expected behavior
Openbao uses Azure Workload Identity to authenticate to Azure.

Environment

• Kubernetes version: 1.31.2
  • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): AKS
• openbao-helm version: tested on 2.2.1 and 2.2.2

Chart values:

server:
  serviceAccount:
    annotations:
      azure.workload.identity/client-id: "SET_BY_ARGOCD"
  extraLabels:
    azure.workload.identity/use: "true"
  extraEnvironmentVars:
    VAULT_SEAL_TYPE: "SET_BY_ARGOCD"
    VAULT_AZUREKEYVAULT_VAULT_NAME: "SET_BY_ARGOCD"
    VAULT_AZUREKEYVAULT_KEY_NAME: "SET_BY_ARGOCD"

Additional context
Found similar topic which has been resolved in Hashicorp issues:
hashicorp/vault#29717

[UXabre]

I did some testing, so far I noticed it worked until 2.1.1 (latest version that I can see in 2.1). From v2.2.0-beta20250213 it stopped working with the aforementioned error. So that at least narrows the potential issues down.

Link to changes that I'll sift through
openbao/openbao@v2.1.0...v2.2.0-beta20250213

I think/hope with the similar in issue in vault I'll find it fast!

EDIT1: I see go-kms-wrapping for azurekeyvault was updated from v2.1.0 to v.2.2.0. Changes I'm looking into https://github.com/openbao/go-kms-wrapping/compare/wrappers/azurekeyvault/v2.1.0..wrappers/azurekeyvault/v2.2.0. This also updated upstream packages from microsoft. In the linked PR from vault, they did change the implementation drastically so this is something that I'll check out

[cipherboy]

@UXabre Is this perhaps related to/addressed in openbao/go-kms-wrapping#29 by @arminfelder? I think @pree had some comments and then we could merge it, but it happened to miss the v2.3.0-beta window, so it'd likely be best in v2.4.0, though I suppose it'd be a bug fix so we could put in v2.3.0 GA or v2.3.1. as well.

[ochnerd]

Hey I'm stuck with the same problem. it seems openbao/go-kms-wrapping#29 resolves the problem. Any idea which release will include it?

[arminfelder]

@cipherboy yes that is exactly the issue I worked on, the Hashicorp implementation is buggy and does not work with workload identity, with openbao/go-kms-wrapping#29 it will work fine