3
votes

I'm using the Microsoft.Azure.Services.AppAuthentication library (v1.0.3) for .NET to connect from Azure Function app to blob storage using managed service identity. Auth code:

using System;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

// Acquire an AAD access token for the storage resource using the function app's managed identity
var tokenProvider = new AzureServiceTokenProvider();
string accessToken = await tokenProvider.GetAccessTokenAsync("https://storage.azure.com/");
// Wrap the bearer token as storage credentials and build the blob client for the account
var tokenCredential = new TokenCredential(accessToken);
var credentials = new StorageCredentials(tokenCredential);
var storageUri = new Uri($"https://{accountName}.blob.core.windows.net");
var client = new CloudBlobClient(storageUri, credentials);

One existing storage account refuses to accept the MSI regardless of given RBAC roles:

Microsoft.WindowsAzure.Storage.StorageException: Server failed to authenticate the request.
Make sure the value of Authorization header is formed correctly including the signature.
   at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteAsyncInternal[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)
   at Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer.CreateIfNotExistsAsync(BlobContainerPublicAccessType accessType, BlobRequestOptions options, OperationContext operationContext, CancellationToken cancellationToken)

Additional exception details of storageException.RequestInformation.ExtendedErrorInformation.AdditionalDetails complain that AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.

When decoding the failing JWT token, the issuer seems OK:

{
  "aud": "https://storage.azure.com/",
  "iss": "https://sts.windows.net/<my directory guid>/",
  ...
}

When I created new identically set up storage accounts, the same function app MSI and auth code worked, and even the issuer in the token was exactly the same. So the client function app and its MSI identity are not the culprit here.

Why does this one storage account fail to authorize and how to get it to accept the MSI?

UPDATE: Cross posted to MS forum to get MS attention in verifying if this is an azure bug.

Did you have an access policy on the blob storage container? – Joy Wang-MSFT
If the issuer contains the id for the AAD where your storage account's subscription is connected, then this sounds like a bug on the Storage side. Remember it's a preview ;) – juunas
@JoyWang, no, the test container has had no access policies set. – Imre Pühvel
@juunas has a good question: Are you sure that the storage account is in an Azure subscription that is associated with the same Azure AD tenant as the MSI is in? – Philippe Signoret
@PhilippeSignoret Yes, they are in the same Azure directory, and the storage account portal GUI detects the MSI account for RBAC role assignment with no problems. – Imre Pühvel
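The comments above boil down to one check: does the tenant in the token's iss/tid claims match the Azure AD tenant that owns the storage account's subscription? The following is an added example, not code from the question or from the Microsoft libraries, that decodes the claims of a token the way the asker did and reports any mismatch against an expected tenant GUID, expected audience, and expiry. It deliberately does not verify the signature (it is a diagnostic for comparing claims, not a trust decision), and the tenant GUIDs and the alg=none sample token are constructed placeholders.

```python
import base64
import json
import time

EXPECTED_AUDIENCE = "https://storage.azure.com/"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_storage_token(token, expected_tenant_id, now=None):
    """Compare the token's aud/iss/tid/exp with what a storage account in the
    given tenant should accept. Returns a list of findings; empty means consistent."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    findings = []
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUDIENCE!r}")
    iss = claims.get("iss", "")
    expected_iss = f"https://sts.windows.net/{expected_tenant_id}/"
    if iss != expected_iss:
        findings.append(f"iss is {iss!r}, expected {expected_iss!r} for the storage account's tenant")
    tid = claims.get("tid")
    if tid is not None and tid != expected_tenant_id:
        findings.append(f"tid {tid!r} does not match the storage account's tenant {expected_tenant_id!r}")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        findings.append("token is expired")
    return findings


def make_unsigned_token(claims):
    """Build an alg=none token from constructed claims, for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: these tenant GUIDs are placeholders, not real directories
MSI_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKEN = make_unsigned_token({
    "aud": EXPECTED_AUDIENCE,
    "iss": f"https://sts.windows.net/{MSI_TENANT}/",
    "tid": MSI_TENANT,
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample does not expire during testing
})

if __name__ == "__main__":
    print("claims:", decode_jwt_claims(SAMPLE_TOKEN))
    print("storage account in MSI tenant:", check_storage_token(SAMPLE_TOKEN, MSI_TENANT) or "no findings")
    print("storage account in another tenant:", check_storage_token(SAMPLE_TOKEN, OTHER_TENANT))
```

Feed it the real token from GetAccessTokenAsync and the tenant id of the subscription that owns the storage account (visible in the portal under the subscription's Directory). If the script reports no findings and the service still returns "Issuer did not match", the mismatch is on the service side, which is what the thread below concludes.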

2 Answers

0
votes

I tested with your auth code, and both existing and newly created storage accounts accept MSI. So I agree with what juunas said; it may be a bug in Azure Storage.

You could go here to give your feedback so the developers can fix it.

0
votes

Even after checking with MS, it is unclear what was the cause, but moving the affected subscriptions to another Azure AD directory seems to have fixed the issue.